192 | Indiana Code Concerning Trade Regulation
SECTION 1. IC 24-15 IS ADDED TO THE INDIANA CODE AS A NEW ARTICLE TO READ AS FOLLOWS [EFFECTIVE
JANUARY 1, 2026]:
ARTICLE 15. CONSUMER DATA PROTECTION
Chapter 1. Applicability
Sec. 1. (a)  This article applies to a person that conducts business in Indiana or produces products or services that are targeted
to residents of Indiana and that during a calendar year:
(1)  controls or processes personal data of at least one hundred thousand (100,000) consumers who are Indiana
residents; or
(2)  controls or processes personal data of at least twenty-five thousand (25,000) consumers who are Indiana
residents and derives more than fifty percent (50%) of gross revenue from the sale of personal data.
(b) This article does not apply to any of the following:
(1) Either of the following:
(A)  The state, a state agency, or a body, authority, board, bureau, commission, district, or agency of any political
subdivision of the state.
(B)  A third party under contract with an entity described in clause (A), when acting on behalf of the entity. This
clause does not exempt data held or created by third parties outside of the scope of the contract with the
entity.
(2)  Any financial institutions and affiliates, or data subject to Title V of the federal Gramm-Leach-Bliley Act (15
U.S.C. 6801 et seq.).
(3)  Any covered entity or business associate governed by the privacy, security, and breach notification rules issued
by the United States Department of Health and Human Services (45 CFR Parts 160 and 164) pursuant to HIPAA.
(4) Any nonprofit organization.
(5) Any institution of higher education.
(6)  Any public utility (as defined in IC 8-1-2-1(a)) or service company affiliated with a public utility (as defined in IC
8-1-2-1(a)). For purposes of this subdivision, “service company” means an associate company within a holding
company system organized specifically for the purpose of providing goods or services to a public utility (as
defined in IC 8-1-2-1(a)) in the same holding company system.
Sec. 2. The following information and data are exempt from this article:
(1)  Protected health information under HIPAA and related regulations under 45 CFR Part 160, 45 CFR Part 162,
and 45 CFR Part 164.
(2) Patient identifying information for purposes of 42 U.S.C. 290dd-2.
(3) Any of the following:
(A)  Identifiable private information for purposes of the federal policy for the protection of human subjects under
45 CFR Part 46.
(B)  Identifiable private information that is otherwise information collected as part of human subjects research
under the good clinical practice guidelines issued by the International Council for Harmonisation of Technical
Requirements for Pharmaceuticals for Human Use.