INCDPA Compliance Checklist for Indiana Businesses

A business complies with the Indiana Consumer Data Protection Act (INCDPA) by confirming it meets the IC 24-15-1-1 thresholds, publishing a privacy notice that covers the elements in IC 24-15-4-3, obtaining opt-in consent before processing sensitive data, building a consumer-request and appeal workflow, conducting data protection assessments for high-risk processing, and signing data processing agreements with every processor. The law takes effect January 1, 2026, the longest runway any state has given.
As of 2026, enforcement is the Indiana Attorney General's alone under IC 24-15-10. A controller gets a 30-day cure period under IC 24-15-10-3 that has no sunset, but each uncured violation can draw a civil penalty of up to $7,500 under IC 24-15-10-2. There is no private right of action.
Jurisdiction scope: This covers Indiana's Consumer Data Protection Act (Indiana Code Article 24-15). It is general legal information, not legal advice.
Step 1: Confirm whether the INCDPA applies
The first task is the applicability test in IC 24-15-1-1. The law reaches a person that conducts business in Indiana, or produces products or services targeted to Indiana residents, that during a calendar year controls or processes personal data of at least 100,000 Indiana consumers, OR at least 25,000 Indiana consumers while deriving more than 50% of gross revenue from the sale of personal data.
Count carefully. A "consumer" is an Indiana resident acting in an individual or household context, so employees, job applicants, and business-to-business contacts do not count. Many mid-sized businesses fall below the 100,000-consumer threshold and outside the law entirely.
Then check the entity exemptions in IC 24-15-1-1. The article does not apply to the state and its agencies and political subdivisions, GLBA-covered financial institutions, HIPAA covered entities and business associates, nonprofit organizations, or institutions of higher education. If a full entity exemption applies, the analysis can end there.
Finally, review the data exemptions in IC 24-15-1-2 for data already regulated by HIPAA, the Fair Credit Reporting Act, the Driver's Privacy Protection Act, FERPA, the Farm Credit Act, and COPPA. A covered business may still need a program for its non-exempt data even if much of its data is carved out.
Step 2: Write a compliant privacy notice
Covered controllers must publish a privacy notice. IC 24-15-4-3 requires a reasonably accessible, clear, and meaningful notice that includes five elements, and a notice that omits any of them is non-compliant.
The notice must disclose: the categories of personal data the controller processes; the purpose for processing; how consumers may exercise their rights under Chapter 3, including how to appeal a controller's decision; the categories of personal data the controller shares with third parties, if any; and the categories of third parties with whom it shares personal data.
Because the INCDPA mirrors Virginia, a business that already maintains a VCDPA-compliant notice can usually adapt it for Indiana with minimal changes. The required elements are nearly identical.
Separately, IC 24-15-4-4 imposes an opt-out disclosure. If the controller sells personal data or uses it for targeted advertising, it must clearly and conspicuously disclose that activity and the manner in which a consumer may opt out. This disclosure is distinct from the general privacy notice and should be unmistakable.
Step 3: Handle sensitive data with opt-in consent
Indiana takes the stricter, opt-in route to sensitive data. Under IC 24-15-4-1(5), a controller "shall not process sensitive data concerning a consumer without obtaining the consumer's consent." There is no notice-and-opt-out alternative as there is in Iowa or Utah.
Sensitive data is defined in IC 24-15-2-28. It includes personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, plus genetic or biometric data used to uniquely identify a person, data collected from a known child, and precise geolocation data within a 1,750-foot radius.
For a known child, IC 24-15-4-1(5) requires the controller to process the data in accordance with the federal Children's Online Privacy Protection Act rather than relying on ordinary consent. Build a consent flow that captures, records, and can later prove opt-in for each sensitive-data use.
Map your data first. Many businesses discover they collect sensitive data, such as precise location or health-related fields, without a consent mechanism. Identifying those flows before January 1, 2026 is the practical core of this step.

