Indiana
Indiana Data Privacy Laws: ICDPA Consumer Rights Guide (2026)
Indiana's Consumer Data Protection Act (INCDPA) took effect on January 1, 2026, giving Indiana residents the right to access, correct, delete, and opt out of the sale of their personal data. The Indiana Attorney General enforces the law exclusively, with active enforcement set to begin July 1, 2026. Businesses that process data of 100,000 or more Indiana consumers, or 25,000 consumers while earning more than 50 percent of gross revenue from data sales, must comply with Ind. Code Title 24, Article 15.
Indiana enacted the data privacy INCDPA through unanimous legislative votes in 2023, making it among the earliest states to pass a comprehensive consumer privacy framework. The law is closely modeled on the Virginia Consumer Data Protection Act, giving it a business-friendly structure compared to California's approach. This guide covers every aspect of Indiana's data privacy laws, from the INCDPA's consumer rights and business obligations to the state's separate breach notification statute and federal overlay.
Indiana Consumer Data Protection Act (INCDPA) Overview
The Indiana Consumer Data Protection Act was enacted through Senate Bill 5 during the 2023 legislative session. The Indiana Senate passed SB 5 unanimously (49-0) on February 9, 2023, and the Indiana House approved the amended version by a vote of 98-0 on April 11, 2023. Governor Eric Holcomb signed the bill into law on May 1, 2023.
The law is codified at Indiana Code Title 24, Article 15 and became effective on January 1, 2026. When Indiana signed SB 5 into law in 2023, it became the seventh state in the nation to enact a comprehensive consumer data privacy law. As of 2026, more than twenty states have enacted comprehensive consumer privacy frameworks, with Indiana joining the first wave alongside California, Virginia, Colorado, Connecticut, Utah, and Iowa.
The INCDPA is closely modeled after the Virginia Consumer Data Protection Act (VCDPA), sharing a similar structure, definitions, and enforcement approach. This makes it a relatively business-friendly privacy framework compared to more stringent laws like California's CCPA/CPRA.
Who Must Comply With the INCDPA
The INCDPA applies to persons that conduct business in Indiana or produce products or services targeted to Indiana residents and that, during a calendar year, meet one of two thresholds:
- Threshold 1: Control or process personal data of at least 100,000 Indiana consumers, OR
- Threshold 2: Control or process personal data of at least 25,000 Indiana consumers AND derive more than 50% of gross revenue from the sale of personal data
These thresholds are among the highest of any state privacy law, which means many small and mid-sized businesses operating in Indiana will not be subject to the INCDPA.
Who Is Exempt From the INCDPA
The INCDPA provides broad exemptions at both the entity and data levels.
Entity-level exemptions include:
- State and local government bodies (and their contractors acting on their behalf)
- Nonprofit organizations
- Institutions of higher education
- Entities covered by the Health Insurance Portability and Accountability Act (HIPAA)
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Public utilities
Data-level exemptions include:
- Protected health information under HIPAA
- Data subject to the GLBA
- Data regulated by the Fair Credit Reporting Act (FCRA)
- Data regulated by the Family Educational Rights and Privacy Act (FERPA)
- Data covered by the Driver's Privacy Protection Act (DPPA)
- Data covered by the Federal Farm Credit Act
- Employment-related data processed in an employment context
- Business-to-business data
- Scientific research data
Consumer Rights Under the INCDPA
The INCDPA grants Indiana residents several important rights over their personal data. Consumers can exercise these rights by submitting a request to a business that acts as a "controller" of their data.
Right to Confirm and Access
Indiana consumers have the right to confirm whether a controller is processing their personal data. If so, they can access that data in a readable format.
Right to Correct
Consumers can request that a controller correct inaccuracies in their personal data, taking into account the nature of the data and the purposes of the processing.
Right to Delete
Consumers have the right to request deletion of personal data that the controller holds about them, including data provided by the consumer and data obtained from other sources.
Right to Data Portability
Consumers can obtain a copy of their personal data in a portable and readily usable format that allows them to transmit the data to another controller. This right may be exercised no more than once per 12-month period.
