“Cloud computing” takes many forms, but, fundamentally, it is a computer network system that allows consumers, businesses, and other entities to store data off-site and manage it with third-party-owned software accessed through the Internet. Files and software are stored centrally on a network to which end users can connect to access their files using computers that are less powerful and sophisticated than those we use today. This technology reduces the need for expensive multiple servers and PCs with enough capacity to store massive data and application files. Some believe the PC of the future will need simply the capacity to connect to a web browser for the user to access his or her applications and files.

For more information on how cloud computing works, click here. For information on the FTC investigation of cloud computing, click here.

If you are not already computing in a cloud, you likely will be hearing more about “cloud computing” soon. Last month, for example, the City Council for the City of Los Angeles voted to move city employee e-mail and other applications from city computer networks to a cloud service provider – in this case, Google Inc. City officials cite significant cost savings (which they estimate to be in the millions) as one of the reasons for the switch. They acknowledged that concerns over data privacy, security and management remain.

We’ll agree that significant cost savings can be achieved through, among other things, reduced infrastructure. Questions and concerns many have with cloud computing, however, relate to the privacy, security and management of the information in the cloud. These include:

  • What if the cloud starts to rain – a cloud computing data breach – who is responsible for notifying affected persons (and bearing the costs)?
  • Which company owns the data placed in the cloud?
  • If the data in the cloud is employee e-mail, is the employer still permitted to access and monitor email communications? Will new policies/notices be needed?
  • Will company proprietary information be safe?
  • Who has access to the data? Who should have access?
  • Is the cloud service provider a business associate under HIPAA, prepared to comply with the HITECH Act? What other legal compliance requirements are there?
  • Do we still need to maintain a back-up of data in the cloud?
  • Where is the data stored? Is it in the United States, or in a foreign country subject to different data security standards? Does one location as opposed to another provide better access or security? What if data is stored in multiple places, will we be able to locate what we need when we need it?
  • How big is the cloud? How much can we store?
  • What if the cloud goes down? How do we get our data and access the applications needed to run our business?
  • How do we move between clouds? Can our data be held captive when contract negotiations fall through?
  • Can we put our clients’ data in the cloud? Do we have to tell them where it is?
  • What happens to the data if the cloud service provider or the cloud customer goes out of business?
  • Will applications in the cloud work the same way, be as flexible, and respond with the same speed as those on current PCs?

Organizations such as the Cloud Security Alliance have been formed to grapple with some of these issues. Indeed, the City of Los Angeles has had to respond to some of these concerns. So, while cloud computing may yield substantial cost savings and appear tempting, these and other questions and concerns should be addressed before moving in that direction.

California lawmakers have proposed new legislation to reshape the growing use of artificial intelligence (AI) in the workplace. While this bill aims to protect workers, employers have expressed concerns about how it might affect business efficiency and innovation.

What Does California’s Senate Bill 7 (SB 7) Propose?

SB 7, also known as the “No Robo Bosses Act,” introduces several key requirements and provisions restricting how employers use automated decision systems (ADS) powered by AI. These systems are used in making employment-related decisions, including hiring, promotions, evaluations, and terminations. The pending bill seeks to ensure that employers use these systems responsibly and that AI only assists in decision-making rather than replacing human judgment entirely.

The bill is significant for its privacy, transparency, and workplace safety implications, areas that are fundamental as technology becomes more integrated into our daily work lives.

Privacy and Transparency Protections

SB 7 includes measures to safeguard worker privacy and ensure that personal data is not misused or mishandled. The bill prohibits the use of ADS to infer or collect sensitive personal information, such as immigration status, religious or political beliefs, health data, sexual or gender orientation, or other statuses protected by law. These limitations could significantly limit an employer’s ability to use ADS to streamline human resources administration, even if the ADS only assists but does not replace human decision making. Notably, the California Consumer Privacy Act, which treats applicants and employees of covered businesses as consumers, permits the collection of such information.

Additionally, if the bill is enacted, employers and vendors will have to provide written notice to workers if an ADS is used to make employment-related decisions that affect them. The notice must provide a clear explanation of the data being collected and its intended use. Affected workers also must receive a notice after an employment decision is made with ADS. This focus on transparency aims to ensure that workers are aware of how their data is being used.

