Indiana Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Indiana joined the growing number of states regulating biometric data when the Indiana Consumer Data Protection Act (ICDPA) took effect on January 1, 2026. Signed by Governor Eric Holcomb on May 1, 2023, as Senate Bill 5, the law is codified at Indiana Code Title 24, Article 15 and treats biometric data as a category of sensitive information requiring heightened protections.
Unlike Illinois, which gives individuals the right to sue companies that mishandle biometric data under BIPA, Indiana takes an attorney-general-enforcement-only approach. This makes compliance less litigation-heavy for businesses but gives consumers fewer direct remedies.
For a broader look at Indiana's overall data protection framework, see the parent guide to [Indiana Data Privacy Laws](/us-laws/data-privacy-laws/indiana-data-privacy-laws).
How Indiana Defines Biometric Data
Under IC 24-15-2-4, biometric data means data generated by automatic measurements of an individual's biological characteristics. The statute lists these examples:
- Fingerprints
- Voiceprints
- Images of the retina or iris
- Other unique biological patterns or characteristics
The definition is intentionally broad in its final clause, covering emerging biometric technologies such as palm vein scans or gait analysis if they rely on automatic measurement of biological traits.
What the Definition Excludes
The ICDPA specifically excludes the following from its biometric data definition:
- Physical or digital photographs
- Video recordings
- Audio recordings
- Data generated from photographs, video, or audio recordings
There is an important exception to these exclusions. If a photograph, video, or audio recording is processed specifically to identify a particular individual, the resulting data can qualify as biometric data under the statute. A security camera recording on its own is not biometric data, but running that footage through facial recognition software to identify someone could generate biometric data subject to ICDPA protections.
Biometric Data as Sensitive Data Under the ICDPA
The ICDPA groups biometric data with other categories of sensitive data that receive stronger protections than ordinary personal data. Under IC 24-15-2-17, sensitive data includes:
- Data revealing racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnoses made by a health care provider
- Sexual orientation
- Citizenship or immigration status
- Genetic data
- Biometric data processed to identify a specific individual
- Personal data collected from a known child under age 13
- Precise geolocation data (within a 1,750-foot radius)
The key phrase is "processed to identify a specific individual." Biometric data collected for purposes other than individual identification may not qualify as sensitive data, though it could still constitute personal data under the broader ICDPA framework.

Consent Requirements for Biometric Data
The ICDPA requires businesses to obtain opt-in consent before processing any sensitive data, including biometric data. This means a business cannot collect fingerprints, voiceprints, or iris scans from Indiana consumers unless those consumers affirmatively agree to the collection.
Consent under the ICDPA must be:
- Freely given by the consumer without coercion
- Specific to the processing activity in question
- Informed so the consumer understands what they are agreeing to
- Unambiguous with a clear affirmative act indicating agreement
Pre-checked boxes, bundled consent buried in terms of service, or implied consent through continued use of a service do not meet the ICDPA standard. The consumer must know they are agreeing to biometric data collection and actively choose to allow it.
Who Must Comply
The ICDPA applies to for-profit entities that conduct business in Indiana or produce products or services targeted to Indiana residents and meet one of two thresholds during a calendar year:
- Control or process personal data of at least 100,000 Indiana consumers (excluding data processed solely for payment transactions), or
- Control or process personal data of at least 25,000 Indiana consumers and derive more than 50% of gross revenue from selling personal data
Small and mid-size businesses that fall below these thresholds are not subject to the ICDPA. However, any covered entity that collects biometric data from Indiana residents must comply with the sensitive data consent requirements.
Exemptions
The ICDPA broadly exempts certain entities and data types from its requirements:
- HIPAA-covered entities: Health care providers, health plans, and their business associates are exempt when handling protected health information
- GLBA-regulated entities: Financial institutions already subject to the Gramm-Leach-Bliley Act
- FCRA data: Information governed by the Fair Credit Reporting Act
- FERPA data: Student education records under the Family Educational Rights and Privacy Act
- DPPA data: Driver information under the Driver's Privacy Protection Act
- Employment data: Data processed about individuals acting in a commercial or employment context
The employment data exemption is significant for biometric privacy. Unlike Illinois BIPA, which explicitly covers employer collection of employee biometric data, the ICDPA exempts data collected in an employment context. Indiana employers using fingerprint time clocks or biometric access systems for their employees face fewer restrictions under the ICDPA as a result.
Controller Obligations for Biometric Data
Businesses that qualify as data controllers under the ICDPA must meet several obligations when handling biometric data.
Privacy Notices
Controllers must publish clear, accessible privacy notices that disclose:
- The categories of personal data they process, including whether they collect biometric data
- The purposes for processing each data category
- How consumers can exercise their rights
- Whether data is shared with third parties and which categories of third parties receive it
Data Minimization
Controllers must limit biometric data collection to what is "adequate, relevant, and reasonably necessary" for the disclosed purpose. A business cannot collect fingerprints for identity verification and then use that same data for marketing analytics without additional consent.
Security Requirements
Controllers must implement "reasonable administrative, technical, and physical data security practices" appropriate to the volume and nature of the personal data they process. Biometric data, as sensitive data, warrants stronger security measures than less sensitive categories.
Data Protection Assessments
The ICDPA requires controllers to conduct data protection assessments for processing activities that present a "heightened risk of harm to consumers." Processing sensitive data, including biometric data, triggers this requirement.
The assessment must weigh:
- Benefits that flow from the processing to the controller, the consumer, and the public
- Risks of harm to the consumer, including risks of unfair treatment, unlawful disparate impact, financial injury, physical injury, and intrusion upon privacy
- Any safeguards the controller has in place to mitigate those risks
Assessments are required for processing activities occurring after December 31, 2025.
Processor Contracts
Controllers that share biometric data with processors (third-party service providers) must establish binding contracts that specify the processing purposes, data categories, duration, and consumer rights obligations. Processors must cooperate with controllers on data rights requests and breach notification.
Consumer Rights Over Biometric Data
Indiana consumers have several rights over their personal data, including biometric information, under the ICDPA.
Right to Know and Access
Consumers can confirm whether a controller is processing their personal data and obtain a copy of that data in a portable, readily usable format. This includes biometric data. The right may be exercised no more than once per 12-month period.
Right to Correct
Consumers can request correction of inaccurate personal data, taking into account the nature and purpose of the data processing.
Right to Delete
Consumers can request deletion of personal data that a controller holds about them. This applies to biometric data a business has collected, though certain exceptions allow retention (such as completing a transaction or complying with a legal obligation).
Right to Opt Out
Consumers can opt out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling that produces legal or similarly significant effects.
No Universal Opt-Out Requirement
Unlike some newer state privacy laws, the ICDPA does not require businesses to honor universal opt-out mechanisms such as the Global Privacy Control. Businesses may choose to support GPC voluntarily but are not required to do so.
Enforcement and Penalties

