Indiana Consumer Protection Act (Indiana CDPA): An Overview

Indiana was the seventh state in the US to pass a consumer privacy bill, with an effective date of July 1, 2026. As of May 1, 2023, when the law was passed, organizations have two and a half years to prepare for Indiana CDPA compliance.

Six laws have been passed in the United States between March and June 2023: Iowa, Indiana, Tennessee, Montana, Florida, and Texas. Indiana’s data privacy law is quite similar to the Virginia Consumer Data Privacy Act (VCDPA), and also comparable to the Connecticut Data Privacy Act (CTDPA) and Colorado Privacy Act (CPA) with regards to consumers’ rights and organizations’ responsibilities.

The Indiana Consumer Data Protection Act (Indiana CDPA), from Senate Bill 5, protects the privacy and personal information rights of Indiana’s 6.8 million residents, and establishes data privacy responsibilities for companies doing business in the state or providing goods or services targeting Indiana residents.

In the course of doing business these organizations process consumers’ personal information. Like other states with data privacy laws, Indiana defines a consumer as a resident of the state and “acting only for a personal, family, or household purpose” and not in a “commercial or employment context”.

The Indiana CDPA uses an opt-out model, as do the laws in all the other states that have passed comprehensive data privacy regulations to date. This means that businesses that are required to become Indiana CDPA-compliant must inform consumers about data collection and processing that they perform, i.e. what data, for what purposes, third parties with whom the data will be shared, etc. Businesses must give consumers a way to opt out of data collection and processing for certain purposes. They and any third parties they engage for data processing must also implement reasonable security and protections.

Personal data

The Indiana CDPA uses a fairly standard definition of personal data (also called personal information in some other laws or personally identifiable information): “information that is linked or reasonably linkable to an identified or identifiable individual”. It explicitly excludes de-identified data, aggregate data, or publicly available information.

The Act does not specifically list types of identifiable information, as some other state-level data privacy laws do, but common types include name, account/username, IP address, email address, Social Security Number, driver’s license number, or passport number.

Consent

The European Union’s General Data Protection Regulation (GDPR) set the standard for defining consent, which has been followed by many regulations passed since, including Indiana’s.

Under the Indiana CDPA, consent is defined as: “a clear affirmative act that signals a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.”

“Clear affirmative act” is further clarified as, “includes a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.”

That second part is relevant for the use of a consent management platform to collect and store user consent data for use of cookies and other online tracking technologies on websites, apps and connected media devices.

It is notable that Indiana’s law does not include any requirement for consumers to have a means to revoke their consent. The data privacy laws in California, Colorado, and Connecticut do provide this.

Sensitive data / sensitive personal data

This covers more specific categories of personal data, which present a greater risk of harm if misused, including any of:

• personal data revealing racial or ethnic origin
• religious beliefs
• a mental or physical health diagnosis made by a healthcare provider
• sexual orientation
• citizenship or immigration status
• genetic or biometric data that is processed for the purpose of uniquely identifying a specific individual
• personal data collected from a known child (under 13 years of age)
• precise geolocation data (within 1,750 feet or 533.4 meters)

It is fairly common among the US state-level data privacy laws for them to defer to the federal Children’s Online Privacy Protection Act (COPPA) with regards to consent requirements and handling of children’s data, and for any data of a known child (13 years of age is typical) to be categorized as sensitive by default.

Controller

Businesses that collect and process personal information will likely qualify as controllers, which the Indiana CDPA defines as “a person that, alone or jointly with others, determines the purpose and means of processing personal data.” In this case “person” could also be a company or other organization that is required to comply with the law.

Processor

For businesses that share personal information for processing purposes, the business will be the controller and the third-party entity will be the processor, defined in the Indiana privacy act as “a person that processes personal data on behalf of a controller”.

Sale

This is defined as the “the exchange of personal data for monetary consideration by a controller to a third party.” Explicitly not included in the definition is:

• disclosure of personal data to a processor that processes the personal data on behalf of the controller
• disclosure of personal data to a third party for purposes of providing a product or service requested by:
  • the consumer
  • the parent of a child to whom the personal data pertains
• disclosure or transfer of personal data to an affiliate of the controller
• disclosure of information that the consumer:
  • intentionally made available to the general public via a channel of mass media, and
  • did not restrict to a specific audience
• disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets

Targeted advertising

Refers to display of “an advertisement to a consumer in which the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.”

