Indiana was the seventh state in the US to pass a consumer privacy bill, with an effective date of July 1, 2026. As of May 1, 2023, when the law was passed, organizations have two and a half years to prepare for INCDPA compliance.<\/p>\n
Six laws have been passed in the United States between March and June 2023: Iowa, Indiana, Tennessee, Montana, Florida, and Texas. Indiana\u2019s data privacy law is quite similar to the Virginia Consumer Data Privacy Act (VCDPA)<\/a>, and also comparable to the Connecticut Data Privacy Act (CTDPA)<\/a> and Colorado Privacy Act (CPA)<\/a> with regards to consumers\u2019 rights and organizations\u2019 responsibilities.<\/p>\n\n\n The Indiana Consumer Data Protection Act (INCDPA)<\/a>, from Senate Bill 5<\/a>, protects the privacy and personal information rights of Indiana\u2019s 6.8 million residents, and establishes data privacy responsibilities for companies doing business in the state or providing goods or services targeting Indiana residents.<\/p>\n In the course of doing business these organizations process consumers\u2019 personal information. Like other states with data privacy laws, Indiana defines a consumer as a resident of the state and \u201cacting only for a personal, family, or household purpose\u201d and not in a \u201ccommercial or employment context\u201d.<\/p>\n The INCDPA uses an opt-out model, as do the laws in all the other states that have passed comprehensive data privacy regulations to date. This means that businesses that are required to become INCDPA-compliant must inform consumers about data collection and processing that they perform, i.e. what data, for what purposes, third parties with whom the data will be shared, etc. Businesses must give consumers a way to opt out of data collection and processing for certain purposes. They and any third parties they engage for data processing must also implement reasonable security and protections.<\/p>\n Personal data<\/strong><\/p>\n The INCDPA<\/strong> uses a fairly standard definition of personal data (also called personal information in some other laws or personally identifiable information): \u201cinformation that is linked or reasonably linkable to an identified or identifiable individual\u201d<\/em>. It explicitly excludes de-identified data<\/a>, aggregate data, or publicly available information.<\/p>\n The Act does not specifically list types of identifiable information, as some other state-level data privacy laws do, but common types include name, account\/username, IP address, email address, Social Security Number, driver\u2019s license number, or passport number.<\/p>\n Consent<\/strong><\/p>\n The European Union\u2019s General Data Protection Regulation (GDPR)<\/a> set the standard for defining consent, which has been followed by many regulations passed since, including Indiana\u2019s.<\/p>\n Under the INCDPA, consent is defined as: \u201ca clear affirmative act that signals a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.\u201d<\/em><\/p>\n \u201cClear affirmative act\u201d is further clarified as, \u201cincludes a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.\u201d<\/em><\/p>\n That second part is relevant for the use of a consent management platform to collect and store user consent data for use of cookies and other online tracking technologies on websites, apps and connected media devices.<\/p>\n It is notable that Indiana\u2019s law does not include any requirement for consumers to have a means to revoke their consent. The data privacy laws in California, Colorado, and Connecticut do provide this.<\/p>\n Sensitive data \/ sensitive personal data<\/strong><\/p>\n This covers more specific categories of personal data, which present a greater risk of harm if misused, including any of:<\/p>\n It is fairly common among the US state-level data privacy laws for them to defer to the federal Children\u2019s Online Privacy Protection Act (COPPA)<\/a> with regards to consent requirements and handling of children\u2019s data, and for any data of a known child (13 years of age is typical) to be categorized as sensitive by default.<\/p>\n Controller<\/strong><\/p>\n Businesses that collect and process personal information will likely qualify as controllers, which the INCDPA defines as \u201ca person that, alone or jointly with others, determines the purpose and means of processing personal data.\u201d<\/em> In this case \u201cperson\u201d could also be a company or other organization that is required to comply with the law.<\/p>\n Processor<\/strong><\/p>\n For businesses that share personal information for processing purposes, the business will be the controller and the third-party entity will be the processor, defined in the Indiana privacy act as \u201ca person that processes personal data on behalf of a controller\u201d<\/em>.<\/p>\n Sale<\/strong><\/p>\n This is defined as the \u201cthe exchange of personal data for monetary consideration by a controller to a third party.\u201d<\/em> Explicitly not included in the definition is:<\/p>\n Targeted advertising<\/strong><\/p>\n Refers to display of \u201can advertisement to a consumer in which the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.\u201d<\/em><\/p>\n The definition does not include:<\/p>\n The INCDPA applies to organizations conducting business in Indiana, and any business that offers products or services targeted to Indiana residents. The organization itself does not have to be based in the state. INCDPA compliance has two primary threshold criteria for organizations (\u201ccontrollers\u201d under the law):<\/p>\n or<\/strong><\/p>\n Unlike some states, e.g. California with the CCPA and CPRA<\/a>, Indiana\u2019s privacy law does not also include a revenue threshold alone. Which means companies that otherwise would be required to comply with the regulation if their annual gross revenues exceeded a certain dollar amount (US $25 million in some other laws), even if they did not meet the threshold of the number of consumers\u2019 whose data was processed.