Right to Opt Out
Indiana consumers have the right to opt out of the processing of their personal data for the following purposes:
- Targeted advertising based on personal data gathered from across different websites and services
- Sale of personal data to third parties
- Profiling that produces legal effects or similarly significant effects on the consumer
The INCDPA does not require businesses to honor universal opt-out mechanisms such as Global Privacy Control (GPC). Businesses may choose to support GPC voluntarily, but there is no statutory mandate to do so.
How to Exercise Consumer Rights
Consumers submit requests directly to the controller. The controller must respond without undue delay, but no later than 45 days after receiving the request. The controller may extend the response period by an additional 45 days when reasonably necessary, provided the consumer is informed of the extension and the reason for it.
If a controller declines to act on a consumer's request, the controller must inform the consumer without undue delay, providing the reasons for the refusal and instructions for how to appeal the decision.
Right to Appeal
If a controller denies a consumer's request, the consumer has the right to appeal the decision. The controller must establish an internal appeals process and respond to the appeal within 60 days.
If the appeal is denied, the controller must provide the consumer with a method to contact the Indiana Attorney General to submit a complaint.
Sensitive Data Under the INCDPA
The INCDPA defines "sensitive data" as a specific category of personal data that requires heightened protection. Controllers must obtain the consumer's opt-in consent before processing sensitive data.
Categories of Sensitive Data
Sensitive data under the INCDPA includes:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis made by a health care provider
- Sexual orientation
- Citizenship or immigration status
- Genetic data used to uniquely identify a natural person
- Biometric data used to uniquely identify a natural person
- Precise geolocation data (within a radius of 1,750 feet)
- Personal data collected from a known child under the age of 13
Biometric Data Definition
Biometric data under the INCDPA means data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, retina or iris image, or other unique biological patterns. The definition specifically excludes physical or digital photographs, video or audio recordings, and data generated from those recordings. It also excludes information collected for health care treatment, payment, or operations under HIPAA.
Children's Data
For personal data of a known child under 13, compliance with the federal Children's Online Privacy Protection Act (COPPA) satisfies the parental consent requirements of the INCDPA, as stated in Ind. Code 24-15-1-3.
Business Obligations Under the INCDPA
The INCDPA places several key obligations on businesses that act as data controllers.
Privacy Notice Requirements
Controllers must provide consumers with a clear and accessible privacy notice that includes:
- The categories of personal data processed
- The purposes for processing personal data
- How consumers can exercise their rights, including the right to appeal
- The categories of personal data shared with third parties
- The categories of third parties with whom data is shared
The Indiana Attorney General has made simple-to-understand privacy notices an explicit enforcement priority, based on the office's public guidance released in November 2025.
Data Minimization
Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purposes. Businesses cannot collect more data than is needed to accomplish the stated purpose.
Purpose Limitation
Controllers cannot process personal data for purposes that are not reasonably necessary to or compatible with the disclosed purposes, unless the controller obtains the consumer's consent.
Security Requirements
Controllers must implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The security measures must be appropriate to the volume and nature of the data.
Data Processing Agreements
When a controller engages a data processor, the two parties must enter into a written contract that clearly sets forth:
- Instructions for processing personal data
- The nature and purpose of processing
- The type of data subject to processing
- The duration of processing
- The rights and obligations of both parties
Data Protection Assessments
The INCDPA requires controllers to conduct data protection assessments for certain high-risk processing activities. These assessments must evaluate the benefits of the processing against the potential risks to consumer rights. Assessments are required for:
- Processing personal data for targeted advertising
- Selling personal data
- Processing personal data for profiling that presents a risk of unfair or deceptive treatment, financial or physical injury, or intrusion on solitude or seclusion
- Processing sensitive data
Data protection assessments must be made available to the Attorney General upon request during an investigation.
Enforcement and Penalties
Attorney General Enforcement
The INCDPA is enforced exclusively by the Indiana Attorney General. There is no private right of action, meaning individual consumers cannot file lawsuits against businesses for violations of the INCDPA.
In November 2025, Attorney General Todd Rokita released a Consumer Data Protection Bill of Rights to help consumers understand their new rights and to signal enforcement priorities. The AG's office has emphasized compliance with the requirement to provide simple, understandable privacy notices. Enforcement will proceed through consumer complaints submitted to the Attorney General's online portal and through independent staff reviews of company practices.
