The Indiana Consumer Data Protection Act (ICDPA) excludes financial institutions and certain financial data from its scope of applicability.

Text of Relevant Provisions

ICDPA Ch.1(1)(b)(2):

"(b) This article does not apply to any of the following: (2) Any financial institutions and affiliates, or data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.)."

Analysis of Provisions

The ICDPA explicitly excludes financial institutions, their affiliates, and data subject to Title V of the Gramm-Leach-Bliley Act (GLBA) from its scope of application. This exclusion is significant as it carves out a substantial sector of the economy from the Act's requirements.

The provision uses broad language, stating that the Act does not apply to "any financial institutions and affiliates." This comprehensive wording suggests that all types of financial institutions, regardless of their size or specific nature, are exempt from the ICDPA's requirements.

Furthermore, the exclusion extends beyond just the institutions themselves to include "data subject to Title V of the federal Gramm-Leach-Bliley Act." This means that even if a non-financial entity processes financial data that falls under the GLBA's purview, such data processing would be exempt from the ICDPA's requirements.

Implications

This exclusion has several important implications for businesses:

1. Financial institutions operating in Indiana are not required to comply with the ICDPA, potentially reducing their regulatory burden.
2. Companies that process financial data subject to the GLBA do not need to apply ICDPA standards to that specific data, even if they are otherwise subject to the Act for other types of data processing.
3. Businesses that partner with or provide services to financial institutions need to be aware that while their own operations might be subject to the ICDPA, any data they handle that falls under the GLBA would be exempt.
4. The exclusion creates a dual regulatory regime where financial institutions and GLBA-covered data are regulated by federal law, while other businesses and types of personal data are subject to Indiana's state-level protections.
5. Companies operating across multiple sectors may need to implement different data protection practices for their financial services operations versus their other business activities.