Workplace Safety

Beyond privacy, SB 7 also highlights workplace safety by prohibiting the use of ADS that could violate labor laws or occupational health and safety standards. Employers would need to make certain that ADS follow existing safety regulations, and that this technology does not compromise workplace health and safety. Additionally, ADS restrictions imposed by this pending bill could affect employers’ ability to proactively address or monitor potential safety risks with the use of AI.

Oversight & Enforcement

SB 7 prohibits employers from relying primarily on an ADS for significant employment-related decisions, such as hiring and discipline, and requires human involvement in the process. The bill grants workers the right to access and correct their data used by ADS, and they can appeal ADS employment-related decisions. A human reviewer must also evaluate the appeal. Employers cannot discriminate or retaliate against a worker for exercising their rights under this law.

The Labor Commissioner would be responsible for enforcing the bill, and workers may bring civil actions for alleged violations. Employers may face civil penalties for non-compliance.

What’s Next?

While SB 7 attempts to keep pace with the evolution of AI in the workplace, there will likely be ongoing debate about these proposed standards and which provisions will ultimately become law. Jackson Lewis will continue to monitor the status of SB 7.

If you have questions about California’s pending legislation and how it could affect your organization, contact a Jackson Lewis attorney to discuss.

On Friday, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced the fifth enforcement action under its Risk Analysis Initiative. In this case, OCR reached a settlement with Health Fitness Corporation (Health Fitness), a wellness vendor providing services to employer-sponsored group health plans.

This announcement is interesting for several reasons. It furthers the OCR’s Risk Analysis Initiative. The enforcement action is a reminder to business associates about HIPAA compliance. It also points to a significant development under ERISA for plan fiduciaries and service providers to their plans.

The OCR Risk Analysis Initiative

Anyone who takes a look at prior OCR enforcement actions will notice several trends. One of those trends relates to enforcement actions following a data breach. In those cases, the OCR frequently alleges the target of the action failed to satisfy the risk analysis standard under the Security Rule. This standard is fundamental – it involves assessing the threats and vulnerabilities to electronic protected health information (ePHI), a process that helps to shape the covered entity or business associate’s approach to the other standards, and goes beyond a simple gap analysis.

“Conducting an accurate and thorough risk analysis is not only required but is also the first step to prevent or mitigate breaches of electronic protected health information,” said OCR Acting Director Anthony Archeval. “Effective cybersecurity includes knowing who has access to electronic health information and ensuring that it is secure.”

For those wondering how committed the OCR is to its enforcement initiatives, you need not look further than its Right to Access Initiative. On March 6, 2025, the agency announced its 53rd enforcement action. According to that announcement, it involved a $200,000 civil monetary penalty imposed against a public academic health center and research university for violating an individual’s right to timely access her medical records through a personal representative.

The DOL Cybersecurity Rule

Businesses that sponsor a group health plan or other ERISA employee benefit plans might want to review the OCR’s announcement and resolution agreement concerning Health Fitness a little more carefully. In 2024, the DOL’s Employee Benefits Security Administration (EBSA) issued Compliance Assistance Release No. 2024-01. That release makes clear that the fiduciary obligation to assess the cybersecurity of plan service providers applies to all ERISA-covered employee benefit plans, including wellness programs for group health plans.

OCR commenced its investigation of Health Fitness after receiving four reports from Health Fitness, over a three-month period (October 15, 2018, to January 25, 2019), of breaches of PHI. According to the OCR, “Health Fitness reported that beginning approximately in August 2015, ePHI became discoverable on the internet and was exposed to automated search devices (web crawlers) resulting from a software misconfiguration on the server housing the ePHI.” Despite these breaches, according to the OCR, Health Fitness had failed to conduct an accurate and thorough risk analysis until January 19, 2024.

Health Fitness agreed to implement a corrective action plan that OCR will monitor for two years and paid $227,816 to OCR. For ERISA plan fiduciaries, an important question is what they need to do to assess the cybersecurity of plan service providers like Health Fitness during the procurement process and beyond.