The Indiana Attorney General has exclusive enforcement authority over the ICDPA. There is no private right of action. Individual consumers cannot sue businesses for biometric data violations under this law.
30-Day Cure Period
Before taking action, the Attorney General must provide a written notice identifying the specific provisions allegedly violated. The business then has 30 days to cure the violation. This cure period is permanent under the ICDPA and does not expire or sunset, which is unusual among state privacy laws.
If the business fixes the violation within 30 days, the matter ends. If it does not, the Attorney General may pursue enforcement action.
Civil Penalties

Violations that are not cured carry civil penalties of up to $7,500 per violation. The Attorney General may also seek injunctive relief to stop ongoing violations.
Indiana's Breach Notification Law and Biometric Data
Indiana's Disclosure of Security Breach Act (IC 24-4.9) requires businesses to notify affected individuals and the Attorney General after a data breach. However, the statute defines "personal information" narrowly as a name combined with:
- Social Security number
- Driver's license or state ID number
- Credit card, financial account, or debit card numbers with security codes
Biometric data is not included in this definition. A breach that exposes only fingerprint templates, voiceprints, or iris scans would not trigger notification requirements under IC 24-4.9.
Businesses that notify the Attorney General must email DataBreach@atg.in.gov and include a sample of the notice sent to affected individuals. If more than 1,000 Indiana residents are affected, the business must also notify consumer reporting agencies (Equifax, Experian, and TransUnion).

How Indiana Compares to Other States
Indiana's approach to biometric data sits in the middle of the national spectrum.
Stronger protections exist in:
- Illinois: BIPA provides a private right of action with statutory damages of $1,000 to $5,000 per violation. It covers employee biometric data and has generated billions of dollars in class action settlements.
- Texas: CUBI gives the Attorney General enforcement power with penalties up to $25,000 per violation.
Similar frameworks exist in:
- States with comprehensive privacy laws that classify biometric data as sensitive (Colorado, Connecticut, Virginia, Montana, Oregon, Delaware) follow the same general pattern as Indiana: opt-in consent for sensitive data, AG enforcement, and no private right of action.
Weaker protections exist in:
- States with no comprehensive privacy law and no biometric-specific statute, where biometric data receives no dedicated state-level protection.
The key distinction between Indiana and Illinois is the employment exemption. Illinois BIPA has generated thousands of lawsuits against employers using fingerprint time clocks. Indiana's ICDPA exempts employment-context data, shielding Indiana employers from similar exposure.
Pending Legislation
As of March 2026, no major standalone biometric privacy legislation is pending in the Indiana General Assembly that would create a BIPA-style private right of action or expand biometric protections beyond the ICDPA framework.
The 2026 legislative session has included Senate Bill 76, which amends several areas of Indiana Code including consumer data protection provisions. Businesses should monitor the Indiana General Assembly website at iga.in.gov for any amendments that could expand biometric data coverage or modify enforcement mechanisms.
The ICDPA is still in its first year of enforcement, and the Attorney General's office is building its enforcement track record. Future rulemaking or guidance documents from the AG could clarify biometric data obligations further.
This article provides general legal information about Indiana biometric privacy laws under the ICDPA. It is not legal advice. Laws and regulations change frequently, and this content may not reflect the most recent developments. Consult a qualified attorney licensed in Indiana for advice about your specific situation.