Indiana Data Privacy Laws: ICDPA Consumer Rights Guide (2026)

Indiana has positioned itself as one of the growing number of states with a comprehensive consumer data privacy framework. The state's primary data privacy statute, the Indiana Consumer Data Protection Act (ICDPA), took effect on January 1, 2026, giving Indiana residents significant control over how businesses collect, use, and share their personal information.
This guide covers every aspect of Indiana's data privacy laws, including the ICDPA's consumer rights, business obligations, and enforcement mechanisms, as well as the state's separate data breach notification statute.
Indiana Consumer Data Protection Act (ICDPA) Overview
The Indiana Consumer Data Protection Act was enacted through Senate Bill 5 during the 2023 legislative session. The Indiana Senate passed SB 5 unanimously (49-0) on February 9, 2023, and the Indiana House approved the amended version by a vote of 98-0 on April 11, 2023. Governor Eric Holcomb signed the bill into law on May 1, 2023.

The law is codified at Indiana Code Title 24, Article 15 and became effective on January 1, 2026. Indiana became the seventh state in the nation to enact a comprehensive consumer data privacy law, following California, Virginia, Colorado, Connecticut, Utah, and Iowa.
The ICDPA is closely modeled after the Virginia Consumer Data Protection Act (VCDPA), sharing a similar structure, definitions, and enforcement approach. This makes it a relatively business-friendly privacy framework compared to more stringent laws like California's CCPA/CPRA.
Who Must Comply With the ICDPA
The ICDPA applies to persons that conduct business in Indiana or produce products or services targeted to Indiana residents and that, during a calendar year, meet one of two thresholds:
- Threshold 1: Control or process personal data of at least 100,000 Indiana consumers, OR
- Threshold 2: Control or process personal data of at least 25,000 Indiana consumers AND derive more than 50% of gross revenue from the sale of personal data
These thresholds are among the highest of any state privacy law, which means many small and mid-sized businesses operating in Indiana will not be subject to the ICDPA.
Who Is Exempt From the ICDPA
The ICDPA provides broad exemptions at both the entity and data levels.
Entity-level exemptions include:
- State and local government bodies (and their contractors acting on their behalf)
- Nonprofit organizations
- Institutions of higher education
- Entities covered by the Health Insurance Portability and Accountability Act (HIPAA)
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Public utilities
Data-level exemptions include:
- Protected health information under HIPAA
- Data subject to the GLBA
- Data regulated by the Fair Credit Reporting Act (FCRA)
- Data regulated by the Family Educational Rights and Privacy Act (FERPA)
- Data covered by the Driver's Privacy Protection Act (DPPA)
- Data covered by the Federal Farm Credit Act
- Employment-related data processed in an employment context
- Scientific research data
Consumer Rights Under the ICDPA
The ICDPA grants Indiana residents several important rights over their personal data. Consumers can exercise these rights by submitting a request to a business that acts as a "controller" of their data.
Right to Confirm and Access
Indiana consumers have the right to confirm whether a controller is processing their personal data. If so, they can access that data in a readable format.
Right to Correct
Consumers can request that a controller correct inaccuracies in their personal data, taking into account the nature of the data and the purposes of the processing.
Right to Delete
Consumers have the right to request deletion of personal data that the controller holds about them, including data provided by the consumer and data obtained from other sources.
Right to Data Portability
Consumers can obtain a copy of their personal data in a portable and readily usable format that allows them to transmit the data to another controller. This right may be exercised no more than once per 12-month period.
Right to Opt Out
Indiana consumers have the right to opt out of the processing of their personal data for the following purposes:
- Targeted advertising based on personal data gathered from across different websites and services
- Sale of personal data to third parties
- Profiling that produces legal effects or similarly significant effects on the consumer
The ICDPA does not require businesses to honor universal opt-out mechanisms such as the Global Privacy Control (GPC). Businesses may choose to support GPC voluntarily, but there is no statutory mandate to do so.
How to Exercise Consumer Rights
Consumers submit requests directly to the controller. The controller must respond without undue delay, but no later than 45 days after receiving the request. The controller may extend the response period by an additional 45 days when reasonably necessary, provided the consumer is informed of the extension and the reason for it.
If a controller declines to act on a consumer's request, the controller must inform the consumer without undue delay, providing the reasons for the refusal and instructions for how to appeal the decision.
Right to Appeal
If a controller denies a consumer's request, the consumer has the right to appeal the decision. The controller must establish an internal appeals process and respond to the appeal within 60 days.
If the appeal is denied, the controller must provide the consumer with a method to contact the Indiana Attorney General to submit a complaint.