We provide some thoughts in our earlier article and want to emphasize that plan fiduciaries need to be involved in the process. Cybersecurity is often a risk left to the IT department. However, doing so may leave even the most ardent IT professional ill-equipped or insufficiently informed about the threats and vulnerabilities of the particular service provider. When it comes to ERISA plans, this means properly assessing the threats and vulnerabilities as they relate to the aspects of plan administration being handled by the service provider.

Third-party plan service providers and plan fiduciaries should begin taking reasonable and prudent steps to implement safeguards that will adequately protect plan data. EBSA’s guidance should help the responsible parties get there, along with the plan fiduciaries and plan sponsors’ trusted counsel and other advisors.

Around the country, the weather is turning wintery, but in the privacy arena, there will be a blizzard as five state comprehensive privacy laws become effective.

Here is an overview of businesses needing to prepare.

1. Delaware Personal Data Privacy Act (DPDPA)

The DPDPA takes effect on January 1, 2025. It applies to entities doing business in Delaware or targeting Delaware residents. It covers businesses that process the personal data of at least 35,000 consumers or derive significant revenue from selling personal data. Notably, nonprofits are not exempt, and the law includes stringent requirements for handling sensitive personal information.

2. Iowa Consumer Data Protection Act (ICDPA)

The ICDPA also takes effect on January 1, 2025. It is more business-friendly, with a high threshold for applicability. It targets businesses that control or process data of at least 100,000 Iowan consumers or derive over 50% of their revenue from selling personal data. The ICDPA offers a generous 90-day cure period for violations.

3. Nebraska Data Privacy Act (NDPA)

The NDPA takes effect on January 1, 2025. The NDPA applies broadly to entities conducting business in Nebraska, with few exemptions. Small businesses are exempt from most provisions but must obtain opt-in consent before selling sensitive information. The law includes a 30-day cure period for violations.

4. New Hampshire Data Privacy Act (NHDPA)

The NHDPA takes effect on January 1, 2025. New Hampshire’s NHDPA focuses on consumer rights and data protection, requiring businesses to implement robust data security measures and provide clear privacy notices. It also grants consumers the right to access, correct, and delete their personal data.

5. New Jersey Data Privacy Act (NJDPA)

The NJDPA takes effect on January 15, 2025. The NJDPA introduces comprehensive data protection requirements, including mandatory data protection assessments and the obligation to recognize universal opt-out mechanisms. It aims to enhance transparency and consumer control over personal data.

How to Prepare for the Blizzard

With these new laws, businesses must take proactive steps to ensure compliance. Here are some key actions to consider:

  • Assess Application of the Law: Determine whether each law applies to your business.
  • Conduct Data Audits: Identify and categorize the personal data you process to understand your obligations under each law.
  • Update Privacy Policies: Ensure your privacy policies are transparent and reflect the new legal requirements.
  • Implement Data Security Measures: Strengthen your data protection practices to safeguard consumer information.
  • Service Provider Agreements: Review and update as necessary service provider agreements with those vendors that process personal information on behalf of the business.
  • Consumer Rights Readiness: Be prepared to comply with requests from consumers concerning their privacy rights, such as rights to opt-out of sale or deletion of personal information.
  • Train Employees: Educate your staff about the new laws and their roles in maintaining compliance.

If you have questions about compliance with the laws taking effect in January or related issues, please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

When Colorado enacted the Colorado Privacy Act (CPA), it included “biometric data that may be processed for the purpose of uniquely identifying an individual.” However, the CPA as originally drafted did not cover the personal data of individuals acting in a commercial or employment context. Last week, Colorado amended the CPA to broaden the protections for biometric data when Gov. Jared Polis signed HB-1130 into law.

Application of the CPA Biometric Amendment. Importantly, HB-1130 alters the scope of the CPA’s application. Recall that under the CPA, a controller is subject to the CPA if it:

(i) determines the purposes and means of processing personal data, (ii) conducts business in Colorado or produces or delivers commercial products or services intentionally targeted to residents of the state, and (iii) either: (a) controls or processes the personal data of more than 100,000 Colorado residents per year or (b) derives revenue from selling the personal data of more than 25,000 Colorado residents.