Enforcement Grace Period
Indiana built a six-month enforcement grace period into the INCDPA. While the law took effect January 1, 2026, the Attorney General will not begin active enforcement until July 1, 2026. Businesses that have not yet achieved full compliance should treat the period from now through June 30, 2026 as their final compliance window.
After July 1, 2026, any business that receives a notice of violation from the Attorney General will have 30 days to cure before facing penalties.
30-Day Cure Period
Before initiating an enforcement action, the Attorney General must provide the controller or processor with 30 days' written notice identifying the specific provisions that have been or are being violated.
During the 30-day cure period, the business can cure the alleged violation and provide the Attorney General with a written statement confirming that:
- The violation has been cured
- No further violations will occur
A critical feature of Indiana's law is that the 30-day cure period is permanent and has no sunset date. Unlike Colorado and Connecticut (where cure periods had sunset dates) or California (which eliminated its cure period under the CPRA), Indiana businesses will always have this 30-day window to remedy violations before facing penalties.
Civil Penalties
| Violation Type | Maximum Penalty |
|---|---|
| INCDPA violation (per violation) | $7,500 |
| Data breach notification violation (per deceptive act) | $150,000 |
| Attorney's fees and investigation costs | Recoverable by AG |
| Injunctive relief | Available to AG |
If the cure period expires without adequate remediation, or if the violation is incurable, the Attorney General may initiate an action in the name of the state seeking:
- An injunction to restrain violations
- Civil penalties not to exceed $7,500 for each violation
- Recovery of reasonable expenses incurred in investigating and preparing the case, including attorney's fees
Indiana Data Breach Notification Law
In addition to the INCDPA, Indiana has a separate data breach notification statute codified at Indiana Code 24-4.9 (Disclosure of Security Breach). This law has been in effect since 2006 and was most recently updated when the 2024 legislature added age-verification data to the definition of personal information subject to breach notification, effective July 1, 2024.
What Triggers a Notification
A data breach notification is required when there is an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an entity, and the breach has resulted in or could result in identity deception, identity theft, or fraud.
Definition of Personal Information
Under Indiana's breach notification law, personal information includes:
- A Social Security number alone, OR
- An individual's first name or initial and last name combined with any one or more of:
- Driver's license number
- State identification card number
- Credit card number
- Financial account number or debit card number in combination with a required security code, password, or access code
- Data collected by adult-oriented websites subject to Indiana's age verification law (Ind. Code 24-4-23), added by the 2024 legislative session
Personal information does not include information lawfully obtained from publicly available sources.
Encryption Safe Harbor
Notification is not required if the breached data was encrypted or redacted, provided the encryption key itself was not compromised during the breach.
Notification Requirements
Businesses must provide notice of a data breach as follows:
| Requirement | Detail |
|---|---|
| Timing | Without unreasonable delay, but no more than 45 days after discovery |
| Consumer notification methods | Written mail, telephone, fax, or email |
| Attorney General notification | Required when breach notice is sent to Indiana residents |
| Consumer reporting agency notification | Required when more than 1,000 Indiana residents are affected |
| Substitute notice threshold | Available when cost exceeds $250,000 or affected class exceeds 500,000 residents |
Substitute notice consists of conspicuous posting on the entity's website and notification to statewide media outlets serving the affected geographic area.
Breach Notification Penalties
The Attorney General may seek enforcement action against entities that fail to comply with breach notification requirements. Penalties include:
- Civil penalties of up to $150,000 per deceptive act
- Injunctive relief
- Recovery of reasonable costs for investigating and maintaining the action
Businesses can report a data breach to the Indiana Attorney General's office by submitting the Data Breach Notification Form to DataBreach@atg.in.gov.
Exemptions From Breach Notification
Entities that maintain their own security breach notification procedures as part of an information privacy or security policy are exempt from the notification requirements, provided those procedures are at least as stringent as the notification requirements of the statute. Additionally, entities subject to and compliant with notification requirements under HIPAA, the GLBA, the USA PATRIOT Act, the DPPA, or the FCRA may follow those federal frameworks instead.
Federal Privacy Overlay for Indiana Residents
Indiana residents benefit from several federal privacy laws that operate alongside the INCDPA and breach notification statute. Federal protections apply regardless of whether a business meets the INCDPA's state-law thresholds.