Sensitive Data Under the ICDPA
The ICDPA defines "sensitive data" as a specific category of personal data that requires heightened protection. Controllers must obtain the consumer's opt-in consent before processing sensitive data.
Categories of Sensitive Data
Sensitive data under the ICDPA includes:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis made by a health care provider
- Sexual orientation
- Citizenship or immigration status
- Genetic data used to uniquely identify a natural person
- Biometric data used to uniquely identify a natural person
- Precise geolocation data (within a radius of 1,750 feet)
- Personal data collected from a known child under the age of 13
Biometric Data Definition
Biometric data under the ICDPA means data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, retina or iris image, or other unique biological patterns. The definition specifically excludes physical or digital photographs, video or audio recordings, and data generated from those recordings. It also excludes information collected for health care treatment, payment, or operations under HIPAA.
Children's Data
For personal data of a known child under 13, compliance with the federal Children's Online Privacy Protection Act (COPPA) satisfies the parental consent requirements of the ICDPA, as stated in Ind. Code 24-15-1-3.
Business Obligations Under the ICDPA
The ICDPA places several key obligations on businesses that act as data controllers.
Privacy Notice Requirements
Controllers must provide consumers with a clear and accessible privacy notice that includes:
- The categories of personal data processed
- The purposes for processing personal data
- How consumers can exercise their rights, including the right to appeal
- The categories of personal data shared with third parties
- The categories of third parties with whom data is shared
Data Minimization
Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purposes. Businesses cannot collect more data than is needed to accomplish the stated purpose.
Purpose Limitation
Controllers cannot process personal data for purposes that are not reasonably necessary to or compatible with the disclosed purposes, unless the controller obtains the consumer's consent.
Security Requirements
Controllers must implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The security measures must be appropriate to the volume and nature of the data.
Data Processing Agreements
When a controller engages a data processor, the two parties must enter into a written contract that clearly sets forth:
- Instructions for processing personal data
- The nature and purpose of processing
- The type of data subject to processing
- The duration of processing
- The rights and obligations of both parties
Data Protection Assessments
The ICDPA requires controllers to conduct data protection assessments for certain high-risk processing activities. These assessments must evaluate the benefits of the processing against the potential risks to consumer rights. Assessments are required for:
- Processing personal data for targeted advertising
- Selling personal data
- Processing personal data for profiling that presents a risk of unfair or deceptive treatment, financial or physical injury, or intrusion on solitude or seclusion
- Processing sensitive data
Data protection assessments must be made available to the Attorney General upon request during an investigation.
Enforcement and Penalties
Attorney General Enforcement
The ICDPA is enforced exclusively by the Indiana Attorney General. There is no private right of action, meaning individual consumers cannot file lawsuits against businesses for violations of the ICDPA.
The Attorney General has indicated that enforcement will proceed through two primary channels: consumer complaints and proactive investigations.
30-Day Cure Period
Before initiating an enforcement action, the Attorney General must provide the controller or processor with 30 days' written notice identifying the specific provisions that have been or are being violated.
During the 30-day cure period, the business can cure the alleged violation and provide the Attorney General with a written statement confirming that:
- The violation has been cured
- No further violations will occur
A critical feature of Indiana's law is that the 30-day cure period is permanent. Unlike states such as Colorado and Connecticut (where cure periods had sunset dates) or California (which eliminated its cure period under the CPRA), Indiana businesses will always have this 30-day window to remedy violations before facing penalties.
However, the Indiana Attorney General's office has signaled that this safe harbor applies only to violations that can be cured. Violations deemed incurable may be subject to immediate enforcement action.
Civil Penalties
| Violation Type | Maximum Penalty |
|---|---|
| ICDPA violation (per violation) | $7,500 |
| Data breach notification violation (per deceptive act) | $150,000 |
| Attorney's fees and investigation costs | Recoverable by AG |
| Injunctive relief | Available to AG |
If the cure period expires without adequate remediation, or if the violation is incurable, the Attorney General may initiate an action in the name of the state seeking:
- An injunction to restrain violations
- Civil penalties not to exceed $7,500 for each violation
- Recovery of reasonable expenses incurred in investigating and preparing the case, including attorney's fees
Indiana Data Breach Notification Law
In addition to the ICDPA, Indiana has a separate data breach notification statute codified at Indiana Code 24-4.9 (Disclosure of Security Breach). This law has been in effect since 2006 and was most recently amended by S.B. 17 in 2024, effective July 1, 2024.
What Triggers a Notification
A data breach notification is required when there is an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an entity, and the breach has resulted in or could result in identity deception, identity theft, or fraud.
