Indiana is now part of a growing list of states that extend data protection to its residents, all thanks to the Indiana Consumer Data Protection Act (INCDPA). Just like other states, they're making sure consumers have their rights protected while mandating guidelines to safeguard personal data.
Indiana Governor Eric Holcomb signed the INCDPA into law on May 1, 2023, making it the seventh state to pass a comprehensive privacy law absent federal guidelines. The Indiana Consumer Data Protection Act mirrors laws in Colorado, Connecticut, and Virginia with slight variations. And with an effective date of January 1, 2026, you’ll have plenty of time to adapt to the Indiana privacy law’s requirements, provided you start looking at your practices early.
Let's delve deeper into the Hoosier State's data privacy law.
The Indiana privacy act defines controllers as entities that determine the purpose of processing personal data and the means by which it is collected. It also defines processors as any entity that processes data on behalf of a controller. The INCDPA requires processors to closely adhere to the controller's instructions.
If you operate in Indiana or sell products and services targeted to residents of Indiana and do one of the following, you’ll need to comply with INCDPA:
Indiana's privacy law does not rely solely on a revenue threshold, unlike California's law. The INCDPA states that controllers must comply with the regulation even if their annual gross revenues don't reach a specific threshold, provided the data of a certain number of consumers is processed.
Much like data privacy laws in Virginia, Colorado, and Connecticut, the Indiana privacy law does not require user consent to collect and process most information. There are exceptions under this "opt-out" model, including the requirement that consent must be obtained before collecting or processing sensitive personal information.
Under the INCDPA, consumers must be given ample notice about the opt-out mechanism in the law. Indiana’s privacy law does not specifically require controllers or processors to recognize universal opt-out mechanisms, as do laws in Utah, Virginia, and Iowa. However, there are provisions that address exemptions for security, such as the Indiana riverboat casinos using facial recognition technology, which is outlined by the Indiana Gaming Commission.
The Indiana Consumer Privacy Act grants Hoosiers several data protection rights that have become standard across privacy laws. Specifically, the INCDPA allows consumers to:
The INCDPA does not apply to every organization operating in Indiana, explicitly excluding:
Like federal and other state privacy laws, the INCDPA requires controllers to:
The INCDPA provides controllers a 30-day period to resolve alleged violations. The attorney general (AG) has the authority to pursue injunctive relief and impose civil penalties of up to $7,500 per violation.
However, before taking action, the AG must first give the controller or processor a 30-day notice to resolve the violation. During this 30-day period, the controller or processor must provide the AG with a written statement confirming the resolution of the violations and assuring that they will not recur.
Like data privacy laws in California, Colorado, and Virginia, the INCDPA requires controllers to perform and document a comprehensive Data Protection Impact Assessment (DPIA) for specific activities:
The Indiana Data Privacy Law states that controllers may conduct a single PIA for more than one processing operation if the activities are similar. In addition, compliance assessments conducted for regulations may be used if they have a comparable scope and effect to an assessment.
Like the Virginia law, Indiana's Data Privacy Act can be described as business-friendly. Legislators have provided controllers with an extended time to achieve compliance by developing formal policies and procedures for data collection and processing in Indiana.
That’s good news for business owners, who have the luxury of time to get familiar with the law, conduct risk assessments, and establish a framework for promptly responding to consumers' requests.
With the growing number of privacy laws taking effect, business owners — and especially those who operate across state lines — may want to consider a Data Privacy Platform like Osano, which can help manage opt-out requests, data subject rights requests, and more.
The Indiana Consumer Privacy Act goes into effect on January 1, 2026, giving businesses more than two years from the time it was passed until its effective date to comply.
The INCDPA applies to businesses that operate in Indiana or sell products and services to Indiana residents and control or process the personal data of either up to 100,000 Indianians, or a minimum of 25,000 consumers in Indiana while also generating over 50% of their gross revenue from personal data sales.
The INCDPA defines the sale of data strictly as the exchange of personal data for money by a controller to a third party, similar to the laws in Virginia, Utah, and Iowa. These laws differ from data privacy laws in California, Connecticut, and Colorado, which define the sale of personal data to include valuable consideration other than money.
The Indiana Consumer Privacy Act grants the state’s residents the right to correct inaccuracies in data provided to the controller, the right to opt out of their data being used for targeted advertising, sold, or used for specific profiling purposes, the right to confirm whether a controller is processing their personal data and to access that data, and the right request the deletion of personal data collected or provided to a controller.
The INCDPA excludes any state entity, agency, or local government organizations; third parties under contract with any state entity, agency, or local government organizations; financial institutions or affiliates already required to explain their information-sharing practices to customers under the Gramm-Leach-Bliley Act; entities subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA); and non-profit organizations, higher education institutions, or public utility entities.
A Data Protection Impact Assessment (DPIA) is required under the Indiana Data Privacy Act when processing personal data for targeted advertising, for the sale of personal data, for personal data processing for profiling with foreseeable risks, for the processing of sensitive personal data, and for personal data processing activities with a heightened risk of harm to consumers.