(1) A controller shall limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.

Ask a business law question, get an answer ASAP!
Thousands of highly rated, verified business lawyers.
Click here to chat with a lawyer about your rights.

(3) A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices required under this subdivision must be appropriate to the volume and nature of the personal data at issue.

(4) A controller shall not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights set forth in this article, including by denying goods or services to the consumer, charging different prices or rates for goods and services, or providing a different level or quality of goods or services to the consumer. However, nothing in this subdivision shall be construed to:

(A) require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain; or

(B) prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised the consumer’s right to opt out under IC 24-15-3-1(b)(5) or if the offer is related to a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discount, or club card program.

(5) A controller shall not process sensitive data concerning a consumer without obtaining the consumer’s consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children’s Online Privacy Protection Act (15 U.S.C. § 6501 et seq.).

As added by P.L.94-2023, SEC.1.