Data privacy management is a management function of businesses and other entities. It generally involves managing the business’s collection and processing of consumer data that it uses for various purposes, e.g., marketing. Of course, a business must first decide whether it should collect consumer data and, if so, what data it needs to collect. Once in possession of consumer data, businesses must make sure the data is kept secure and private.
A business needs to deploy various cybersecurity measures to protect the privacy of its own and its customers’ information in order to avoid data privacy lawsuits. A data privacy management system would also have to offer consumers features they can use to educate and inform themselves about their data and allow them to control how it is used to the extent that is allowed.
Importantly, it would also have to comply with all applicable Indiana and federal laws and regulations that govern how businesses collect, use, store, share, and sometimes sell the data they collect from consumers.
Of course, consumers are afraid that if their data is accessed by people who should not have it through data breaches by bad actors and criminals, it puts them at risk of being victimized by identity theft and other types of theft and consumer fraud.
What Are Some Common Data Privacy Violations?
- Processing Consumer Data Absent Consent: An organization may continue to collect and process sensitive personal data even if they have not been given consent by the consumer. Of course, this would mean that a law or regulation requires a company to obtain the consent of consumers to collect their data and make use of it.
- Lack of Adequate Protection of Data: Businesses and other entities, e.g., non-profit organizations, may not have adequate controls in place to protect the sensitive data of consumers that they collect and maintain. Organizations engaged in processing large amounts of consumer data sometimes may not track it and secure it adequately.
- A company may store sensitive personal information on peripheral devices or servers even after the data has been used as desired by the company. Then a hacker may gain access to such information as Social Security numbers, because controls are inadequate.
- Inadequate Monitoring of Third-party Data Sharing: Businesses may share information with other third-party partners, vendors and contractors. This may be done via methods over which the controller of the data does not have control. So once it has left the environment of the business, it is not secure.
What Data Must Indiana Businesses Protect Under Privacy Laws?
The Indiana Consumer Data Protection Act (INCDPA) is effective as of January 1, 2026. It introduces new requirements to Indiana businesses for their handling of the personal data of Indiana residents. Businesses should inform themselves about this new law and plan how they will comply with it.
The INCDPA has been modeled on privacy laws that other states have adopted. It gives Indiana consumers certain rights with respect to their personal data. It also imposes obligations on some of the businesses that control and process that data.
The INCDPA applies to entities that do business in Indiana. They may produce products for or provide services to Indiana residents. However, to be subject to the INCDPA in Indiana, a business must do one of the following during a single calendar year:
- It must control or process the personal data of at least 100,000 Indiana consumers annually.
- It must control or process the data of at least 25,000 Indiana consumers and derive over 50% of gross revenue from selling personal data.
These requirements would limit the applicability of the INCDPA and the protections it offers to consumers.
The new INCDPA gives Indiana consumers the following rights with respect to their data:
- Right to Confirm Processing and Access Data: A consumer has a right to confirm with a business whether it processes their personal data and to access the data if the business does process it.
- Correct Incorrect Data: A consumer has the right to review their data and correct any inaccuracies that they may contain.
- Deletion: A consumer has a right to delete personal data, whether they were provided by the consumer or obtained from another source.
- Data Portability: A consumer has a right to get a copy of their data file in a format that is portable.
- Opt Out: A consumer has a right to opt out of data processing for the purposes of targeted advertising, sale of their personal data, and profiling.
There are also several federal laws that offer privacy protections for consumers’ data, as follows:
- Health Insurance Portability and Accountability Act (HIPAA): This federal law applies to businesses in the healthcare industry that deal with the Protected Health Information (PHI) of individuals. These businesses must comply with HIPAA, which protects the security of people’s private medical information.
- Children’s Online Privacy Protection Act (COPPA): This federal law focuses mainly on protecting the personal data of minors and the sensitive personal data of minors under 13 years of age in all states including Indiana. Hence, businesses that collect and manage the data of minors must employ practices that comply with COPPA.
- Gramm-Leach-Bliley Act (GLBA): Businesses that operate in the financial industry may have to comply with the GLBA. The GLBA requires financial institutions to inform customers about their data-sharing practices. They must also protect their customers’ sensitive information.
- Fair Credit Reporting Act (FCRA): The FCRA governs consumer credit reporting agencies, among other activities. It requires businesses to ensure that credit data is accurate and secure.