<\/p>\n Without this threshold, businesses of any size\/value that meet the Indiana privacy law\u2019s personal information or personal information plus revenue percentage thresholds must become compliant with Indiana\u2019s CDPA.<\/p>\n The exemptions in the Indiana data privacy act are fairly consistent with the other existing US data privacy laws, deferring mainly to existing federal laws, including:<\/p>\n Other exemptions include HR data, health records, research data for human subjects that are covered by other federal laws or standards, and data that is processed or maintained for employment-related purposes.<\/p>\n Exempted institutions include:<\/p>\n Exclusions to the Indiana law\u2019s definition of \u201cconsumer\u201d also include individuals acting in a commercial (business) or employment context.<\/p>\n\n\n Consumers have several main personal information rights under the new data protection law.<\/p>\n Parents or guardians can exercise these rights on behalf of children. Personal data of children under age 13 is categorized as sensitive by default. Like all other state-level data privacy laws in the US except California, the INCDPA does not include a private right of action, which would enable consumers to sue a controller in the event of a violation.<\/p>\n\n\n Controllers must practice transparency and provide consumers with an \u201caccessible, clear and meaningful\u201d privacy notice. The notice should include:<\/p>\n To exercise their rights, consumers must submit a verifiable request to the controller (company). After a consumer request is received, the controller has 45 days to respond. There are some limited reasons that they can decline, including if the consumer\u2019s identity cannot be reasonably verified. The consumer can appeal such a decision, and the controller has 45 days to respond to the appeal.<\/p>\n If there are extenuating circumstances preventing a controller from fulfilling a consumer request, once the consumer has been notified, that response period can be extended by 45 days if reasonably necessary.<\/p>\n Purpose limitation<\/strong><\/p>\n Controllers can process personal information for the purpose(s) that they have communicated, as long as the processing is \u201cadequate, relevant, and reasonably necessary\u201d and proportional to those purposes.<\/p>\n Data security<\/strong><\/p>\n Controllers must protect personal information by establishing, implementing and maintaining reasonable administrative, technical, and physical security measures. These measures should be appropriate to the nature and volume of personal information being processed.<\/p>\n Controllers must conduct and document data protection assessments when they:<\/p>\n These assessments apply to processing activities occurring after December 1, 2025, which is seven months before the law\u2019s effective date of July 1, 2026.<\/p>\n Consent requirements<\/strong><\/p>\n Like other US states that have passed privacy laws, Indiana uses an opt-out model, so user consent is not required before collecting and processing information in many cases. The exception is that consent must be obtained before collecting or processing sensitive personal information. Consumers must be given clear notice about processing and be able to opt out of sale, targeted advertising, or profiling.<\/p>\n Where children are concerned, like a number of other states, the INCDPA follows the federal Children\u2019s Online Privacy Protection Act (COPPA)<\/a>. Consent from any known child\u2019s parent or guardian must be obtained before processing of any personal information of any user known to be under 13 years of age. This would include all children\u2019s personal information, as under Indiana\u2019s data privacy regulation data of children under 13 is classified as sensitive by default.<\/p>\n Nondiscrimination<\/strong><\/p>\n Controllers are prohibited from unlawful discrimination against consumers, and from processing personal information if doing so is in violation of state or federal laws governing discrimination. Additionally, controllers cannot discriminate against consumers for exercising their rights. For example, a consumer cannot be blocked from accessing a website if they opt out of allowing personal information collection.<\/p>\n However, there are often website features or functions that will not work without certain cookies being active, so if a consumer does not opt in to their use because they collect personal information, the site may not work optimally. This is not discriminatory.<\/p>\n Controllers can offer voluntary incentives like discounts for consumers\u2019 voluntary participation in operations like an organization\u2019s loyalty program or signing up for a newsletter, where these operations collect and process personal data. Such offers have to be reasonable, as data protection authorities tend to frown on disproportionate incentives as they start to look like bribes.<\/p>\n Transparency<\/strong><\/p>\n Controllers must provide consumers with clear and accessible information about data processing. Commonly this appears on the company\u2019s website in a privacy notice or policy. Under the INCDPA, this information must include:<\/p>\n Third party data processing contracts<\/strong><\/p>\n Controllers must have contracts in place with third-party processors (vendors and other service providers) with clear information about:<\/p>\n Third-party data processors are also expected to assist controllers in meeting duties related to security, transparency, retention, deletion, assessment, and reporting. The Indiana Attorney General can request a DPIA from a controller for the purposes of a civil investigation.