205 | Indiana Code Concerning Trade Regulation
Sec. 4.  A controller or processor that discloses personal data to a third party controller or processor in compliance with this
article is not in violation of this article if the third party controller or processor that receives and processes the personal
data violates this article, as long as, at the time of disclosing the personal data, the disclosing controller or processor
did not have actual knowledge that the recipient intended to commit a violation. A third party controller or processor
receiving personal data from a controller or processor is likewise not in violation of this article solely because of the
transgressions of the controller or processor from which it receives such personal data.
Sec. 5. This article:
(1)  shall not be construed as an obligation imposed on controllers and processors that adversely affects the rights
or freedoms of any persons, such as exercising the right of free speech under the First Amendment to the
Constitution of the United States; and
(2) does not apply to personal data in the context of a purely personal or household activity.
Sec. 6. Nothing in this article shall be construed as requiring a controller to disclose trade secrets.
Sec. 7. (a)  Personal data processed by a controller for a purpose authorized under this chapter may not be processed for
any other purpose unless otherwise allowed under this article. Personal data processed by a controller under this
chapter may be processed to the extent that such processing is:
(1) reasonably necessary and proportionate to a purpose authorized under this chapter; and
(2) adequate, relevant, and limited to what is necessary in relation to the specific purpose.
(b) Personal data collected, used, or retained under section 2 of this chapter:
(1) shall, as applicable, take into account the nature and purpose of the collection, use, or retention; and
(2) must be subject to reasonable administrative, technical, and physical measures to:
(A) protect the confidentiality, integrity, and accessibility of the personal data; and
(B)  reduce reasonably foreseeable risks of harm to consumers relating to such collection, use, or retention of
the personal data.
(c)  If a controller processes personal data pursuant to an exemption under this chapter, the controller bears the burden
of demonstrating that such processing:
(1) qualifies for the exemption; and
(2) complies with the requirements set forth in this section.
Chapter 9. Investigative Authority
Sec. 1.  Whenever the attorney general has reasonable cause to believe that any person has engaged in, is engaging in, or is
about to engage in any violation of this article, the attorney general is empowered to issue a civil investigative demand
to investigate the suspected violation.