TAKE IT DOWN Act (2025)
Congress enacted the TAKE IT DOWN Act (Pub. L. 119-12) on April 28, 2025, and President Trump signed it into law on May 19, 2025. The law criminalizes the knowing publication of nonconsensual intimate images (NCII), including AI-generated deepfakes, and creates a federal right to demand removal of such content.
Key provisions affecting Indiana residents:
- Criminal penalties: Up to two years in federal prison for publishing NCII of adults, up to three years for images involving minors
- Platform removal obligation: Covered digital platforms must remove reported NCII within 48 hours of a valid takedown request and delete all known identical copies
- FTC enforcement: The Federal Trade Commission enforces the platform removal requirements. The compliance deadline for platforms to establish removal systems was May 19, 2026. The FTC began active enforcement on that date.
- Civil penalties: Platforms that violate the removal obligation may face FTC enforcement with civil penalties of up to $53,088 per violation
Indiana residents who have nonconsensual intimate images posted online can submit complaints at TakeItDown.ftc.gov or contact the FTC at consumer.ftc.gov.
HIPAA
The Health Insurance Portability and Accountability Act protects health information held by covered entities (hospitals, insurers, health care providers) and their business associates. HIPAA-covered data is explicitly exempt from the INCDPA at the entity level, so health care organizations in Indiana follow federal HIPAA rules rather than the INCDPA for that data.
Gramm-Leach-Bliley Act (GLBA)
Financial institutions subject to the GLBA must protect customer financial data and provide privacy notices under the FTC's Safeguards Rule. GLBA-regulated entities are exempt from the INCDPA.
Fair Credit Reporting Act (FCRA)
The FCRA governs how consumer reporting agencies collect, share, and use consumer credit and background information. Data subject to the FCRA is exempt from INCDPA coverage.
COPPA
The Children's Online Privacy Protection Act requires verifiable parental consent before collecting personal information from children under 13. The INCDPA expressly provides that COPPA compliance satisfies the parental consent requirements of the state law under Ind. Code 24-15-1-3.
FTC Act Section 5
The Federal Trade Commission's general authority under Section 5 of the FTC Act to prohibit unfair or deceptive acts or practices applies to all businesses in Indiana. Any misleading privacy policy or data-handling practice that harms consumers can be the basis for an FTC enforcement action regardless of whether the INCDPA applies.
American Privacy Rights Act (APRA)
Congress introduced a bicameral draft of the American Privacy Rights Act in 2024. The bill did not pass in 2024. A revised version, sometimes called APRA 2.0, was introduced in 2025. As of May 2026, no comprehensive federal privacy law has been enacted. If APRA or a successor bill passes, it would create a federal floor that affects all Indiana businesses and residents.
How the INCDPA Compares to Other State Privacy Laws
Indiana's data privacy law shares significant similarities with Virginia's VCDPA, but there are notable differences compared to other state frameworks.
Key Comparisons
| Feature | Indiana (INCDPA) | California (CCPA/CPRA) | Virginia (VCDPA) | Kentucky (KCDPA) |
|---|---|---|---|---|
| Effective date | January 1, 2026 | Jan 1, 2020 / Jan 1, 2023 | January 1, 2023 | January 1, 2026 |
| Applicability threshold | 100K consumers or 25K + 50% revenue | $25M revenue, 50K consumers, or 50% revenue | 100K consumers or 25K + 50% revenue | 100K consumers or 25K + 50% revenue |
| Private right of action | No | Yes (limited to data breaches) | No | No |
| Cure period | 30 days (permanent) | None (eliminated under CPRA) | 30 days (expired Jan 1, 2025) | 30 days (permanent) |
| Universal opt-out | Not required | Required (GPC) | Not required | Not required |
| Maximum penalty | $7,500 per violation | $7,500 per intentional violation | $7,500 per violation | $7,500 per violation |
| Rulemaking authority | No | Yes (via CPPA) | No | No |
| Enforcement start | July 1, 2026 | Ongoing | Ongoing | Ongoing |
Unique Features of Indiana's Law
The INCDPA has several characteristics that distinguish it from other state privacy laws:
- Permanent cure period: The 30-day right to cure never expires, giving businesses an ongoing opportunity to fix violations before facing penalties.
