After being unanimously passed by their legislature, it appears that an Indiana data privacy law is imminent, at least in terms of enactment, if not in terms of becoming effective.

David Strauss of Husch Blackwell reported that, on April 13, the Indiana legislature passed SB 5.

The Senate originally passed the bill by a vote of 49-0 on February 9th. The House passed an amended version of the bill by a vote of 98-0 on April 11th. On April 13th, the Senate concurred in the House amendments. Pending any remaining procedural hurdles, the bill will be sent to Indiana Governor Eric Holcomb in the coming days.

As Strauss reports, the bill largely tracks the Virginia Consumer Data Protection Act (VCDPA) with some limited variations. It’s more business-friendly than the Colorado and Connecticut laws but more consumer-friendly than the Utah and Iowa laws.

While the enactment of the Indiana data privacy law appears imminent, the proposed effective date is far from it – January 1, 2026, which is over two-and-a-half years away! Iowa, which just passed their bill last month, goes into effect one year earlier.

One unique wrinkle about the new Indiana data privacy law: the bill states that it does not restrict a controller or processor’s ability to, “in the case of an owner of a riverboat licensed under IC 4-33-6, implement and operate a facial recognition program approved by the Indiana gaming commission.” Go figure.

Riverboats aside, Husch Blackwell provides a very useful detailed comparison of the Indiana bill against the six existing state privacy laws on applicability thresholds, rights and other provisions.

At the rate things are picking up steam, they may need to update that comparison soon. According to the International Association of Privacy Professionals (IAPP) US State Privacy Legislation Tracker, Hawaii, Montana, New Hampshire, Oklahoma and Tennessee all have bills “In Cross Committee” – the last step before being passed. Maybe we should start a betting pool as to which state will be next! 😉

So, what do you think? How is your organization addressing all these new data privacy laws? Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.