Indiana
INCDPA Consumer Rights: Indiana Data Privacy Rights
Starting January 1, 2026, the Indiana Consumer Data Protection Act (INCDPA) gives Indiana residents five core rights over their personal data under IC 24-15-3-1: to confirm and access it, correct inaccuracies, delete it, obtain a portable copy or summary, and opt out of targeted advertising, the sale of personal data, and profiling. These are the full Virginia-model rights, broader than the limited rights in neighboring Iowa.
A business must respond to a verified request within 45 days under IC 24-15-3-1(c), with one possible 45-day extension. If a controller refuses, it must explain why and offer an appeal, and after an appeal it must point the consumer to the Indiana Attorney General, who is the sole enforcer of these rights.
Jurisdiction scope: This covers Indiana's Consumer Data Protection Act (Indiana Code Article 24-15). It is general legal information, not legal advice.
Who can exercise INCDPA rights
The INCDPA's rights belong to a "consumer," defined in Chapter 2 as a natural person who is an Indiana resident acting only in an individual or household context. A person acting in a commercial or employment context is not a consumer, so the rights do not extend to data about employees, job applicants, or business-to-business contacts.
Under IC 24-15-3-1(a), a consumer invokes one or more rights by submitting a request to the controller that specifies which rights the consumer wishes to invoke. A controller must comply with an authenticated request, subject to the limitations and exceptions elsewhere in the article.
Parents and guardians have a role too. IC 24-15-3-1(a) lets a known child's parent or legal guardian invoke rights on the child's behalf with respect to the processing of the child's personal data. This pairs with the opt-in and COPPA protections for children's data in Chapter 4.
These rights take effect with the rest of the law on January 1, 2026. Before that date, Indiana residents have no statutory right to make INCDPA requests, although many national companies already honor similar requests under other state laws.
The five rights under IC 24-15-3-1
The heart of the law is the rights list in IC 24-15-3-1(b). Indiana grants the full Virginia-model set, which makes it meaningfully broader than the four-right Iowa statute next door.
Right to confirm and access. Under IC 24-15-3-1(b)(1), a consumer may confirm whether a controller is processing the consumer's personal data and access that data, subject to the limitations in the portability subdivision. This is the baseline transparency right.
Right to correct. Under IC 24-15-3-1(b)(2), a consumer may correct inaccuracies in personal data the consumer previously provided, taking into account the nature of the data and the purposes of processing. A controller that receives such a request must correct the inaccurate information. Indiana includes this right, unlike Iowa and Utah, which omit it.
Right to delete. Under IC 24-15-3-1(b)(3), a consumer may delete "personal data provided by or obtained about the consumer." This is broader than Iowa's right, which reaches only data the consumer provided; Indiana's deletion right also captures data the controller gathered from other sources.
Right to data portability. Under IC 24-15-3-1(b)(4), a consumer may obtain either a copy or a representative summary of the personal data the consumer previously provided. The information must be in a portable and, to the extent technically practicable, readily usable format. A controller need not provide it more than once in any 12-month period.
Right to opt out. Under IC 24-15-3-1(b)(5), a consumer may opt out of processing for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. All three opt-outs are available, matching Virginia and exceeding Iowa, which offers only a sale opt-out.
The 45-day response deadline and extension
Once a consumer submits a request, IC 24-15-3-1(c)(1) sets the response clock. A controller must respond "without undue delay, but in any case not later than forty-five (45) days after receipt of the consumer's request."
The controller may extend that window once by an additional 45 days "when reasonably necessary, taking into account the complexity and number of the consumer's requests." To use the extension, the controller must tell the consumer of the extension and the reason within the original 45-day period.
Responses must generally be free. Under IC 24-15-3-1(c)(3), information must be provided free of charge up to once annually per consumer. If requests are manifestly unfounded, excessive, or repetitive, the controller may charge a reasonable fee or decline, but it bears the burden of proving that the request is excessive.
A controller may also decline a request it cannot authenticate. Under IC 24-15-3-1(c)(4), if the controller cannot authenticate the request using commercially reasonable efforts, it is not required to comply and may ask the consumer for additional information to verify identity.
Deletion when data came from a third party
Indiana includes a Virginia-style accommodation for controllers that did not get the data directly from the consumer. Under IC 24-15-3-1(c)(5), a controller that has obtained personal data about a consumer from a source other than the consumer is considered to comply with a deletion request if it does two things.
First, the controller must retain a record of the consumer's deletion request and the minimum data necessary to ensure that the consumer's personal data remains deleted from the controller's records. Second, the controller must not use that retained data for any other purpose.