- No universal opt-out mandate: Businesses are not required to honor browser-based opt-out signals like Global Privacy Control.
- No rulemaking authority: The Attorney General cannot issue regulations interpreting or expanding the statute, which provides businesses with more regulatory certainty.
- High applicability thresholds: The 100,000-consumer threshold means most small businesses in Indiana are not subject to the law.
- Narrow sensitive data definition: The requirement of a health care provider diagnosis for mental or physical health data is more limited than some states that include any health-related information.
- Enforcement grace period: The AG will not enforce the law until July 1, 2026, giving businesses extra time to come into compliance.
Practical Steps for Compliance
Businesses that meet the INCDPA's applicability thresholds should take the following steps to ensure compliance before the July 1, 2026 enforcement start:
- Conduct a data inventory to understand what personal data you collect, how it is processed, who it is shared with, and where it is stored.
- Update your privacy notice to include all required disclosures about data collection, processing purposes, consumer rights, and third-party sharing. The AG has identified simple, understandable privacy notices as a top enforcement priority.
- Implement consumer rights request processes that allow Indiana residents to submit and track access, correction, deletion, portability, and opt-out requests within the 45-day response window.
- Obtain opt-in consent for sensitive data processing, including biometric, genetic, health diagnoses, geolocation, and children's data.
- Review and update vendor contracts to ensure data processing agreements meet the INCDPA's requirements.
- Conduct data protection assessments for targeted advertising, data sales, profiling, and sensitive data processing activities.
- Train your team on the new requirements and establish internal procedures for responding to consumer requests and potential Attorney General inquiries.
- Review data security practices to ensure reasonable administrative, technical, and physical safeguards are in place.
- Review TAKE IT DOWN Act obligations if you operate a digital platform where users can share images or video. The FTC platform removal obligation took effect May 19, 2026.
More Indiana Data Privacy Resources
Indiana's data privacy framework works alongside other state laws that protect personal information and consumer rights. For more on Indiana's legal landscape, see our coverage at recordinglaw.com/us-laws/data-privacy-laws/.
You can also explore data privacy laws in neighboring states:
- Illinois Data Privacy Laws
- Ohio Data Privacy Laws
- Kentucky Data Privacy Laws
- Michigan Data Privacy Laws
This article is for informational purposes only and does not constitute legal advice. The information reflects Indiana law as of May 2026. For specific questions about how Indiana's data privacy laws apply to your situation, consult a licensed attorney in your jurisdiction.
In-depth guides
- What Is the INCDPA? Indiana Consumer Data Protection Act
- INCDPA Consumer Rights: Your Data Privacy Rights
- INCDPA Compliance Checklist for Businesses (2026)
More Indiana Laws
- Indiana AI Meeting Recording Laws
- Indiana Alimony Laws
- Indiana At-Will Employment Laws
- Indiana Car Accident Laws
- Indiana Car Seat Laws
- Indiana Child Custody Laws
- Indiana Child Support Laws
- Indiana Common Law Marriage Laws
- Indiana Deepfake Laws
- Indiana Divorce Laws
- Indiana Dog Bite Laws
- Indiana Emancipation Laws
- Indiana Expungement Laws
- Indiana Hit and Run Laws
- Indiana Landlord-Tenant Laws
- Indiana Lemon Laws
Frequently Asked Questions
When did the Indiana Consumer Data Protection Act take effect?
The Indiana Consumer Data Protection Act (INCDPA) took effect on January 1, 2026. It was enacted through Senate Bill 5, which passed the Indiana legislature unanimously in 2023 and was signed by Governor Eric Holcomb on May 1, 2023. The law is codified at Indiana Code Title 24, Article 15. While the law is in force, the Indiana Attorney General will not begin active enforcement until July 1, 2026.
When does the Indiana Attorney General start enforcing the INCDPA?
The Indiana Attorney General begins active enforcement of the INCDPA on July 1, 2026. Indiana built in a six-month enforcement grace period from April 1, 2026 through June 30, 2026. Businesses that are not yet fully compliant should use this period to update privacy notices, implement consumer rights processes, and audit their data practices. After July 1, 2026, violations can result in civil penalties up to $7,500 per violation after a 30-day cure notice.
