Indiana Consumer Data Protection Act (INCDPA): A Simple Guide for Your Business 

Indiana’s Consumer Data Protection Act (INCDPA), enacted through Senate Bill No. 5 and taking effect on January 1, 2026, gives Indiana residents more control over their personal information and requires businesses to handle personal data carefully and transparently.

What Is the Indiana Consumer Data Protection Law? 

Indiana’s Consumer Data Protection Law is a comprehensive data privacy law passed in 2023 to protect the personal data of Indiana residents. It establishes rules for businesses on how they can collect, use, and share “personal data” about consumers. The law goes into effect on January 1, 2026, giving businesses a transition period to get ready. After that date, businesses that fall under the law must comply with its requirements or potentially face penalties. 

Who Must Comply? 

INCDPA applies to companies that conduct business in Indiana or target products/services to Indiana residents, provided they handle substantial volumes of personal data. The law applies if a business, during a calendar year, either: 

  • Controls or processes personal data of ≥100,000 Indiana consumers, or 
  • Controls or processes personal data of ≥25,000 Indiana consumers and derives over 50% of its gross revenue from the sale of personal data. 

Exemptions under INCDPA 

Exempted Entities 

The INCDPA does not apply to the following entities: 

  • Indiana state and local government bodies, and third parties acting on their behalf (within the scope of contract) 
  • Nonprofit organizations 
  • Higher education institutions (public and private) 
  • Public utilities and affiliated service companies 
  • Financial institutions and their affiliates subject to the Gramm-Leach-Bliley Act (GLBA) 
  • HIPAA-covered entities and their business associates 
  • Licensed riverboat casinos using Indiana Gaming Commission–approved facial recognition programs 

Exempted Data 

The law excludes the following types of data from its scope: 

  • De‑identified, aggregated, or publicly available information 
  • Health data under HIPAA, HCQIA, PSQIA, and data used for public‑health purposes 
  • Financial data regulated by GLBA 
  • Data covered by the following U.S. federal laws: 
      • Fair Credit Reporting Act (FCRA) 
      • Family Educational Rights and Privacy Act (FERPA) 
      • Driver’s Privacy Protection Act (DPPA) 
      • Farm Credit Act 
  • Human‑subject and peer‑reviewed scientific/statistical research data 
  • Employment or commercial‑context data (i.e., data about individuals acting as employees or as representatives of business entities) 

Consumer Rights Under the Law 

The law gives consumers specific rights over their personal data. Here are the five main rights: 

  1. Right to Know and Access: Consumers can confirm whether a business is processing their personal data and obtain access to that data. 
  2. Right to Correct: Consumers have the right to correct inaccuracies in the personal data you hold about them, but only for data they previously provided to you. 
  3. Right to Delete: Consumers can request the deletion of personal data they provided to you. 
  4. Right to Data Portability: Consumers have the right to obtain a copy of their personal data in a portable format. “Portable” means a common, machine-readable format that they can take to another service. 
  5. Right to Opt-Out of Certain Processing: Consumers can opt out of the processing of their personal data for specific purposes. Those purposes are: 
      • Targeted Advertising: If your business uses someone’s data to serve them targeted ads, they can opt out of that. 
      • Sale of Personal Data: If you sell personal data to third parties, consumers can opt out of having their data sold. 
      • Profiling in furtherance of decisions that produce legal or similarly significant effects: This refers to automated processing that can affect someone significantly, for example automated decisions about eligibility for credit, insurance, housing, employment, or other essential services. If your business uses algorithms to make such influential decisions about people, consumers have the right to opt out of that profiling. 

How quickly must businesses respond?  

The law gives businesses 45 days to respond to a consumer’s request regarding their rights. This clock starts once you receive the request. If necessary, you may take an additional 45 days (so up to 90 days total) to respond, but only if it’s reasonably necessary, and you inform the consumer of the extension within the initial 45-day window. 

Appeal Process for Denied Requests 

If a controller (business) denies a consumer’s request to exercise a right, it must inform the consumer within 45 days of receiving the request, state the reason for the denial, and provide instructions on how to appeal the decision. 

Once an appeal is submitted, the controller must respond within 60 days with a written explanation of its decision and, if the appeal is denied, an online mechanism or other method through which the consumer can submit a complaint to the Indiana Attorney General. 

Business Obligations and Compliance Requirements 

To comply with Indiana’s Consumer Data Protection Law, businesses need to follow a set of responsibilities. The major obligations are: 

Transparency and Privacy Notices 

The law requires businesses to be transparent about their data practices by providing a clear privacy notice/policy to consumers. According to the law, your privacy policy needs to include certain information: 

  • Categories of personal data you process 
  • Purposes for processing 
  • Consumer rights and how to exercise them 
  • Categories of personal data you share with third parties  
  • Categories of third parties with whom you share data  
  • Use of data for advertising or sales 

The law wants consumers to understand what data you collect, what you do with it, and with whom you share it. Make sure your privacy notice is up to date and easy to understand. 