HB-1130 adds that a controller can be subject to the CPA without meeting the requirements above, provided that it would be subject to the CPA solely to the extent that it controls or processes any amount of biometric identifiers or biometric data.

Key Definitions. The amendment added language expressly applicable to employers, including defining employees to include not only individuals employed on a full- or part-time basis, but also individuals who are “on-call” or hired as a “contractor, subcontractor, intern, or fellow.” The amendment also adds definitions for biometric data and biometric identifier:

“Biometric data” means one or more biometric identifiers that are used or intended to be used, singly or in combination with each other or with other personal data, for identification purposes. “Biometric data” does not include the following unless the biometric data is used for identification purposes: (i) a digital or physical photograph; (ii) an audio or voice recording; or (iii) any data generated from a digital or physical photograph or an audio or video recording.

“Biometric identifier” means data generated by the technological processing, measurement, or analysis of a consumer’s biological, physical, or behavioral characteristics, which data can be processed for the purpose of uniquely identifying an individual. “Biometric identifier” includes: (a) a fingerprint; (b) a voiceprint; (c) a scan or record of an eye retina or iris; (d) a facial map, facial geometry, or facial template; or (e) other unique biological, physical, or behavioral patterns or characteristics.

While there are some similarities in these definitions to the corresponding definitions in the popular Illinois Biometric Information Privacy Act (BIPA), there are some significant differences. One is that a biometric identifier under the BIPA is defined as a “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” The Illinois law does not make reference to “other unique biological, physical, or behavioral patterns or characteristics.” There is also not a private right of action for violations of the CPA amendment, as there is in the BIPA.

Requirements. HB-1130 establishes several requirements for controllers that control or process one or more biometric identifiers. These requirements include:

  • Obtaining consent from the consumer (including the employee) before collecting the consumer’s biometric data.
  • A written policy that
    • Establishes a retention schedule for biometric identifiers and biometric information,
    • Includes a process for responding to a data security incident that would compromise the security of biometric identifiers or biometric information. This would include the process for notifying consumers under the state’s existing data breach notification law.
    • Establishes guidelines addressing the deletion of biometric identifiers within certain time frames.
  • Subject to certain exceptions, controllers must make the written policy available to the public. One exception is for a policy applying only to current employees of the controller.
  • Providing a reasonably accessible, clear, and meaningful privacy notice satisfying specific content requirements, including the purposes for processing.
  • Satisfying certain rights the consumer may have with respect to their biometric data, including the right to access.

HB-1130 also prohibits controllers from certain activities concerning biometric identifiers such as:

  • Selling, leasing or trading such information.
  • Disclosing biometric identifiers, subject to limited exceptions including consent and complying with federal or state law.
  • Refusing to provide a good or service to a consumer, based on the consumer’s refusal to consent to the controller’s collection, use, disclosure, etc. of a biometric identifier unless same is necessary to provide the good or service.

Controllers and processors also must use a reasonable standard of care when storing, transmitting, and protecting biometric identifiers from disclosure.

Employment provisions. HB-1130 includes certain specific provisions for employers. While the law provides that employers may require current or prospective employees to allow the employer to collect and process their biometric identifiers, they may do so only to

  • Permit access to secure physical locations and secure electronic hardware and software applications (but not obtain consent to retain such data for current employee location tracking or tracking time using a hardware or software application),
  • Record the commencement and conclusion of the employee’s full workday, including meal breaks and rest breaks in excess of 30 minutes,
  • Improve or monitor workplace safety or security or ensure the safety or security of employees,
  • Improve or monitor the safety or security of the public in the event of an emergency or crisis situation.

Collecting or processing biometric identifiers for other purposes will require consent that satisfies the applicable CPA requirements. However, employers will be able to collect and process biometric identifiers where the anticipated uses are “aligned with the reasonable expectations” of an employee based on the employee’s job description or role, or of a prospective employee based on reasonable background check, application or identification requirements.

Organizations that collect and process information that could be considered biometric identifiers or biometric data in various jurisdictions around the country will need to do a detailed analysis of the growing privacy and cybersecurity obligations, including incident response requirements. For assistance with that, please see our biometric law map.

