The Indiana Consumer Data Protection Act: What You Need to Know

Indiana is now part of a growing list of states that extend data protection to its residents, all thanks to the Indiana Consumer Data Protection Act (INCDPA). Just like other states, they're making sure consumers have their rights protected while mandating guidelines to safeguard personal data. 

Indiana Governor Eric Holcomb signed the INCDPA into law on May 1, 2023, making it the seventh state to pass a comprehensive privacy law absent federal guidelines. The Indiana Consumer Data Protection Act mirrors laws in Colorado, Connecticut, and Virginia with slight variations. And with an effective date of January 1, 2026, you’ll have plenty of time to adapt to the Indiana privacy law’s requirements, provided you start looking at your practices early. 

Let's delve deeper into the Hoosier State's data privacy law.  

What Is the Indiana Consumer Data Protection Act? 

The Indiana privacy act defines controllers as entities that determine the purpose of processing personal data and the means by which it is collected. It also defines processors as any entity that processes data on behalf of a controller. The INCDPA requires processors to closely adhere to the controller's instructions. 

If you operate in Indiana or sell products and services targeted to residents of Indiana and do one of the following, you’ll need to comply with INCDPA: 

• Control or process the personal data of at least 100,000 Indiana residents, or 
• Control or process the personal data of a minimum of 25,000 Indiana residents while also generating over 50 percent of your gross revenue from personal data sales. 

Indiana's privacy law does not rely solely on a revenue threshold, unlike California's law. The INCDPA states that controllers must comply with the regulation even if their annual gross revenues don't reach a specific threshold, provided the data of a certain number of consumers is processed. 

INCDPA and Consumer Consent, Opt-Outs, and Security Exemptions 

Much like data privacy laws in Virginia, Colorado, and Connecticut, the Indiana privacy law does not require user consent to collect and process most information. There are exceptions under this "opt-out" model, including the requirement that consent must be obtained before collecting or processing sensitive personal information.  

Under the INCDPA, consumers must be given ample notice about the opt-out mechanism in the law. Indiana’s privacy law does not specifically require controllers or processors to recognize universal opt-out mechanisms, as do laws in Utah, Virginia, and Iowa. However, there are provisions that address exemptions for security, such as the Indiana riverboat casinos using facial recognition technology, which is outlined by the Indiana Gaming Commission. 

What Rights Does the INCDPA Grant Indiana Consumers? 

The Indiana Consumer Privacy Act grants Hoosiers several data protection rights that have become standard across privacy laws. Specifically, the INCDPA allows consumers to: 

• Correct inaccuracies in data they previously provided to the controller. 
• Opt out of their data being used for targeted advertising, sold, or used for specific profiling purposes. 

• Confirm whether a controller is processing their personal data and access that data. 
• Request the deletion of personal data collected or provided to a controller. 

Exemptions to the Indiana Privacy Law 

The INCDPA does not apply to every organization operating in Indiana, explicitly excluding: 

• Any state entity, agency, or local government organizations. 
• Third parties under contract with any state entity, agency, or local government organizations. 
• Financial institutions or affiliates already required to explain their information-sharing practices to customers under the Gramm-Leach-Bliley Act. 
• Entities subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). 
• Non-profit organizations, higher education institutions, or public utility entities. 

What Is Required of Controllers? 

Like federal and other state privacy laws, the INCDPA requires controllers to: 

• Collect personal data that is adequate, relevant, and reasonably necessary for the disclosed purposes of processing. 
• Implement appropriate data security measures based on the volume and nature of the personal data. 
• Comply with anti-discrimination laws when processing personal data. 
• Establish binding contracts with processors, detailing the nature and purpose of processing, instructions, and the rights and obligations of both parties. 
• Obtain consumer opt-in consent for processing sensitive data and handle sensitive data of known children in compliance with the Children's Online Privacy Protection Act (COPPA). 
• Provide clear and accessible privacy notices, disclosing data categories, processing purposes, consumer rights, data sharing with third parties, and opt-out options if personal data is sold or used for targeted advertising. 
• Conduct data protection impact assessments for specific data processing activities involving personal data. 

INCDPA Enforcement

The INCDPA provides controllers a 30-day period to resolve alleged violations. The attorney general (AG) has the authority to pursue injunctive relief and impose civil penalties of up to $7,500 per violation.  

However, before taking action, the AG must first give the controller or processor a 30-day notice to resolve the violation. During this 30-day period, the controller or processor must provide the AG with a written statement confirming the resolution of the violations and assuring that they will not recur. 

Data Protection Impact Assessment (DPIA) Requirements 

Like data privacy laws in California, Colorado, and Virginia, the INCDPA requires controllers to perform and document a comprehensive Data Protection Impact Assessment (DPIA) for specific activities: 

• Processing of personal data for targeted advertising. 
• Sale of personal data. 
• Personal data processing for profiling with foreseeable risks. 
• Processing of sensitive personal data. 
• Any personal data processing activity with a heightened risk of harm to consumers. 

The Indiana Data Privacy Law states that controllers may conduct a single PIA for more than one processing operation if the activities are similar. In addition, compliance assessments conducted for regulations may be used if they have a comparable scope and effect to an assessment. 

How to Comply With the INCDPA 

Like the Virginia law, Indiana's Data Privacy Act can be described as business-friendly. Legislators have provided controllers with an extended time to achieve compliance by developing formal policies and procedures for data collection and processing in Indiana.  

That’s good news for business owners, who have the luxury of time to get familiar with the law, conduct risk assessments, and establish a framework for promptly responding to consumers' requests.  

With the growing number of privacy laws taking effect, business owners — and especially those who operate across state lines — may want to consider a Data Privacy Platform like Osano, which can help manage opt-out requests, data subject rights requests, and more. 

FAQs About the Indiana Privacy Law 

When is the INCDPA effective date?  

The Indiana Consumer Privacy Act goes into effect on January 1, 2026, giving businesses more than two years from the time it was passed until its effective date to comply.  

Who must comply with the law?  

The INCDPA applies to businesses that operate in Indiana or sell products and services to Indiana residents and control or process the personal data of either up to 100,000 Indianians, or a minimum of 25,000 consumers in Indiana while also generating over 50% of their gross revenue from personal data sales.

How does the INCDPA define the sale of data?  

The INCDPA defines the sale of data strictly as the exchange of personal data for money by a controller to a third party, similar to the laws in Virginia, Utah, and Iowa. These laws differ from data privacy laws in California, Connecticut, and Colorado, which define the sale of personal data to include valuable consideration other than money. 

What rights does the INCDPA grant Indiana consumers?  

The Indiana Consumer Privacy Act grants the state’s residents the right to correct inaccuracies in data provided to the controller, the right to opt out of their data being used for targeted advertising, sold, or used for specific profiling purposes, the right to confirm whether a controller is processing their personal data and to access that data, and the right request the deletion of personal data collected or provided to a controller.

What entities and organizations are exempt from the Indiana Privacy Law? 

The INCDPA excludes any state entity, agency, or local government organizations; third parties under contract with any state entity, agency, or local government organizations; financial institutions or affiliates already required to explain their information-sharing practices to customers under the Gramm-Leach-Bliley Act; entities subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA); and non-profit organizations, higher education institutions, or public utility entities.

When must controllers conduct a comprehensive Data Protection Impact Assessment (DPIA) under the INCDPA?  

A Data Protection Impact Assessment (DPIA) is required under the Indiana Data Privacy Act when processing personal data for targeted advertising, for the sale of personal data, for personal data processing for profiling with foreseeable risks, for the processing of sensitive personal data, and for personal data processing activities with a heightened risk of harm to consumers.