Indiana Senate Committee Passes Privacy Legislation
Indiana’s Senate Commerce Committee unanimously approved privacy legislation Thursday modeled after Virginia’s new law. Several members said they need more information on a last-minute amendment before they can support the bill on the floor. The House hasn't introduced companion legislation. The law would take effect in January 2024.
Introduced by Sen. Liz Brown (R), SB-358 would establish duty of care for businesses collecting user data and force them to de-identify personal information of consumers. Businesses could share only de-identified data with third parties, and consumers would be able to ask what data is collected and have businesses delete information. It was originally written with a private right of action for consumers to sue platforms, but that provision was removed. Several witnesses and members noted the bill’s similarities to Virginia’s law, calling it the “gold standard” (see 2103020068).
Brown’s amendment clarified details about data aggregation, and it narrowed the law’s scope, so entities subject to federal privacy laws wouldn’t be affected. The amendment was introduced to avoid unnecessary regulation, said Brown. It was adopted unanimously. Brown said she worked with several groups when writing the amendment.
It’s important the bill makes regulations more consistent across states, said Chairman Chip Perfect (R). “I love the concept,” said Sen. Blake Doriot (R). “This is just a lot to digest in such a short period of time.” Doriot said he will need more research before he supports the bill on the floor. Sen. Stacey Donato (R) agreed: “I love the concept, but I would have loved to have a whole lot more detail.” It would have been good to have a “three-hour” meeting to fully understand the amendment, said Sen. Jean Leising (R). Leising said there’s a lot more work before deciding on the floor. The committee has eight Republicans and three Democrats.
Model the bill after Virginia, asked Alliance for Automotive Innovation representative Matt Norris, The alliance, which is neutral on the bill, wants to work with legislators on the plan, he said. Perfect and Sen. Shelli Yoder (D) asked Norris if automakers monetize consumer data by selling it. Norris said some data is used to monitor safety and performance, but he didn’t have an answer on whether the data is monetized through third parties. “I’d like to check with the client and get you a more definitive answer,” said Norris.
The legislation attempts to strike the right balance and allow consumers to opt out of certain data collection practices and control their information, said Scott Barnhart, chief counsel for Indiana Attorney General Todd Rokita (R). It’s tied to concerns the AG has had for years, involving a lawsuit the state filed against Google this week (see 2201240028), he said. The data requests would be similar to a consumer requesting a credit report, said Barnhart. The bill provides mechanisms for consumers to file complaints with the AG, who receives about 15,000 consumer complaints yearly, he said. The AG office should be able to handle consumer complaints on any new law, but it would have to assess potentially “scaling out” depending on demand, he said.
The Indiana bill would let consumers get specific information about data directly from companies, said Adam Berry, Indiana Chamber of Commerce vice president-economic development and technology. When it was introduced, it was modeled after the EU’s general data protection regulation, he said. It wouldn’t make sense to apply EU law to a state here, he said.