Indiana Consumer Data Protection Act

The Indiana Consumer Data Protection Act (often abbreviated as ICDPA or Indiana CDPA) stands out as one of the key pieces in the wave of new state comprehensive privacy laws effective January 2026. Signed into law back in 2023, this legislation officially kicked in on January 1, 2026, giving Indiana residents stronger tools to manage their personal data while setting clear rules for businesses handling that information.

Have you ever felt like your online life is an open book for companies? The Indiana Consumer Data Protection Act changes that dynamic for Hoosiers by putting control back in your hands. In this in-depth guide, we’ll break down everything you need to know about the ICDPA—its scope, consumer rights, business responsibilities, and why it fits perfectly into the broader shift seen in new state comprehensive privacy laws effective January 2026.

What Is the Indiana Consumer Data Protection Act?

The Indiana Consumer Data Protection Act is Indiana’s first comprehensive consumer privacy law. Enacted as Senate Bill 5 and signed by the governor on May 1, 2023, it draws heavy inspiration from the Virginia Consumer Data Protection Act, making it relatively business-friendly compared to stricter frameworks like California’s.

Unlike patchwork sector-specific rules, the ICDPA creates a broad framework covering how for-profit entities collect, use, share, and sell personal data of Indiana residents acting in personal, family, or household contexts (in other words, everyday consumers—not employees or B2B scenarios).

What makes it part of the new state comprehensive privacy laws effective January 2026? It activated alongside similar laws in Kentucky and Rhode Island, expanding the U.S. privacy patchwork to over 20 states with active comprehensive regimes. No federal law exists yet, so states like Indiana are filling the void with consumer-focused protections.

Who Does the Indiana Consumer Data Protection Act Apply To?

Not every business needs to worry about the ICDPA. It targets larger players with significant Indiana footprints. Specifically, it applies to any person or entity (controller) that:

• Conducts business in Indiana or produces products/services targeted to Indiana residents, and
• In a calendar year:
• Controls or processes personal data of at least 100,000 Indiana consumers, or
• Controls or processes personal data of at least 25,000 Indiana consumers and derives more than 50% of gross revenue from selling personal data.

These thresholds mirror many new state comprehensive privacy laws effective January 2026, striking a balance—big tech and data brokers are clearly in scope, while small local shops usually aren’t.

Exemptions exist for nonprofits, government entities, certain financial institutions under federal laws (like GLBA), HIPAA-covered health data, and more. De-identified, pseudonymous, and publicly available data also fall outside the definition of “personal data.”

Key Consumer Rights Under the Indiana Consumer Data Protection Act

The heart of the Indiana Consumer Data Protection Act lies in empowering residents with actionable rights. These align closely with rights in other new state comprehensive privacy laws effective January 2026:

• Right to Confirm and Access — Know if a business is processing your data and get a copy (or summary) of what you’ve provided.
• Right to Correct — Fix inaccuracies in data you previously shared.
• Right to Delete — Request removal of your personal data (with some exceptions, like legal obligations).
• Right to Portability — Receive your data in a portable, readily usable format to transfer elsewhere.
• Right to Opt Out — Stop targeted advertising, data sales, or profiling that produces legal or significant effects.

Sensitive data (health, biometrics, precise geolocation, race/ethnicity, religious beliefs, sexual orientation, citizenship/immigration status, and all children’s data) requires explicit opt-in consent before processing— a strong safeguard.

Controllers must respond to verified requests within 45 days (extendable once by another 45 days if needed) and provide a free appeal process if they deny a request.

Business Obligations and Compliance Requirements

If you’re a business falling under the Indiana Consumer Data Protection Act, compliance isn’t optional. Key duties include:

• Privacy Notices — Publish clear, accessible notices detailing data categories collected, purposes, shared categories/third parties, and how to exercise rights.
• Data Minimization & Purpose Limitation — Collect only what’s reasonably necessary and use it only for disclosed purposes (or with consent).
• Data Security — Implement reasonable technical and organizational measures.
• Data Protection Assessments — Conduct assessments for high-risk activities like targeted ads, sales, profiling, or sensitive data processing.
• Contracts with Processors — Binding agreements ensuring service providers follow the same rules.
• No Discrimination — Don’t penalize consumers for exercising rights (though some loyalty program exceptions apply).

One standout feature? A permanent 30-day cure period for violations—businesses get notice and time to fix issues before penalties. This is rarer among new state comprehensive privacy laws effective January 2026 and gives companies breathing room.

The Indiana Attorney General enforces exclusively (no private lawsuits), with civil penalties up to $7,500 per violation after the cure window closes.

To help everyone understand, the AG released a plain-language Consumer Data Bill of Rights before the effective date—great for both consumers and compliance teams.

How the Indiana Consumer Data Protection Act Fits Into New State Comprehensive Privacy Laws Effective January 2026

The ICDPA launched on the same day as Kentucky’s and Rhode Island’s laws, marking a clear 2026 milestone in state privacy momentum. While Rhode Island has lower thresholds (broader reach), Indiana sticks to the higher, Virginia-style model—fewer covered entities but straightforward obligations.

Together, these new state comprehensive privacy laws effective January 2026 push companies toward scalable compliance: universal opt-out tools (like Global Privacy Control), centralized request systems, and privacy-by-design thinking.

For multi-state operations, aligning with ICDPA often covers much of the ground needed for similar laws.

Practical Tips for Consumers and Businesses

Consumers in Indiana: Check company privacy notices, submit requests via provided channels (many use online portals), and remember you can opt out of creepy targeted ads with one click under the law.

Businesses: Map your Indiana data flows now, update notices, build request-handling workflows, train teams, and consider tools that handle multiple state laws at once. The cure period helps, but proactive fixes build trust.

Conclusion

The Indiana Consumer Data Protection Act delivers meaningful privacy gains for Hoosiers while offering businesses a predictable, cure-friendly path forward. As part of the new state comprehensive privacy laws effective January 2026, it signals that consumer data rights are here to stay—no longer a California-only conversation.

Whether you’re protecting your own info or running a company, understanding the ICDPA puts you ahead. Review your data practices today; small changes now prevent headaches later.

For more details, check these high-authority sources:

• Indiana Attorney General’s Consumer Bill of Rights
• IAPP Overview of Indiana Privacy Law
• Indiana General Assembly Statute Text

FAQs