Step 4: Build the consumer-request and appeal workflow
A covered controller must be able to receive and fulfill the five rights in IC 24-15-3-1: confirm and access, correct, delete, portability, and the three opt-outs. Stand up secure intake channels and an identity-verification process before the effective date.
Meet the deadlines. Under IC 24-15-3-1(c)(1), respond within 45 days, with one optional 45-day extension that you must announce within the first 45 days. Under IC 24-15-3-1(c)(3), provide information free up to once a year per consumer, charging only for manifestly excessive requests, and only when you can prove the request is excessive.
Build the appeal process. IC 24-15-3-1(d) requires a conspicuous appeal mechanism, similar to the request mechanism, with a written decision within 60 days. If you deny an appeal, you must give the consumer a way to contact the Indiana Attorney General to submit a complaint.
Remember the third-party-data accommodation. Under IC 24-15-3-1(c)(5), if you obtained data from a source other than the consumer, you comply with a deletion request by retaining only a record of the request and the minimum data needed to keep the consumer's data suppressed, and using it for no other purpose.
Step 5: Run data protection impact assessments
Indiana requires data protection impact assessments for higher-risk processing. IC 24-15-6-1 lists the activities that trigger an assessment, and the requirement applies to processing activities created or generated after December 31, 2025.
A controller must conduct and document an assessment for: processing for targeted advertising; the sale of personal data; profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, financial or physical or reputational injury, intrusion on solitude, or other substantial injury; the processing of sensitive data; and any processing that presents a heightened risk of harm to consumers.
Each assessment must weigh the benefits of the processing against the risks to the consumer, as mitigated by safeguards, and must factor in de-identification, consumer expectations, and the context of the controller-consumer relationship. A single assessment may cover a comparable set of similar processing operations.
An assessment done for another law or regulation can satisfy the INCDPA if it has a reasonably comparable scope and effect, so a GDPR or VCDPA assessment can often be reused. Keep these assessments because the Attorney General can require disclosure during an investigation.

Step 6: Put processor contracts in place
The INCDPA distinguishes controllers from processors and requires a contract between them, following the Virginia template in Chapter 5. A processor that handles personal data on a controller's behalf must do so under a binding agreement.
That contract must set out processing instructions, the nature and purpose of processing, the type of data, the duration, and the rights and obligations of both parties. It should also bind the processor to confidentiality, to assisting the controller in responding to consumer requests, to deleting or returning data at the end of the engagement, and to flowing the same terms down to any subcontractors.
Inventory every vendor that touches Indiana-resident personal data: cloud hosts, analytics providers, marketing platforms, and support tools. Each needs a data processing agreement that satisfies Chapter 5 before the engagement continues past the effective date.
Misclassifying a processor as a mere vendor is a common gap. If a service provider determines the purposes and means of processing, it may itself be a controller with independent duties, which changes the contract and the compliance posture.
Step 7: Plan for enforcement and the 30-day cure
The INCDPA is enforced by the Indiana Attorney General alone. IC 24-15-10-1 grants exclusive enforcement authority, and Chapter 9 gives the Attorney General investigative tools, including the ability to compel information.
The penalty exposure is set by IC 24-15-10-2: an injunction plus a civil penalty up to $7,500 for each violation, and the Attorney General may recover reasonable investigation and litigation expenses. There is no private right of action, so the risk is regulatory rather than class-action driven.
Indiana provides a permanent cure period. Under IC 24-15-10-3, before initiating an action the Attorney General must give 30 days' written notice identifying the specific provisions allegedly violated. If the controller cures within 30 days and provides an express written statement that the violation is cured and that steps were taken to prevent recurrence, the Attorney General "shall not initiate an action." Unlike several states whose cure rights expire, Indiana's has no sunset, so the cure opportunity remains available indefinitely.
INCDPA compliance at a glance
| Requirement | Indiana INCDPA citation | Key point |
|---|---|---|
| Applicability | IC 24-15-1-1 | 100,000 consumers, or 25,000 plus 50% sale revenue |
| Privacy notice | IC 24-15-4-3 | Five required disclosure elements |
| Sensitive data | IC 24-15-4-1(5) | Opt-in consent; COPPA for children |
| Opt-out disclosure | IC 24-15-4-4 | Disclose sale and targeted-ad opt-outs; no UOOM mandate |
| Consumer requests | IC 24-15-3-1(c) | 45-day response, one 45-day extension |
| Appeals | IC 24-15-3-1(d) | 60-day decision; route to Attorney General |
| Assessments | IC 24-15-6-1 | Required for high-risk processing |
| Enforcement | IC 24-15-10 | AG only; 30-day cure; up to $7,500 per violation |
Sources and References
- Indiana Code 24-15-1-1: Applicability and Entity Exemptions (iga.in.gov)
- Indiana Code 24-15-4-3: Privacy Notice Requirements (iga.in.gov)
- Indiana Code 24-15-4-1: Controller Responsibilities; Sensitive Data Consent (iga.in.gov)
- Indiana Code 24-15-4-4: Opt-Out Disclosure for Sale and Targeted Advertising (iga.in.gov)
- Indiana Code 24-15-3-1: Consumer Requests, Response Deadlines, and Appeals (iga.in.gov)
- Indiana Code 24-15-6-1: Data Protection Impact Assessments (iga.in.gov)
- Indiana Code 24-15-10-2: Injunction and Civil Penalty (iga.in.gov)
- Indiana Code 24-15-10-3: 30-Day Cure Period (iga.in.gov)
- Indiana Code Article 24-15: Consumer Data Protection (Full Text) (iga.in.gov)
- Indiana Attorney General: Consumer Protection (in.gov)