Can I ensure that my company is compliant with expanding privacy protections in Indiana? What are the requirements?

Indiana Privacy Protection Requirements

To ensure that your company is compliant with expanding privacy protections in Indiana, you need to follow the requirements outlined in the following documents:

• ^[1.3] Initial privacy notice to consumers
• ^[1.1] Revised privacy notices
• ^[1.4] Information to be included in privacy notices
• ^[1.2] Annual privacy notice to customers

Initial Privacy Notice

According to ^[1.3], a licensee must provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to an individual who becomes the licensee’s customer, not later than when the licensee establishes a customer relationship. The licensee is not required to provide an initial notice to a consumer if the licensee does not disclose any nonpublic personal financial information about the consumer to any nonaffiliated third party, other than as authorized by sections 13 and 14 of this rule, and the licensee does not have a customer relationship with the consumer.

Revised Privacy Notice

A licensee shall provide a revised notice before it discloses a new category of nonpublic personal financial information to any nonaffiliated third party, discloses nonpublic personal financial information to a new category of nonaffiliated third party, or discloses nonpublic personal financial information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt-out right regarding that disclosure, as stated in ^[1.1].

Annual Privacy Notice

A licensee shall provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship as outlined in ^[1.2]. The licensee may define the twelve (12) consecutive month period, but the licensee shall apply it to the customer on a consistent basis. A licensee provides a notice annually if it defines the twelve (12) consecutive month period as a calendar year and provides the annual notice to the customer once in each calendar year following the calendar year in which the licensee provided the initial notice.

Information to be Included in Privacy Notices

The initial, annual, and revised privacy notices that a licensee provides under sections 3, 4, and 7 of this rule shall include each of the following items of information, in addition to any other information the licensee wishes to provide, that applies to the licensee and to the consumers to whom the licensee sends its privacy notice, as stated in ^[1.4]:

• The categories of nonpublic personal financial information that the licensee collects.
• The categories of nonpublic personal financial information that the licensee discloses.
• The categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information under sections 13 and 14 of this rule.
• The categories of nonpublic personal financial information about the licensee’s former customers that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about the licensee’s former customers, other than those parties to whom the licensee discloses information under sections 13 and 14 of this rule.
• If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under section 12 of this rule (and no other exception in sections 13 and 14 of this rule applies to that disclosure), a separate description of the categories of information the licensee discloses and the categories of third parties with whom the licensee has contracted.
• An explanation of the consumer’s right under section 9(a) of this rule to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time.
• Any disclosures that the licensee makes under Section 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act, 15 U.S.C. 1681a(d)(2)(A)(iii), regarding the ability to opt out of disclosures of information among affiliates.
• The licensee’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.
• Any disclosure that the licensee makes under subsection (b).

Conclusion

To ensure compliance with expanding privacy protections in Indiana, your company must provide an initial privacy notice to customers, a revised privacy notice when disclosing new categories of nonpublic personal financial information, an annual privacy notice, and include specific information in all privacy notices as outlined in ^[1.3], ^[1.4], and ^[1.2].

Source(s):

• [1.1] Revised privacy notices
• [1.2] Annual privacy notice to customers
• [1.3] Initial privacy notice to consumers
• [1.4] Information to be included in privacy notices

Jurisdiction

Indiana

• Privacy