Of course, the Fourth Amendment to the U.S. Constitution gives individuals in the U.S. the right “to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.”
The Fourth Amendment has been interpreted to give Americans a reasonable expectation of privacy in such locations as their places of residence and certain areas of their vehicles.
It has also been interpreted to extend to electronic data and digital privacy, i.e., the information and data that people generate through their use of such technologies as cell phones, email and wearable devices. Generally, the government needs a warrant to access a person’s private personal digital information.
However, the Fourth Amendment applies only to governments. It does not constrain private entities, e.g., private businesses. Other federal and state laws must be looked to for providing people the protection they need in the private sector.
When Can an Indiana Business Be Sued for Data Privacy Violations?
The Indiana Attorney General (AG) enforces the INCDPA. The AG can go to court to seek an injunction and/or payment of a fine of as much as $7,500 per violation.
The AG must give a business notice of a violation at least 30 days before taking any action. This gives the business the opportunity to correct their violation before the AG takes legal action. If the business corrects the violation, the AG cannot act. A private consumer does not have the right to sue a business that violates the INCDPA. The INCDPA gives that authority only to the Indiana AG.
However, Indiana businesses can be sued directly by consumers who are harmed by data privacy violations of federal laws. These are commonly referred to as “data breaches.” The individual who sues a business must prove that they were harmed by any breach.
In other words, an individual would not sue a company or other organization just because they experienced data breaches, e.g., data was hacked by an unauthorized party. The victim must have suffered measurable harm, usually economic losses.
In Indiana, data privacy lawsuits might claim breach of contract, negligence, and/or violations of federal privacy laws. If the victim had a non-disclosure agreement with the party they sue that applies to their situation and was breached, they could allege breach of that contract.
Again, they would need to prove that the data privacy violation was the direct cause of harm to themselves, generally economic loss that can be quantified.
Are There Any Legal Remedies for Data Privacy Legal Issues?
Available legal remedies would be an award of compensatory damages. This would be an amount of money that would compensate the victim for any financial losses they have suffered. Compensatory damages would also compensate the victim for any expenses they incurred in trying to mitigate their damages, i.e., minimize their losses.
Under certain Indiana or federal laws, a victim may be able to recover an amount equal to their attorney’s fees and court costs. An Indiana lawyer consultation would help a person figure out how best to sue a company that has harmed them through inadequate protection of their sensitive personal data.
If an individual suffers emotional injury, such as anxiety, fear, depression and loss of enjoyment in life, they may claim infliction of emotional distress. They would need to have solid evidence of their suffering such as medical records of treatment by a physician. They might need to enlist the services of an expert witness to testify about the victim’s emotional distress.
If a business has not changed its practices so as to prevent a continuing exposure of its customers’ personal private data, then an individual may need to go to court to get an injunction. An injunction is a court order that directs a party to do or cease doing some activity or action.
How Can Indiana Businesses Reduce the Risk of Data Privacy Lawsuits?
Businesses can take a number of steps to reduce their risk of data privacy lawsuits. They can consult experts in the field of cybersecurity or employ individuals who are well-educated and trained in cybersecurity. Consultants and employees with the appropriate training would be able to advise a business about security and privacy policies that comply with both Indiana and federal laws.
A business would want consultants and employees to conduct regular assessments of its data privacy risk status. They would look for security vulnerabilities and develop strategies for eliminating any that they find. They would want to consult an Indiana lawyer about staying up-to-date with the requirements of all state and federal laws and regulations. They would ask their lawyer what particular issues can give rise to lawsuits by consumers.
In addition, a business might want to be sure that there is a mandatory binding arbitration clause in their agreements with the customers, contractors and suppliers with which they do business. Including waivers of class actions in all of their contracts is also advisable, as it would enable them to limit or completely avoid costly class action lawsuits.
Should I Hire a Lawyer for Help with a Data Privacy Lawsuit?
If you have suffered economic losses because your sensitive personal data has been compromised by a business or other organization, you want to consult an Indiana business lawyer. Your lawyer can investigate how your data might have been revealed and which federal or state law or regulation can offer you the compensation you deserve.
If you are a business or other organization, you too want to talk to an Indiana business lawyer to discuss whether the INCDPA applies to you and whether you are in compliance now or need to take new measures to prepare your organization to meet its requirements. You do not want to wait until you have been sued to get your organization into compliance with Indiana and federal law.