On June 16, 2023, Nevada’s Governor signed Senate Bill (SB) 370, which enacts certain protections for consumer health data.

The law is similar to Washington’s My Health, My Data Act, which was passed in April. The Future of Privacy Forum prepared a useful chart comparing the Washington and Nevada laws.

Nevada’s law becomes operative on March 31, 2024.

To what entities does the law apply?

SB 370 applies to any person that:

  • Conducts business in Nevada or produces or provides products or services that are targeted at consumers in Nevada; and
  • Alone or with other persons, determines the purpose and means of processing, sharing, or selling consumer health data.

The law includes a long list of exceptions, including exclusions for:

  • any person or entity subject to the Health Insurance Portability and Accountability Act (HIPAA), and
  • a financial institution or affiliate that is subject to the provisions of the Gramm-Leach-Bliley Act.

Who is protected by the law?

SB 370 protects “consumers” – natural persons who have requested a product or service from a regulated business and who reside in the state of Nevada or whose health information is collected in Nevada. The law does not extend to natural persons acting in an employment context or as an agent of a governmental entity.

What data is protected by the law?

Consumer health data is protected under the law. This is defined as personal information that is linked or reasonably capable of being linked to a consumer which the covered business uses to identify the past, present, or future health status of the consumer. Consumer health data includes:

  • Any health condition or status, disease, or diagnosis
  • Social, psychological, behavioral, or medical intervention
  • Surgeries or health-related procedures
  • The use or acquisition of medication
  • Bodily functions, vital signs, or symptoms
  • Reproductive or sexual health care
  • Gender-affirming care
  • Biometric or genetic data

The law does not cover information used for certain research, public health, or health data shared pursuant to federal or state law.

What are the rights of consumers?

Similar to the California Consumer Privacy Act and the growing array of consumer privacy laws enacted in several states, consumers have certain rights under SB 370 concerning their consumer health information, such as:

  • The right to confirm whether a covered business is collecting, sharing, or selling their health data.
  • The right to access a list of all third parties with whom the business has shared or sold the consumer’s health data.
  • The right to request the business stop collection, sharing, or selling of the consumer’s health data.
  • The right to delete their health data.

What obligations do businesses have?

Below is a non-exhaustive list of obligations covered businesses have under SB 370.

Covered businesses must obtain affirmative voluntary consent when collecting and sharing consumer health data, except to the extent it is necessary to provide a product or service that the consumer has requested from the business. The covered business also may share consumer health information without consent when required by law.

Covered businesses shall upon request by a consumer:

  • Confirm whether the regulated entity is collecting, sharing, or selling the consumer’s health data.
  • Provide the consumer with a list of all third parties with whom the business has shared or sold the consumer’s health data.
  • Cease collection, sharing, or selling of the consumer’s health data.
  • Delete the consumer’s health data.

Responses to requests must be made without undue delay but no later than 45 days after the business authenticates the request. Note that under some other laws, such as Washington’s My Health, My Data Act, and the CCPA, the 45-day clock starts to run from the date the request is received, not when it is authenticated.

Covered businesses also are required to develop and maintain a policy concerning the privacy of consumer health data that clearly and conspicuously establishes:

  • The categories of consumer health data being collected and the manner in which it will be used.
  • The categories of sources from which the health data is collected
  • The categories of third parties and affiliates with whom the covered business shares health data.
  • The manner in which health data will be processed.
  • The procedure for submitting a request
  • The process by which a consumer can review and request changes to their health data
  • The way the business will notify consumers of changes to its privacy policy
  • Whether a third party may collect health data from the business
  • The effective date of the privacy policy

The business must conspicuously post a link to its policy on its main internet website or otherwise provide the policy to consumers in a manner that is clear and conspicuous. These website policy requirements across several states and countries are adding significant complexity to the compliance obligations of covered businesses.

Employees and processors of the covered business may be permitted to access consumer health information only where reasonably necessary (i) to further the purpose for which the consumer consented to the collection or sharing of the information, or (ii) to provide a product or service that the consumer requested.

Covered businesses also are required to establish, implement and maintain policies and practices for the administrative, technical, and physical security of consumer health data.

