The individual rights INCDPA provides align with the majority of other states’ laws. If INCDPA applies to your business, you must allow consumers to:
- Confirm whether your business is processing any data and, if so, access it
- Correct inaccuracies in personal data they provided
- Delete personal data
- Get a copy of certain personal data they provided (data portability)
- Opt-out of the sale of personal data and processing for profiling and targeted advertising
In Indiana, businesses will have a period of 45 days after receipt to respond to Individual Rights Requests (unless the business has been unable to authenticate a request), with a 45-day extension in limited circumstances.
Responses to Individual Rights Requests must be provided free of charge at least once a year. If a business declines to take a requested action, it must notify the consumer in writing and provide instructions for appeal.
The appeal process must be conspicuously available to the consumer and similar to the process for submitting requests (as in Montana, Iowa, Tennessee, and more). Businesses must respond to appeals within 60 days of receipt and, if denying an appeal, must provide an online mechanism or other method for contacting the Indiana State Attorney General to submit a complaint.
Like Virginia, Montana, Iowa, Tennessee, and some other states, Indiana’s data protection law states that a business does not need to include pseudonymous data in its response to Individual Rights Requests.
While INCDPA definition of ‘pseudonymous data’ differs from the other laws, the effect is the same. Under INCDPA, ‘pseudonymous data’ is defined as:
“personal data that cannot be attributed to a specific individual because additional information that would allow the data to be attributed to a specific individual is: (1) kept separately; and (2) subject to appropriate technical and organizational measures; to ensure that the personal data is not attributed to an identified or identifiable individual.”
One of the most common uses of pseudonymous data is in the clinical trial context, where each trial participant is assigned a random ID and their actual identity is only known to medical staff (the sponsor/manufacturing company, labs, and other supporting entities only can see the random ID).
Other types of organizations may want to consider taking this approach, especially those that already assign identifiers through, for example:
- Loyalty or participation rewards programs such as frequent flier/renter/buyer/guest numbers
- Membership IDs (like insurance companies, libraries, and fitness centers)
- Player ID (for online and mobile games)