Does the INCDPA apply to small businesses in Indiana?
The INCDPA only applies to businesses that conduct business in Indiana or target Indiana residents and meet specific thresholds: processing personal data of at least 100,000 Indiana consumers per year, or processing data of at least 25,000 consumers while deriving more than 50 percent of gross revenue from selling personal data. Most small businesses will not meet these thresholds. Nonprofits, government entities, higher education institutions, HIPAA-covered entities, and GLBA-regulated financial institutions are also exempt regardless of size.
What rights do Indiana consumers have under the INCDPA?
Indiana consumers have five key rights under the INCDPA: the right to confirm and access their personal data, the right to correct inaccuracies, the right to delete their data, the right to obtain a portable copy of their data (once per 12 months), and the right to opt out of targeted advertising, data sales, and certain profiling. Businesses must respond to consumer requests within 45 days, with a possible 45-day extension. If a request is denied, consumers can appeal, and the business must respond to the appeal within 60 days. Consumers can also file complaints with the Attorney General's office.
What are the penalties for violating Indiana data privacy laws?
The Indiana Attorney General can seek civil penalties of up to $7,500 per violation of the INCDPA, plus injunctive relief and recovery of investigation costs and attorney fees. For data breach notification violations under Ind. Code 24-4.9, penalties can reach $150,000 per deceptive act. The INCDPA includes a permanent 30-day cure period, meaning businesses receive written notice and 30 days to fix violations before facing penalties. There is no private right of action, so only the Attorney General can enforce the INCDPA.
How quickly must an Indiana business report a data breach?
Under Indiana Code 24-4.9, businesses must notify affected Indiana residents of a data breach without unreasonable delay, but no later than 45 days after discovering the breach. The Indiana Attorney General must also be notified when breach notices are sent to residents. If more than 1,000 Indiana residents are affected, consumer reporting agencies must also be notified. Businesses can submit breach reports to the Attorney General at DataBreach@atg.in.gov using the official Data Breach Notification Form available at in.gov.
Is Indiana's 30-day cure period permanent?
Yes. The 30-day cure period under the INCDPA is permanent and has no sunset date. Before the Indiana Attorney General can file an enforcement action, the office must give the business 30 days' written notice identifying the specific violations. If the business cures the violation within 30 days and certifies that it will not recur, the AG cannot proceed with litigation. This differs from Virginia, where the cure period expired on January 1, 2025, and California, which eliminated its cure period under the CPRA.
What is the TAKE IT DOWN Act and does it affect Indiana?
The TAKE IT DOWN Act (Pub. L. 119-12) is a federal law signed on May 19, 2025. It criminalizes the knowing publication of nonconsensual intimate images, including AI-generated deepfakes, with criminal penalties up to two years in federal prison for images involving adults and up to three years for images involving minors. Digital platforms must remove reported images within 48 hours of a valid request. The FTC began enforcing the platform removal obligation on May 19, 2026. The law applies nationally, including in Indiana.
Sources and References
- Senate Bill 5 - Consumer Data Protection(iga.in.gov).gov
- Indiana Code Title 24, Article 15 - Consumer Data Protection(iga.in.gov).gov
- Indiana Attorney General - Security Breaches(in.gov).gov
- Indiana Attorney General - Breach FAQ and Notification Form(in.gov).gov
- Indiana Consumer Data Protection Consumer Bill of Rights(in.gov).gov
- Data Breach Notification Form(in.gov).gov
- HIPAA - HHS(hhs.gov).gov
- Gramm-Leach-Bliley Act - FTC(ftc.gov).gov
- Fair Credit Reporting Act - FTC(ftc.gov).gov
- FERPA - Dept of Education(www2.ed.gov).gov
- COPPA - FTC(ftc.gov).gov
- Drivers Privacy Protection Act(uscode.house.gov).gov
- FTC Begins Enforcing the TAKE IT DOWN Act(ftc.gov).gov
- Complying With the Take It Down Act - Federal Trade Commission(ftc.gov).gov
- TAKE IT DOWN Act - Congress.gov CRS Report(congress.gov).gov