The definition does not include:

• advertisements based on activities within a controller’s own or affiliated websites or online applications
• advertisements based on the context of a consumer’s current search query, visit to a website, or online application
• advertisements directed to a consumer in response to the consumer’s request for information or feedback
• the processing of personal data solely for measuring or reporting advertising performance, reach, or frequency

The Indiana CDPA applies to organizations conducting business in Indiana, and any business that offers products or services targeted to Indiana residents. The organization itself does not have to be based in the state. Indiana CDPA compliance has two primary threshold criteria for organizations (“controllers” under the law):

• control or process the personal information of at least 100,000 Indiana residents during a calendar year,

or

• control or process the personal information of at least 25,000 Indiana consumers during a calendar year, and derive more than 50% of their gross revenue from the sale of personal information

Unlike some states, e.g. California with the CCPA and CPRA, Indiana’s privacy law does not also include a revenue threshold alone. Which means companies that otherwise would be required to comply with the regulation if their annual gross revenues exceeded a certain dollar amount (US $25 million in some other laws), even if they did not meet the threshold of the number of consumers’ whose data was processed.

Without this threshold, businesses of any size/value that meet the Indiana privacy law’s personal information or personal information plus revenue percentage thresholds must become compliant with Indiana’s CDPA.

The exemptions in the Indiana data privacy act are fairly consistent with the other existing US data privacy laws, deferring mainly to existing federal laws, including:

• Health Insurance Portability and Accountability Act (HIPAA)
• Health Care Quality Improvement Act
• Patient Safety and Quality Improvement Act
• Fair Credit Reporting Act (FCRA)
• Children’s Online Privacy Protection Act (COPPA)
• Family Educational Rights and Privacy Act (FERPA)
• Driver’s Privacy Protection Act
• Farm Credit Act (FCA)

Other exemptions include HR data, health records, research data for human subjects that are covered by other federal laws or standards, and data that is processed or maintained for employment-related purposes.

Exempted institutions include:

• state government entities
• public utilities
• financial institutions (also entities and affiliates subject to the Gramm-Leach-Bliley Act)
• insurance companies
• institutions of higher education
• nonprofit organizations

Exclusions to the Indiana law’s definition of “consumer” also include individuals acting in a commercial (business) or employment context.

Consumers have several main personal information rights under the new data protection law.

• Right to access: confirmation if the controller is processing the consumer’s personal information and access to that data, with some exceptions
• Right to correction: any inaccurate or outdated information the controller has that was provided by the consumer
• Right to portability: obtain a copy of the consumer’s personal information that the consumer previously provided to the controller, in a readily usable format, with some exceptions
• Right to delete: any personal information the controller has that was provided by the consumer (with some exceptions)
• Right to disclosure: any categories of information about the consumer that have been sold
• Right to opt out: of sale of personal information, targeted advertising, or profiling, and partial right not to be subject to fully automated decision-making
• Right to opt in: for consumers or parents of children, consent must be obtained before collecting or processing personal data categorized as sensitive
• Right to not be discriminated against: controllers cannot unlawfully discriminate against consumers, including for exercising their rights

Parents or guardians can exercise these rights on behalf of children. Personal data of children under age 13 is categorized as sensitive by default. Like all other state-level data privacy laws in the US except California, the Indiana CDPA does not include a private right of action, which would enable consumers to sue a controller in the event of a violation.

Controllers must practice transparency and provide consumers with an “accessible, clear and meaningful” privacy notice. The notice should include:

• categories of personal data processed
• purpose for processing personal data
• categories of personal data the controller shares with third parties, if any
• categories of third parties the controller shares consumers’ personal data with, if any
• an explanation of how consumers may exercise their rights
• disclosure of the controller’s use or sale of personal data to third parties for targeted advertising, if applicable
• a method to opt out of targeted advertising data use or sale

To exercise their rights, consumers must submit a verifiable request to the controller (company). After a consumer request is received, the controller has 45 days to respond. There are some limited reasons that they can decline, including if the consumer’s identity cannot be reasonably verified. The consumer can appeal such a decision, and the controller has 45 days to respond to the appeal.

If there are extenuating circumstances preventing a controller from fulfilling a consumer request, once the consumer has been notified, that response period can be extended by 45 days if reasonably necessary.