In practice, this lets a controller honor a deletion request for third-party-sourced data without re-collecting it later by accident. The controller keeps just enough information to remember that the consumer asked for deletion, and may use it only to keep the data suppressed.
This provision matters most for data brokers and companies that buy or license data. It is a narrow safe harbor, not a loophole, and it does not relieve the controller of the duty to actually stop processing the consumer's data.
The appeal process under IC 24-15-3-1(d)
If a controller declines to act on a request, the INCDPA builds in an appeal. Under IC 24-15-3-1(c)(2), when a controller declines to take action, it must inform the consumer of the justification within 45 days and provide instructions for how to appeal.
IC 24-15-3-1(d) requires the controller to establish an appeal process that is conspicuously available and similar to the process for submitting the original request. The consumer may appeal within a reasonable period after receiving the controller's decision.
Not later than 60 days after receiving an appeal, the controller must inform the consumer in writing of any action taken or not taken, including a written explanation of the reasons for the decision. This 60-day appeal window is separate from, and longer than, the 45-day window for the original request.
If the appeal is denied, the controller must give the consumer an online mechanism, if available, or another method to contact the Indiana Attorney General and submit a complaint. That referral is the consumer's route to enforcement, because the INCDPA has no private right of action.
How Indiana rights compare to other states
| Right | Indiana INCDPA | Iowa ICDPA | California CCPA |
|---|---|---|---|
| Confirm and access | Yes (24-15-3-1(b)(1)) | Yes | Yes |
| Correct inaccuracies | Yes (24-15-3-1(b)(2)) | No | Yes |
| Delete | Yes, broad (24-15-3-1(b)(3)) | Provided data only | Yes |
| Data portability | Yes (24-15-3-1(b)(4)) | Yes | Yes |
| Opt out of targeted ads | Yes (24-15-3-1(b)(5)) | No | Yes |
| Opt out of profiling | Yes (24-15-3-1(b)(5)) | No | Limited |
| Response deadline | 45 days | 90 days | 45 days |
Indiana sits at the fuller end of the rights spectrum. It grants every right Virginia grants, including correction and all three opt-outs, while Iowa stops at four narrow rights. California reaches similar ground through a different statutory structure built around limiting the use of sensitive information.
Where Indiana is more business-friendly than the strictest states is on enforcement tools, not on the rights themselves. It declines to mandate a universal opt-out mechanism and provides a permanent 30-day cure period, but the underlying rights an Indiana resident can exercise are robust.
Enforcement: the Attorney General is the only backstop
Indiana residents cannot sue a business directly for an INCDPA violation. The article contains no private right of action, so the only enforcer is the state. Under IC 24-15-10-1, the Indiana Attorney General has exclusive authority to enforce the law.
A consumer's practical path is the complaint mechanism. After a denied appeal, IC 24-15-3-1(d) requires the controller to point the consumer to the Attorney General. The Attorney General can then investigate under Chapter 9 and, if warranted, bring an action under IC 24-15-10-2 seeking an injunction and penalties up to $7,500 per violation.
Before suing, the Attorney General must give the business 30 days to cure under IC 24-15-10-3. If the business cures and provides a written assurance of non-recurrence, no action proceeds. This cure step is permanent and has no sunset, which shapes how quickly an individual complaint can turn into an enforcement action.
Related guides
- Indiana Data Privacy Laws (INCDPA hub)
- What Is the INCDPA? Indiana's Data Privacy Law Explained
- INCDPA Compliance Checklist for Businesses
- US State Privacy Laws Comparison
- What Is the CCPA? California's Privacy Law Explained
Sources
Sources and References
- Indiana Code 24-15-3-1: Personal Data; Consumer Rights; Appeal(iga.in.gov).gov
- Indiana Code Article 24-15: Consumer Data Protection (Full Text)(iga.in.gov).gov
- Indiana Code 24-15-4-1: Controller Responsibilities; Sensitive Data Consent(iga.in.gov).gov
- Indiana Code 24-15-2-28: Definition of Sensitive Data(iga.in.gov).gov
- Indiana Code 24-15-10-1: Attorney General Exclusive Enforcement(iga.in.gov).gov
- Indiana Code 24-15-10-2: Injunction and Civil Penalty(iga.in.gov).gov
- Indiana Code 24-15-10-3: 30-Day Cure Period(iga.in.gov).gov
- Indiana Senate Bill 5 (2023): Consumer Data Protection(iga.in.gov).gov
- Indiana Attorney General: Consumer Protection(in.gov).gov