Definition of Personal Information
Under Indiana's breach notification law, personal information includes:
- A Social Security number alone, OR
- An individual's first name or initial and last name combined with any one or more of:
  - Driver's license number
  - State identification card number
  - Credit card number
  - Financial account number or debit card number in combination with a required security code, password, or access code
Personal information does not include information lawfully obtained from publicly available sources.
Encryption Safe Harbor
Notification is not required if the breached data was encrypted or redacted, provided the encryption key itself was not compromised during the breach.
Notification Requirements
Businesses must provide notice of a data breach as follows:
| Requirement | Detail |
|---|---|
| Timing | Without unreasonable delay, but no more than 45 days after discovery |
| Consumer notification methods | Written mail, telephone, fax, or email |
| Attorney General notification | Required when breach notice is sent to Indiana residents |
| Consumer reporting agency notification | Required when more than 1,000 Indiana residents are affected |
| Substitute notice threshold | Available when cost exceeds $250,000 or affected class exceeds 500,000 residents |
Substitute notice consists of conspicuous posting on the entity's website and notification to statewide media outlets serving the affected geographic area.
Breach Notification Penalties
The Attorney General may seek enforcement action against entities that fail to comply with breach notification requirements. Penalties include:
- Civil penalties of up to $150,000 per deceptive act
- Injunctive relief
- Recovery of reasonable costs for investigating and maintaining the action
Businesses can report a data breach to the Indiana Attorney General's office by submitting the Data Breach Notification Form to DataBreach@atg.in.gov.
Exemptions From Breach Notification
Entities that maintain their own security breach notification procedures as part of an information privacy or security policy are exempt from the notification requirements, provided those procedures are at least as stringent as the notification requirements of the statute. Additionally, entities subject to and compliant with notification requirements under HIPAA, the GLBA, the USA PATRIOT Act, the DPPA, or the FCRA may follow those federal frameworks instead.
How the ICDPA Compares to Other State Privacy Laws
Indiana's data privacy law shares significant similarities with Virginia's VCDPA, but there are notable differences compared to other state frameworks.
Key Comparisons
| Feature | Indiana (ICDPA) | California (CCPA/CPRA) | Virginia (VCDPA) |
|---|---|---|---|
| Effective date | January 1, 2026 | January 1, 2020 / January 1, 2023 | January 1, 2023 |
| Applicability threshold | 100K consumers or 25K + 50% revenue | $25M revenue, 50K consumers, or 50% revenue | 100K consumers or 25K + 50% revenue |
| Private right of action | No | Yes (limited to data breaches) | No |
| Cure period | 30 days (permanent) | None (eliminated under CPRA) | 30 days (expired January 2025) |
| Universal opt-out | Not required | Required (GPC) | Not required |
| Maximum penalty | $7,500 per violation | $7,500 per intentional violation | $7,500 per violation |
| Rulemaking authority | No | Yes (via CPPA) | No |
| Dark patterns prohibition | No | Yes | No |
Unique Features of Indiana's Law
The ICDPA has several characteristics that distinguish it from other state privacy laws:
- Permanent cure period: The 30-day right to cure never expires, giving businesses an ongoing opportunity to fix violations before facing penalties.
- No universal opt-out mandate: Businesses are not required to honor browser-based opt-out signals like Global Privacy Control.
- No rulemaking authority: The Attorney General cannot issue regulations interpreting or expanding the statute, which provides businesses with more regulatory certainty.
- High applicability thresholds: The 100,000-consumer threshold means most small businesses in Indiana are not subject to the law.
- Narrow sensitive data definition: The requirement of a health care provider diagnosis for mental or physical health data is more limited than some states that include any health-related information.
Practical Steps for Compliance
Businesses that meet the ICDPA's applicability thresholds should take the following steps to ensure compliance:
- Conduct a data inventory to understand what personal data you collect, how it is processed, who it is shared with, and where it is stored.
- Update your privacy notice to include all required disclosures about data collection, processing purposes, consumer rights, and third-party sharing.
- Implement consumer rights request processes that allow Indiana residents to submit and track access, correction, deletion, portability, and opt-out requests within the 45-day response window.
- Obtain opt-in consent for sensitive data processing, including biometric, genetic, health, geolocation, and children's data.
- Review and update vendor contracts to ensure data processing agreements meet the ICDPA's requirements.
- Conduct data protection assessments for targeted advertising, data sales, profiling, and sensitive data processing activities.
- Train your team on the new requirements and establish internal procedures for responding to consumer requests and potential Attorney General inquiries.
- Review data security practices to ensure reasonable administrative, technical, and physical safeguards are in place.
This article is for informational purposes only and does not constitute legal advice. The information provided reflects Indiana law as of the publication date. For specific questions about how Indiana's data privacy laws apply to your situation, consult a licensed attorney in your jurisdiction.