Policy Briefing — August 15, 2025

Executive briefing: Indiana Senate Enrolled Act 5 (SEA 5) takes effect on January 1, 2026, creating comprehensive consumer privacy rights enforced by the Attorney General. Controllers meeting the 100,000-resident threshold—or 25,000 with at least 50 percent revenue from data sales—must honour access, correction, deletion, and portability requests within 45 days, publish clear privacy notices, and conduct data protection assessments for profiling, targeted advertising, and processing of sensitive personal data.

Key policy checkpoints

Transparency updates. Ensure privacy notices list processing purposes, categories of data shared with third parties, and appeal mechanisms as required by SEA 5 Section 8.
Universal opt-out. Implement mechanisms to recognise browser-based opt-out signals for targeted advertising and data sales.
Sensitive data governance. Require consent before processing precise geolocation, biometric, or children’s data, and maintain revocation handling.

Operational priorities

Request fulfilment. Build workflows to authenticate consumers, respond within statutory timelines, and log appeals for Attorney General review.
Assessment backlog. Prioritise data protection assessments for AI-driven profiling or automated decision-making that could materially affect consumers.
Vendor oversight. Amend processor contracts to include deletion assistance, sub-processor disclosures, and compliance attestations.

Enablement moves

Train frontline teams on Indiana-specific definitions—such as “targeted advertising” and “sale” of personal data—to avoid inconsistent interpretations.
Align Indiana readiness with neighbouring state requirements (Kentucky, Ohio) to streamline Midwest compliance operations.

Sources

Zeph Tech compresses Indiana privacy readiness into a single dashboard, aligning policy updates, consent engineering, and request handling playbooks.