The Indiana Consumer Data Protection Act (ICDPA), signed into law in 2023, represents a major step forward for privacy rights in the state. Often referred to simply as Indiana’s privacy law, it mirrors many provisions from other state privacy statutes, but also introduces its own nuances that businesses should understand.
With an effective date of January 1, 2026, organizations have some time to prepare but waiting is risky. Let’s explore what this law means, recent updates that affect compliance strategies, and how it compares to other states.
What Is the Indiana Consumer Data Protection Act?
The ICDPA governs how businesses collect, use, and share personal data belonging to Indiana residents. It applies to companies doing business in Indiana or targeting Indiana consumers if they:
- Control or process the personal data of at least 100,000 consumers annually, or
- Handle data for 25,000 consumers and derive over 50% of gross revenue from selling personal data.
The law does not apply to government entities, nonprofits, or data already covered by HIPAA, GLBA, or the Fair Credit Reporting Act. Publicly available and de-identified data is also out of scope.
For the full statutory text, see the Indiana General Assembly website.
When Does the Indiana CDPA Take Effect?
The Indiana Consumer Data Protection Act effective date is January 1, 2026. That gives organizations a buffer compared to states like Colorado or California, but implementing privacy frameworks particularly consent processes and data mapping takes time.
Who Must Comply and Why It Matters
The law places obligations on data controllers and processors, requiring them to manage consumer data responsibly and transparently. Unlike California’s CCPA, Indiana’s law does not provide for private lawsuits; enforcement falls solely to the Attorney General.
Businesses should also note that Indiana’s approach is more measured than some states: there is no universal opt-out signal requirement, and organizations retain flexibility in responding to access requests. But penalties for violations up to $7,500 per infraction mean compliance should be a top priority.
Core Consumer Rights Under the ICDPA
Indiana residents will have several new rights once the law takes effect, including:
- The right to know if their data is being processed and to access that information.
- The right to correct inaccuracies in data they provided.
- The right to request deletion of personal data.
- The right to obtain a portable copy of their personal data.
- The right to opt out of the sale of data, targeted advertising, and certain automated decision-making.
Businesses will need clear processes to handle these requests within 45 days, with an appeals mechanism for any denials.
Compliance Basics
Companies covered by the ICDPA must publish clear privacy notices, honor opt-out requests, and obtain explicit opt-in consent before processing sensitive data, which includes racial or ethnic origin, religious beliefs, health information, precise geolocation, biometric identifiers, and data about children.
Organizations will also need to conduct Data Protection Impact Assessments (DPIAs) for high-risk activities such as profiling or selling personal data. For a practical breakdown, see this Osano summary.
Recent Updates Businesses Should Know
While Indiana does not plan additional regulatory rulemaking, several clarifications and implementation details have emerged:
- No Rulemaking Process: Unlike states such as Colorado, Indiana does not anticipate issuing formal regulations beyond the statute itself (National Law Review).
- Timing for DPIAs: Required starting after December 31, 2025, in preparation for the law’s effective date (Cookiebot).
- Access Requests Can Be Summarized: Controllers may provide a summary of data rather than a full export.
- Scope of Rights Clarified: Correction applies only to consumer-supplied data; profiling opt-outs apply only to fully automated decisions.
- Cure Period Stays Permanent: Businesses retain a 30-day cure window after violations,unlike Colorado, which sunsetted this feature.
Curious how Indiana stacks up against other states? Dive into this expert take on what businesses should watch out for.
How Indiana’s Law Compares
Indiana’s approach is often seen as business-friendly compared to California or Colorado. There’s no obligation to recognize browser-based global opt-out signals, and sensitive data definitions remain narrower than in California’s CPRA. However, the law borrows heavily from Virginia’s model, so companies compliant with Virginia’s CDPA may find alignment easier here.
FAQ
Who is covered by the Indiana Consumer Data Protection Act?
Businesses operating in Indiana or targeting Indiana residents that meet data thresholds.
How can consumers exercise their rights?
By submitting requests through the methods businesses provide usually via an online portal or email. Responses are required within 45 days.
What are the penalties for noncompliance?
Up to $7,500 per violation, enforced by the Attorney General.
How does Indiana’s law differ from others?
It has a longer compliance runway, does not require universal opt-out signals, and retains an indefinite cure period.
When does the law take effect?
January 1, 2026.
Final Thoughts
The Indiana Consumer Data Protection Act is part of the growing patchwork of U.S. state privacy laws. While its measured approach may seem less daunting than California’s, businesses should not underestimate the operational effort required. Preparing nowby mapping data, updating policies, and planning for DPIAs will make compliance manageable before enforcement begins.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. For tailored guidance, consult a qualified attorney.