Data Collection and Use Limitations (Data Minimization and Purpose Limitations) 

The law says you should only collect personal data that is reasonably necessary for your stated purposes and not use it in incompatible ways. This is often called data minimization and purpose specification: 

  • Data Minimization: Don’t collect more information than you need. The law obligates controllers to limit data collection to what is adequate, relevant, and reasonably necessary in relation to the purposes you’ve disclosed. 
  • Purpose Limitation: Only use personal data for the purposes you told the consumer about (or other purposes allowed by the law). If you want to use data for a new purpose that was not originally disclosed, you need to get the consumer’s consent. 

Consent for Sensitive Data 

“Sensitive data” (such as health information or precise geolocation) is a special category of personal data. The law requires that businesses obtain an individual’s affirmative consent before processing their sensitive personal data. 

Data Security Practices 

The law mandates that businesses implement reasonable security measures to protect personal data. You should take appropriate steps to safeguard the information you hold from unauthorized access, theft, or abuse. The standard the law gives is “reasonable administrative, technical, and physical data security practices” appropriate to the volume and nature of the personal data. 

No Discrimination 

Under Indiana’s law, a business cannot discriminate against a consumer for exercising their rights. This means you should not deny goods or services, charge different prices, or provide a different level of quality just because someone opted out of data processing or asked you to delete their data, etc. 

Contracts with Data Processors 

If your business uses third-party service providers to handle personal data (for example, a cloud database provider, an email service, a payment processor, etc.), the law requires that you have appropriate contracts in place with those “processors.” As a controller, you need to bind processors to certain duties: 

  • The processor must only act on your documented instructions regarding the data. 
  • They should assist you in meeting obligations like responding to consumer requests and implementing security measures. 
  • If the processor experiences a data breach or incident, they should inform you because you (the controller) have obligations to secure data. 
  • The contract should also require the processor to delete or return personal data once the service is completed (i.e., when the contract ends), unless retention is required by law. 
  • The processor should ensure that each person processing the data is under a confidentiality obligation. 
  • If the processor hires sub-processors (subcontractors), they must have similar contractual obligations to protect the data. 

Data Protection Assessments 

The law provides that businesses must conduct Data Protection Impact Assessments (DPIAs) for certain high-risk activities. INCDPA explicitly requires an assessment if you engage in: 

  • Targeted Advertising Processing: If you’re using personal data for targeted ads, assess the benefits vs. the risks to consumer privacy. 
  • Selling Personal Data: If you sell data, analyze how that sale might impact consumers and what safeguards you have. 
  • Profiling with legal/significant effects: If you do automated profiling that could significantly affect consumers, evaluate the fairness and potential harm. 
  • Processing Sensitive Data: Any use of sensitive personal data should undergo an assessment. 

Enforcement and Penalties 

It’s essential to know how this law will be enforced and what could happen if a business doesn’t comply: 

  • Enforcement by Attorney General: The Indiana Attorney General’s office is in charge of enforcing this law. There is no private right of action, which means individual consumers cannot directly sue your business under this law for violations. Only the Attorney General can take legal action for non-compliance. However, consumers can file complaints to the Attorney General if they believe their rights were violated, and the AG can investigate those. 
  • Notice and Cure Period: If the Attorney General believes your business is violating the law, the AG must first send you a notice, and you have 30 days to cure the violation. This 30-day cure period is a chance to avoid penalties by correcting the problem quickly. 
  • Penalties: If you fail to cure the violation after 30 days, or if the issue is unresolved, the Attorney General can pursue enforcement. The law allows for civil penalties of up to $7,500 per violation. In addition to fines, the Attorney General can seek an injunction – a court order to stop the violating behavior. The AG can also require you to pay for the costs of the investigation and case preparation. 

Practical Tips for Preparing and Complying 

With an effective date of January 1, 2026, businesses have some time to get ready. Here are some practical steps and tips for compliance: 

  1. Assess Whether the Law Applies to You. 
  2. Conduct a Data Inventory or Audit. 
  3. Review and Update Your Privacy Policy. 
  4. Implement Mechanisms for Consumer Rights Requests. 
  5. Train Your Team. 
  6. Examine Your Data Collection Practices. 
  7. Boost Your Security Measures. 
  8. Update Contracts with Third Parties. 
  9. Plan for Data Protection Assessments. 

These steps can help you create a clear and manageable strategy to comply with INCDPA. 

Conclusion