Purpose limitation

Controllers can process personal information for the purpose(s) that they have communicated, as long as the processing is “adequate, relevant, and reasonably necessary” and proportional to those purposes.

Data security

Controllers must protect personal information by establishing, implementing and maintaining reasonable administrative, technical, and physical security measures. These measures should be appropriate to the nature and volume of personal information being processed.

Controllers must conduct and document data protection assessments when they:

• process personal data for targeted advertising purposes
• sell personal data
• process personal data for profiling purposes if that profiling creates a foreseeable risk of unfair or deceptive treatment or impact on consumers
• process sensitive data
• process any personal data in a way that heightens the risk of harm to consumers

These assessments apply to processing activities occurring after December 1, 2025, which is seven months before the law’s effective date of July 1, 2026.

Consent requirements

Like other US states that have passed privacy laws, Indiana uses an opt-out model, so user consent is not required before collecting and processing information in many cases. The exception is that consent must be obtained before collecting or processing sensitive personal information. Consumers must be given clear notice about processing and be able to opt out of sale, targeted advertising, or profiling.

Where children are concerned, like a number of other states, the Indiana CDPA follows the federal Children’s Online Privacy Protection Act (COPPA). Consent from any known child’s parent or guardian must be obtained before processing of any personal information of any user known to be under 13 years of age. This would include all children’s personal information, as under Indiana’s data privacy regulation data of children under 13 is classified as sensitive by default.

Nondiscrimination

Controllers are prohibited from unlawful discrimination against consumers, and from processing personal information if doing so is in violation of state or federal laws governing discrimination. Additionally, controllers cannot discriminate against consumers for exercising their rights. For example, a consumer cannot be blocked from accessing a website if they opt out of allowing personal information collection.

However, there are often website features or functions that will not work without certain cookies being active, so if a consumer does not opt in to their use because they collect personal information, the site may not work optimally. This is not discriminatory.

Controllers can offer voluntary incentives like discounts for consumers’ voluntary participation in operations like an organization’s loyalty program or signing up for a newsletter, where these operations collect and process personal data. Such offers have to be reasonable, as data protection authorities tend to frown on disproportionate incentives as they start to look like bribes.

Transparency

Controllers must provide consumers with clear and accessible information about data processing. Commonly this appears on the company’s website in a privacy notice or policy. Under the Indiana CDPA, this information must include:

• categories of personal information processed by the controller
• purpose(s) for processing personal information
• how consumers may exercise their rights and/or appeal a controller’s decision (e.g. if a request for access is denied)
• categories of personal information that the controller sells to third parties, if any
• categories of third parties to whom the controller sells personal information, if any
• notice about the right to opt out of the sale of personal information to third parties, targeted advertising, or profiling for decisions that produce legal or similarly significant effects to the consumer

Third party data processing contracts

Controllers must have contracts in place with third-party processors (vendors and other service providers) with clear information about:

• instructions for processing personal data
• nature and purpose of the processing
• type of data subject to processing
• duration of processing
• rights and obligations of both parties

Third-party data processors are also expected to assist controllers in meeting duties related to security, transparency, retention, deletion, assessment, and reporting. The Indiana Attorney General can request a DPIA from a controller for the purposes of a civil investigation.

Universal opt-out signal

Like with the Virginia Consumer Data Protection Act (VCDPA), Iowa Consumer Data Protection Act (ICDPA), and Utah Consumer Privacy Act (UCPA), the Indiana Consumer Data Protection Act does not make any specific reference to the Global Privacy Control (GPC) “universal opt-out” or similar mechanism.

California’s laws do reference this signal, which is intended to standardize user consent online. Using it enables consumers to create a single set of their own personal data privacy consent preferences. These settings can then be communicated to all websites or apps that consumers visit, so users don’t have to set new preferences on every site. Use of this mechanism also helps ensure compliance with consumer privacy laws relevant to each user.

In Indiana, the Attorney General has enforcement authority for the Indiana CDPA. As noted, the law does not provide consumers with private right of action, but they can report alleged violations or complaints about denial of requests to the Attorney General’s office.

The Attorney General’s office can also issue a civil investigative demand for suspected violations of the Act if there is reasonable belief that a violation has occurred. The Attorney General must provide parties that have violations alleged against them with written notice that lists the violations.