<\/p>\n Universal opt-out signal<\/strong><\/p>\n Like with the Virginia Consumer Data Protection Act (VCDPA)<\/a>, Iowa Consumer Data Protection Act (ICDPA)<\/a>, and Utah Consumer Privacy Act (UCPA)<\/a>, the Indiana Consumer Data Protection Act does not make any specific reference to the Global Privacy Control<\/a> (GPC) \u201cuniversal opt-out\u201d or similar mechanism.<\/p>\n California\u2019s laws do reference this signal, which is intended to standardize user consent online. Using it enables consumers to create a single set of their own personal data privacy consent preferences. These settings can then be communicated to all websites or apps that consumers visit, so users don\u2019t have to set new preferences on every site. Use of this mechanism also helps ensure compliance with consumer privacy laws relevant to each user.<\/p>\n\n\n In Indiana, the Attorney General has enforcement authority for the INCDPA. As noted, the law does not provide consumers with private right of action, but they can report alleged violations or complaints about denial of requests to the Attorney General\u2019s office.<\/p>\n The Attorney General\u2019s office can also issue a civil investigative demand for suspected violations of the Act if there is reasonable belief that a violation has occurred. The Attorney General must provide parties that have violations alleged against them with written notice that lists the violations.<\/p>\n There is a 30-day cure period during which organizations can fix the issues and take steps to prevent recurrence of violation. They must also provide a written statement that any violations have been cured and no further ones will occur. Cure periods in other state-level data privacy laws range from 30 to 90 days, and in Indiana the right to cure does not sunset.<\/p>\n If the controller or any of their data processors are still in violation after the cure period, or after submitting their statement, the Attorney General can commence enforcement proceedings by issuing an injunction and\/or seeking civil penalties.<\/p>\n A controller or processor found to be in violation of Indiana\u2019s data privacy regulation is subject to a fine of up to US $7,500 per violation, which is the same as California\u2019s maximum fine under the California Privacy Rights Act (CPRA)<\/a>. They can also recover reasonable expenses, like attorney\u2019s fees.<\/p>\n\n\n Indiana\u2019s consumer privacy law reflects the opt-out model, as do all other current US state-level data privacy laws. Under this model, controllers do not have to obtain user\/data subject consent prior to collecting or processing personal data. Only collection and use of sensitive personal data, including that of children, needs prior consent.<\/p>\n Consumers have to be provided with information about and the option of opting out of collection and processing of their personal information for sale, targeted advertising, or profiling at any point. Information about that must be provided on the website, typically under the privacy notice\/policy page.<\/p>\n These requirements continue to evolve, as state-level privacy laws passed earlier did not necessarily include these provisions, particularly re. targeted advertising or profiling. Addressing automated decision-making is becoming more common as well, and is likely to continue to garner attention and discussion as machine learning and generative AI tools grow in popularity.<\/p>\n The mechanism to enable users to opt out of data processing can be presented in a banner and displayed, most commonly as a link or button, reflecting the requirements in the law\u2019s definition of consent: \u201ca statement written by electronic means, or any other unambiguous affirmative action.\u201d<\/em><\/p>\n Usercentrics\u2019 Consent Management Platform (CMP)<\/a> also helps to automate detection of the cookies and other tracking technologies in use on websites and apps. Use of a CMP streamlines collecting and providing the information to users about categories of data and specific services in use by the controller and\/or processor(s), and third parties with whom data is shared. Indiana\u2019s privacy law, and most data privacy regulations around the world, require this notification.<\/p>\n Because the United States does not have a single federal data privacy law, companies doing business across the country and\/or with other countries may need to comply with multiple consumer privacy laws to protect data. (Learn more: Comparing US state-level data privacy laws<\/a>) A CMP can make this easier by enabling banner customization and geotargeting. Data processing, consent information and choices for specific regulations can be presented based on specific user location. Geotargeting can also improve clarity and user experience by presenting this information in the user\u2019s preferred language.<\/p>\n\n\nWhat is the Indiana data privacy act?<\/h2>\n
Definitions in the Indiana Consumer Data Protection Act<\/h4>\n
\n
\n
\n
\n
\n
What is covered in the Indiana data privacy act?<\/h2>\n
Who has to comply with the Indiana Consumer Data Protection Act?<\/h4>\n
\n
\n
Exemptions to Indiana Consumer Data Protection Act compliance<\/h4>\n
\n
\n
Consumers\u2019 rights under the Indiana Consumer Data Protection Act<\/h2>\n
\n
How does the new Indiana data protection act affect businesses?<\/h2>\n
How to comply with the Indiana data privacy act<\/h4>\n
\n
Data protection impact assessments (DPIA)<\/h4>\n
\n
\n
\n
What happens if you break the Indiana data protection law?<\/h2>\n
Enforcement<\/h4>\n
Cure period and controller actions<\/h4>\n
Fines and penalties<\/h4>\n
The Indiana Consumer Data Protection Act and consent management<\/h2>\n