(From left) Consumer Protection Director Scott Barnhart, Data Privacy Section Chief Doug Swetnam, and Attorney General Todd Rokita spoke to the press Tuesday morning, Nov. 25, in the Media Room at the Indiana Government Center South, located across the street from the Statehouse. (Reporter photo)
AG Rokita: “Your personal data is your personal property”
By STU CLAMPITT
news@readthereporter.com
On Tuesday, Nov. 25, Attorney General Todd Rokita and members of his team put the surveillance economy on notice with the “Data Consumer Bill of Rights.”
“Protecting Hoosiers personal information has always been a priority of our office,” Rokita said. “We’ve been in this game a long time. We’ve sued Google over their use of your location data, and we’ve consistently enforced the privacy rights under HIPAA regarding your health care information. Starting Jan. 1, 2026, we will enforce Indiana’s new Consumer Data Protection Act because we now live in a full-blown, what I call ‘surveillance economy.’”
According to Rokita, data from every online click, purchase, and search, as well as every visit to a doctor and dollar you spend is tracked, packaged, and sold.
“Your personal data is your personal property, and for years now, decades now, it’s been taken from you,” Rokita said. “Your personal data has been treated like someone else’s property for too long. Thanks to unanimous bipartisan action by our General Assembly, we now have a huge first step, not a complete solution by any means, but a huge first step in empowering Hoosiers to steward and protect their own data. You’ve got to put the power in our own hands to keep our property ours.”
Companies that do business with Hoosiers will be required by law to put a clearly marked “privacy notice” or “your data rights” information link in a prominent position on their websites.
“A common practice, and what we suggest, is that companies put that on the bottom right-hand corner of their home page,” Rokita said.
Starting Jan. 1, Hoosiers have the right to correct inaccuracies in personal data held by a company, delete personal data held by a company, and obtain your personal data in an easily transferable form. After 45 days, if a company has not complied, you call the AG’s office for assistance.
“By far, it’s not a perfect law,” Rokita said. “There are exemptions in this law that special interest groups and lobbyists put in, and some have no sense whatsoever. The idea that utilities – our power generators – need an exemption from this law in this day and age when it’s in the non-nuclear context is absolutely ridiculous. Some of our nonprofits are the biggest takers of our private personal data, but they’re exempted from this law. Why? Who knows? Other exemptions may be in place because they’re preempted by federal law.”
Examples of exemptions from the Indiana law that are preempted by federal law include banking and HIPAA-related statutes, according to Rokita.
Scott Barnhart, Chief Counsel and Director of Consumer Protection at the Office of the Indiana Attorney General, echoed Rokita’s position that this law is a good start.
“This is a good first step,” Barnhart said. “The surveillance economy is there. It’s not going away, but this allows for an opportunity for consumers to recapture some of their privacy, recapture some transparency into the system, [and] to better understand how data brokers and others are using their information. There is a reason why there are approximately 56 data centers in Indiana. Those data centers are accumulating information, and they’re accumulating data on consumers, and they’re using it. This will allow the opportunity for consumers to empower themselves to better understand how that data is being used.”
According to Rokita, the consumer protection division of the AG’s office is its second-largest division.
“It’s a very active division,” Rokita said. “We were the first in the nation to sue the Chinese government, for example.”
Doug Swetnam, Section Chief of the Data Privacy & Identity Theft Unit at the Office of the Indiana Attorney General also spoke on Tuesday.
“There are areas that are not covered because of the exemptions, and I think that we will certainly make recommendations moving forward with the General Assembly about ways that we could protect consumers even better,” Swetnam said. “But we’re looking forward to being able to have a new tool in our toolbox for enforcing the rights of consumers to privacy and the ability for them to control their data. The section is set up where companies are required under this law to provide a privacy notice that explains what data they’re collecting from you and how they’re using it in a simple to understand way.”
According to Swetnam, examples of complaints consumers will be able to make through an online portal hosted by the AG’s office include:
- I couldn’t find their policy.
- I don’t know how to delete my data or correct my data.
- I read what they had on their website, but it was complicated and I couldn’t understand it.
“That transparency into how companies are collecting the data and using it is something that will be new for consumers, and that really gives a lot of power to consumers to make choices about who they do business with,” Swetnam said. “If you don’t like what they’re doing, you do have a choice not to do business with that company and that may become a differentiator in the market. We are looking forward to making sure that that law is enforced and that consumers have some level of protection, finally, where they used to have none.”
The Consumer Data Protection Act was passed in 2023 and takes effect Jan. 1, 2026. Due to that long delay in implementation, Rokita said there is no excuse for a company to claim ignorance as a way to avoid penalties for non-compliance.
“Any company that wants to claim ignorance needs to change their lawyers,” Rokita said.
When asked if there will eventually be an online location for consumers to see a list of companies that have not complied or have a pattern of not complying, Rokita said, “I will commit to that to the extent I can under the public records laws and everything else. I’ll compile that and publish it. I think that’s a great deterrent. And again, it’s a tool to empower consumers.”
You can read the full text of the Data Consumer Bill of Rights at tinyurl.com/DataBOR.
Editor’s note: The Hamilton County Reporter’s website, ReadTheReporter.com, has never stored, shared, or sold personal data from website visitors. We will have a clear data privacy statement to that effect posted on every page before Jan. 1. This newspaper is not in the business of sharing or selling consumer data, and we are pleased that the State of Indiana is finally making life a little harder for data brokers everywhere.