In addition, covered businesses may not establish a geofence within 1,750 feet of any medical facility for the purposes of identifying or tracking consumers seeking in-person health care, collecting health data, and sending notifications.

How is the law enforced?

The new law provides for enforcement by the Nevada Attorney General. There is no private right of action.

For additional information on Nevada’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

We have written several times about U.S. Department of Health and Human Services Office for Civil Rights’ “HIPAA Right of Access Initiative.” In its most recent enforcement action under the Initiative, the 44th such enforcement action, the OCR investigated a complaint made against a psychotherapist concerning the alleged refusal to provide medical records. Ultimately, and even after the OCR provided “technical assistance,” the OCR claimed the covered entity still failed to provide the records.

“Under HIPAA, parents, as the personal representatives of their minor children, generally have a right to access their children’s medical records,” said OCR Director Melanie Fontes Rainer. “It should not take an individual or their parent representative nearly six years and multiple complaints to gain access to patient records.”

The settlement resulted in a $15,000 resolution amount and required compliance with a two-year corrective action plan (CAP). The CAP includes the following requirements for the solo practitioner:

  • Review and revise right to access policies within 30 days of the settlement, and review and adopt OCR-recommended changes to such policies.
  • Provide to the OCR right to access training materials within 60 days of the settlement for OCR’s review and approval.
  • Following OCR’s approval of the training materials, provide training to all employees within 30 days and annually thereafter.
  • Provide the requested records to the complainant within 15 days of the settlement.
  • Within 90 days of receiving OCR’s approval of the right to access policies and procedures, and every 90 days thereafter, submit to OCR a detailed list of requests for access received by the healthcare provider, and documentation for any denials of access.
  • In the event an employee of the provider fails to comply with the right to access policies, the provider must notify OCR within 30 days and include a description of the failure and mitigation plan.
  • Within 120 days after OCR’s approval of the provider’s right to access policies and procedures, submit to OCR a report summarizing the status of implementation.
  • Within 60 days after the end of each year of the CAP, submit to OCR an annual report regarding the healthcare provider’s compliance with the CAP.

For small providers, the HIPAA rules can be confusing; they also are more than 20 years old. So, smaller practitioners, particularly those newer to practice, simply may not be fully aware of the scope of and obligations under the HIPAA privacy, security, and breach notification rules. Compliance goes well beyond handing patients a template Notice of Privacy Practices and having a secure electronic medical record platform.

The full scope of the HIPAA rules is beyond the scope of this post, but at least for the right to access and considering the OCR’s Enforcement Initiative, here are some resources to help avoid patient complaints and an onerous OCR corrective enforcement action:

On May 1, 2023, Governor Holcomb signed Senate Bill 5, Indiana’s comprehensive privacy statute (the Act). The Act will become operative on January 1, 2026, and make Indiana the seventh state, after California, Colorado, Connecticut, Iowa, Utah, and Virginia, to enact a comprehensive consumer privacy statute.

Indiana beat Montana and Tennessee, which both have consumer privacy statutes pending signature by their governors.

The Act applies to persons that conduct business in Indiana or produce products or services that are targeted to residents of the state and that, during a calendar year:

  • Control or process the personal data of at least 100,000 consumers who are residents of the state, or
  • Control or process personal data of at least 25,000 consumers who are residents of the state and derive more than 50% of gross revenue from the sale of personal data.

Like other states’ comprehensive consumer privacy laws, the statute provides consumers with the right to access personal data being processed, to delete personal data, and to opt out of the sale of their personal data.

For additional information on Indiana’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

The Indiana Legislature is poised to pass Senate Bill 5, a comprehensive privacy statute (the “Act”), and send it on to the Governor. Once signed, the Act will become operative on January 1, 2026, and make Indiana the seventh state, after California, Colorado, Connecticut, Iowa, Utah, and Virginia to enact a comprehensive consumer privacy statute.

Key Elements

Similar to the Colorado Privacy Act (CPA) and the Virginia Consumer Data Privacy Act (VCDPA), the Act was modeled in part on the CCPA, CPRA, and the EU General Data Protection Regulation (GDPR). But there are some variations. Key elements of the Act include:

When does the Act apply? The Act applies to persons that conduct business in Indiana or produce products or services that are targeted to residents of the state and that, during a calendar year:

  • Control or process personal data of at least 100,000 consumers who are residents of the state, or
  • Control or process personal data of at least 25,000 consumers who are residents of the state and derive more than 50% of gross revenue from the sale of personal data.

