Section 24-15-8-1 - [Effective 1/1/2026] Permissible activities by controllers and processors(a) This article shall not be construed to restrict a controller's or processor's ability to do any of the following: (1) Comply with federal, state, or local laws, rules, or regulations or, in the case of an owner of a riverboat licensed under IC 4-33-6, implement and operate a facial recognition program approved by the Indiana gaming commission.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by a federal, state, local, or other governmental authority.(3) Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations.(4) Investigate, establish, exercise, prepare for, or defend legal claims.(5) Provide a product or service specifically requested by a consumer, perform a contract to which the consumer, or a parent of a child, is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer or parent before entering into a contract.(6) Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another individual, if the processing cannot be manifestly based on another legal basis.(7) Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, investigate, report, or prosecute those responsible for any such action, and preserve the integrity or security of systems.(8) Engage in public or peer reviewed scientific or statistical research that is in the public interest and that adheres to all applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or a similar independent oversight entity, that determines if:(A) the information is likely to provide substantial benefits that do not exclusively accrue to the controller;(B) the expected benefits of the research outweigh the privacy risks; and(C) the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification.(9) Assist another controller, processor, or third party with any obligation described in this section.(b) Processing personal data for a purpose expressly identified in subsection (a)(1) through (a)(9) does not by itself make a person a controller with respect to such processing.Added by P.L. 94-2023,SEC. 1, eff. 1/1/2026.