Do Indiana privacy laws really protect Hoosiers? Report card issues a failing grade

Chris Sims, Indianapolis Star
·4 min read

U.S. consumers are constantly under attack where their privacy and data are concerned.

Public Interest Research Groups (PIRG) and the Electronic Privacy Information Center (EPIC) have teamed up to create privacy law report cards for the states that have enacted privacy laws since 2018.

Forty-four states have examined comprehensive privacy laws, but only a small portion have actually passed them.

Indiana privacy laws: Doctor violated girl's privacy in abortion case, medical board finds

Here's what you need to know about privacy laws and how each state fared:

What is Public Interest Research Groups or PIRG?

According to their website, PIRG is an advocate for the public interest that speaks out for the public and stands up to special interests on problems that affect the public’s health, safety and wellbeing.

What is Electronic Privacy Information Center or EPIC?

According to their website, EPIC was created in 1994 to protect privacy, freedom of expression and democratic values in the information age. The nonprofit's mission is to secure the fundamental right to privacy in the digital age for all people through advocacy, research and litigation.

A bipartisan group of senators and representatives is pushing for a sweeping privacy bill that would give New Hampshire consumers more control over personal data.
A bipartisan group of senators and representatives is pushing for a sweeping privacy bill that would give New Hampshire consumers more control over personal data.

What personal information is protected by the Privacy Act?

The Privacy Act of 1974 "grants individuals increased rights of access to records maintained about them as well as the right to seek amendment of records maintained about them," according to the U.S. Department of the Treasury.

How many states have privacy laws for data in the U.S.?

There are 14 states with privacy laws in the U.S., according to PIRG.

Indiana legislation 2024: State lawmakers' fights with Indy continue and more from 3rd week of 2024 session

Which states have privacy laws in the U.S.?

According to PIRG, the states that have passed privacy laws in the U.S. include:

Public Interest Research Groups (PIRG) and the Electronic Privacy Information Center (EPIC) teamed up to create privacy law report cards for the states that have enacted privacy laws since 2018.
Public Interest Research Groups (PIRG) and the Electronic Privacy Information Center (EPIC) teamed up to create privacy law report cards for the states that have enacted privacy laws since 2018.

When does state privacy law supersede HIPAA?

According to hipaajournal.com, if a state law provides greater privacy protections for individuallly identifiable health information than HIPAA or proivdes more privacy rights, then state privacy laws supersedes HIPAA.

The standard or clause of the stte law applies rather than the whole of the state policy in these cases.

Why are privacy laws important?

According to PIRG, consumer's personal security is at risk because consumer data is being collected more often than most epople know and is being sold to multiple companies consumers don't even know about.

Are state privacy laws in the U.S. being shaped by industry?

Simply put, yes. According to PIRG, California is the only state of the 14 that have passed privacy laws that does NOT follow a model intially drafted by industry giants such as Amazon.

The press release states: "While California’s rules became law in response to a proposed ballot question, Virginia’s legislation had been handed to the bill sponsor by an Amazon lobbyist, and it was based on an earlier bill from Washington state that had been modified at the behest of Amazon, Comcast, Microsoft and other industry lobbyists."

Virginia became the second state to enact privacy laws in 2021. The law was weak, according to PIRG, but became the national standard for other laws written throughout the country.

Pir noted that some lobbyists have pivoted to pushing the “Connecticut model” more recently. The bill is similar to Virginia's but actually has a couple of perks for consumers.

Indiana Consumer Data Protection Act

Visit iga.in.gov to read the specifics of the Indiana Consumer Data Protection Act.

Indiana privacy laws grade: F

Indiana receives a failing grade because the Indiana Consumer Data Protection Act "provides no meaningful privacy protections to consumers." Here's where it fails, according to PIRG:

  • Companies can keep collecting whatever data they want from people and using it just about however they like.

  • If consumers want to opt-out of data collection or tell companies to delete their data, they have to do so one at a time to the hundreds, if not thousands, of entities already holding their personal information.

  • Consumers can’t hold companies accountable in court for violating the few rights consumers are given.

What do strong privacy laws in U.S. look like?

According to PIRG, there are 5 things a state should do to receive an A+ on the report card:

  • Limit companies to only collecting the data that’s required to deliver a service the consumer is expecting to get, and use the data only for that purpose.

  • Give consumers rights that are actually easy to exercise, like letting consumers send one deletion request to hundreds of data brokers at one time.

  • Ban tricky designs that make it more likely you’ll accidentally consent to data collection you didn’t mean to (think cookie pop-ups)

  • Appoint a regulator and give them tools to identify and hold accountable companies that have broken the law

  • Allow consumers to hold companies that violate their rights accountable in court

Chris Sims is a digital content producer at Midwest Connect Gannett. Follow him on Twitter: @ChrisFSims.

This article originally appeared on Journal Star: Privacy laws report card 2024: PIRG, EPIC hand Indiana grade of 'F'