Are there exemptions? Persons not subject to the Act include the State of Indiana and state agencies, third-party contractors of the state and such agencies acting on their behalf (but only with respect to such contracts), financial institutions, HIPAA-covered entities and business associates, not-for-profit organizations, institutions of higher education, and public utilities.

Who is protected under the Act? The Act protects the personal information of a “consumer,” defined as an individual who:

  • Is a resident of the state, and
  • Is acting only for personal, family, or household purposes.

Like the recently passed Iowa statute, Indiana excludes individuals acting in a commercial or employment context from its definition of consumer.

What “personal data” is protected under the Act? Under the Act, personal data is defined broadly as information that is linked or reasonably linkable to an individual. The definition excludes de-identified data, aggregate data, or publicly available information.

What rights do consumers have under the Act? The Act provides consumers with the following rights:

  • The right to request confirmation of whether a business is processing their personal data and related information.
  • The right to access their personal data upon request.
  • The right to correct information a company possesses.
  • The right to delete personal information obtained by businesses.
  • The right to opt out of the processing of personal data for purposes of targeted advertising, sale of personal data, or certain profiling activities.

The rules surrounding the administration of these rights pull from similar language in the other state privacy laws – a 45-day period to respond, a verification requirement, and a right to appeal a controller’s adverse decision concerning a consumer right request.

What obligations do covered persons have?

The Act lays out a list of obligations for controllers which generally track the laws in the other states. Without limitation, controllers must:

  • limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed,
  • establish, implement, and maintain reasonable administrative, technical, and physical security practices to protect the confidentiality, integrity, and accessibility of personal data,
  • not discriminate against a consumer for exercising rights under the Act,
  • not process sensitive data without the consumer’s consent,
  • provide consumers with a privacy notice that explains, among other things, the categories of personal data the controller processes and shares with third parties, and
  • provide consumers the opportunity to opt out of the sale of personal data and explain the means to exercise these and other rights under the Act.

For processing activities created or generated after December 31, 2025, controllers need to conduct and document impact assessments for certain processing activities, such as the sale of personal data and the processing of sensitive data. In short, these assessments must weigh the benefits of the processing and the risks to the consumer, considering risk mitigation efforts by the controller.

With respect to processors, the Act requires that they adhere to the instructions of controllers, such as assisting the controller with responding to consumer requests. Contracts between controllers and processors must include certain provisions, such as instructions for processing personal data and the nature and duration of the processing. Other required provisions include (i) a requirement for processors to make available all information in the processor’s possession to demonstrate the processor’s compliance with the Act, (ii) a requirement to cooperate with reasonable assessments of compliance by the controller (or to arrange for a qualified and independent assessor), and (iii) an obligation to push the Act’s required provisions down to the processor’s subcontractors.

How is the law enforced, any private right of action? Unlike the CCPA, Indiana’s statute does not include a private right of action for consumers. In fact, the Act states that “[n]othing in [the Act] shall be construed as providing the basis for a private right of action for violations of this article or any other law.” Instead, the state attorney general will have exclusive enforcement authority. Businesses that are found to have violated the law may face fines of up to $7,500 per violation.


On March 28, 2023, Iowa’s Governor signed Iowa’s new statute relating to consumer data protection. Iowa joins California, Colorado, Connecticut, Utah, and Virginia in the ever-growing patchwork of consumer privacy laws across the country.

The new law takes effect on January 1, 2025.

Iowa’s consumer privacy law covers businesses that control or process personal data on 100,000 consumers in the state or derive 50% of their revenue from selling the data of more than 25,000 consumers. A consumer under Iowa’s statute is defined as a natural person who is a resident of the state and active in an individual or household context. Individuals acting in a commercial or employment context are excluded.

Like other states’ comprehensive consumer privacy laws, the statute provides consumers with the right to access personal data being processed, to delete personal data, and to opt out of the sale of their personal data.