There is a 30-day cure period during which organizations can fix the issues and take steps to prevent recurrence of violation. They must also provide a written statement that any violations have been cured and no further ones will occur. Cure periods in other state-level data privacy laws range from 30 to 90 days, and in Indiana the right to cure does not sunset.

If the controller or any of their data processors are still in violation after the cure period, or after submitting their statement, the Attorney General can commence enforcement proceedings by issuing an injunction and/or seeking civil penalties.

A controller or processor found to be in violation of Indiana’s data privacy regulation is subject to a fine of up to US $7,500 per violation, which is the same as California’s maximum fine under the California Privacy Rights Act (CPRA). They can also recover reasonable expenses, like attorney’s fees.

Indiana’s consumer privacy law reflects the opt-out model, as do all other current US state-level data privacy laws. Under this model, controllers do not have to obtain user/data subject consent prior to collecting or processing personal data. Only collection and use of sensitive personal data, including that of children, needs prior consent.

Consumers have to be provided with information about and the option of opting out of collection and processing of their personal information for sale, targeted advertising, or profiling at any point. Information about that must be provided on the website, typically under the privacy notice/policy page.

These requirements continue to evolve, as state-level privacy laws passed earlier did not necessarily include these provisions, particularly re. targeted advertising or profiling. Addressing automated decision-making is becoming more common as well, and is likely to continue to garner attention and discussion as machine learning and generative AI tools grow in popularity.

The mechanism to enable users to opt out of data processing can be presented in a banner and displayed, most commonly as a link or button, reflecting the requirements in the law’s definition of consent: “a statement written by electronic means, or any other unambiguous affirmative action.”

Usercentrics’ Consent Management Platform (CMP) also helps to automate detection of the cookies and other tracking technologies in use on websites and apps. Use of a CMP streamlines collecting and providing the information to users about categories of data and specific services in use by the controller and/or processor(s), and third parties with whom data is shared. Indiana’s privacy law, and most data privacy regulations around the world, require this notification.

Because the United States does not have a single federal data privacy law, companies doing business across the country and/or with other countries may need to comply with multiple consumer privacy laws to protect data. (Learn more: Comparing US state-level data privacy laws) A CMP can make this easier by enabling banner customization and geotargeting. Data processing, consent information and choices for specific regulations can be presented based on specific user location. Geotargeting can also improve clarity and user experience by presenting this information in the user’s preferred language.

This will enable companies to achieve data privacy Indiana CDPA compliance, as well as other current and upcoming regulations across the United States. For companies doing business internationally, using a consent management platform also enables compliance with regulations like the GDPR, which has more strict consent management requirements than the laws in the US.

Organizations doing business in Indiana have until 2026 to prepare for compliance with the Indiana CDPA, which is a longer runway than many other states have had. If organizations have already achieved compliance with other state-level data privacy laws in the US, especially Virginia, but also Connecticut, and/or Colorado, much of the work is already done. As always, a privacy by design approach will benefit all operations in an organization, whether specifically for regulatory compliance or not.

Achieving Indiana CDPA compliance will mainly be a matter of confirming the state law’s specific requirements and having a solution in place to provide users with the necessary notifications and opt-out options. A consent management platform can help on companies’ websites with cookie and tracking notification and management.

Updates to the Indiana CDPA are likely over time, as these US regulations are all in their first version, and both technology and consumer expectations are rapidly changing. The law began modeled on the EU’s GDPR and California’s CCPA, but with a joint effort between the state’s legislators and business community, the bill evolved to be much more like Virginia’s law. The VCDPA itself was seen as an expression of evolving thought and legislation when passed in 2021.

As the Indiana CDPA does not include private right of action, consumer class-action lawsuits will not be a potential influence on future amendments to Indiana’s privacy law as they may be in California.

Consulting qualified legal counsel and/or your organization’s data privacy expert, like a Data Protection Officer, is recommended to ensure responsibilities are met.

Beyond just meeting requirements, being proactive about protecting user privacy is a valuable business effort. It builds user trust and engagement, provides better user experiences, and strengthens customer relationships long-term, which leads to more high quality data for marketing operations and boosts revenue.

If you have questions or interest in implementing a consent management platform to help achieve compliance with privacy laws in the United States and around the world, talk to one of our experts.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.