What Is the INCDPA? Indiana's Data Privacy Law

The Indiana Consumer Data Protection Act (INCDPA) is Indiana's comprehensive consumer data privacy law, codified at Indiana Code Article 24-15 (Chapters 1 through 11). The legislature passed it as Senate Bill 5, Governor Eric Holcomb signed it on May 1, 2023, and it takes effect January 1, 2026. It gives Indiana residents a full Virginia-style set of rights over their personal data while tracking the controller and processor framework that most state laws now share.
As of 2026, the Indiana Attorney General holds exclusive authority to enforce the INCDPA under IC 24-15-10-1, with civil penalties up to $7,500 per violation. Before any action, a controller gets a 30-day window to cure the alleged violation under IC 24-15-10-3, and that cure right has no sunset date. There is no private right of action.
Jurisdiction scope: This covers Indiana's Consumer Data Protection Act (Indiana Code Article 24-15). It is general legal information, not legal advice.
What the INCDPA is: statute, enactment, and effective date
The Indiana Consumer Data Protection Act is Indiana's first comprehensive consumer data privacy law. It is codified at Indiana Code Article 24-15, which runs from Chapter 1 (Applicability) through Chapter 11 (Preemption; Other Laws), with the definitions in Chapter 2, consumer rights in Chapter 3, controller duties in Chapter 4, and enforcement in Chapter 10.
The legislature passed it as Senate Bill 5 during the 2023 session, and Governor Eric Holcomb signed it on May 1, 2023. Each section of the article carries the effective-date notation "Section effective January 1, 2026," confirming a delayed start built directly into the text.
That timing is the law's single most distinctive feature. Indiana gave covered businesses roughly two and a half years between signing and effect, the longest runway of any state privacy law in the country. Where Virginia, Colorado, and Connecticut all moved from signing to effect in well under two years, Indiana deliberately pushed its start date to January 1, 2026.
When it enacted SB 5, Indiana became the seventh state to pass a broad consumer privacy law, following California, Virginia, Colorado, Connecticut, Utah, and Iowa. The INCDPA sits in the Virginia lineage rather than the California one, using the same controller and processor vocabulary and the same opt-out-rights structure.
The Virginia clone: why Indiana modeled the VCDPA
Commentators consistently describe the INCDPA as a close copy of Virginia's Consumer Data Protection Act (VCDPA). The two statutes share the same coverage thresholds, the same five-part rights list, the same opt-in treatment of sensitive data, and the same enforcement-by-attorney-general design.
That lineage matters for compliance. A business that already built a VCDPA program can largely reuse it for Indiana, because the substantive duties line up almost section for section. The privacy notice elements, the appeal process, and the data protection assessment triggers are all recognizably Virginia in origin.
Indiana did make its own choices on a few numbers. The cure period is 30 days, the same length as Virginia's original 30-day period, but where Virginia's later sunset, Indiana's cure right is permanent with no expiration date. The effective date, January 1, 2026, is also far later than Virginia's January 1, 2023 start.
The practical takeaway is that the INCDPA is a mainstream, middle-of-the-road state privacy law. It is neither the strictest (California, Colorado) nor the most business-friendly (Iowa, Utah), and the Virginia template is the best mental model for understanding it.

Who the INCDPA covers: the IC 24-15-1-1 thresholds
The applicability test in IC 24-15-1-1 controls who must comply. The article applies to a person that conducts business in Indiana, or produces products or services targeted to Indiana residents, that during a calendar year meets either of two thresholds.
First, the business "controls or processes personal data of at least one hundred thousand (100,000) consumers who are Indiana residents." Second, the business "controls or processes personal data of at least twenty-five thousand (25,000) consumers who are Indiana residents and derives more than fifty percent (50%) of gross revenue from the sale of personal data."
A "consumer" is defined in Chapter 2 as a natural person who is an Indiana resident acting only in an individual or household context. The definition excludes a person acting in a commercial or employment context, so business-to-business contacts and employees do not count toward the thresholds.
Indiana does not pair its data thresholds with a separate revenue floor. A business clears the test by hitting the 100,000-consumer mark, or the 25,000-consumer-plus-data-sales mark, regardless of total revenue. Small businesses below those data volumes fall outside the INCDPA entirely.
Exemptions under IC 24-15-1-1 and IC 24-15-1-2
Even among businesses that clear the threshold, Chapter 1 removes whole categories of organizations and data from the law's reach. These exemptions are both entity-based and data-based, tracking the pattern set by Virginia and the other state laws.
On the entity side, IC 24-15-1-1 provides that the article does not apply to the state, a state agency, or a political subdivision; a financial institution or data subject to Title V of the federal Gramm-Leach-Bliley Act; a covered entity or business associate governed by HIPAA and its regulations at 45 CFR Parts 160 and 164; a nonprofit organization; or an institution of higher education. The nonprofit and higher-education carve-outs are full entity exemptions, so charities and universities generally fall outside the law even when they hold large volumes of Indiana-resident data.
On the data side, IC 24-15-1-2 excludes protected health information under HIPAA, patient identifying information, human-subjects research data, and information regulated by federal laws such as the Fair Credit Reporting Act, the Driver's Privacy Protection Act, the Family Educational Rights and Privacy Act, and the Farm Credit Act. Employment-related data and data processed under the federal Children's Online Privacy Protection Act are also carved out.
The practical upshot is that banks, credit unions, hospitals, schools, and state agencies generally operate outside the INCDPA as to the data those federal laws already govern. Indiana's exemption list is broad and closely matches Virginia's.
The opt-in sensitive-data rule and the no-UOOM choice
Indiana takes the stricter, opt-in approach to sensitive data. Under IC 24-15-4-1(5), a controller "shall not process sensitive data concerning a consumer without obtaining the consumer's consent," and for a known child must instead process the data in accordance with the federal Children's Online Privacy Protection Act.
That is opt-in consent, the same approach Virginia, Colorado, Connecticut, and most other states use, and the opposite of the notice-and-opt-out model in Utah and Iowa. Sensitive data is defined in IC 24-15-2-28 to include personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, plus genetic or biometric data used to uniquely identify a person, personal data collected from a known child, and precise geolocation data locating an individual within a 1,750-foot radius.
On opt-out signals, Indiana made the business-friendly choice. IC 24-15-4-4 requires a controller that sells personal data or uses it for targeted advertising to "clearly and conspicuously disclose" that activity and how a consumer may opt out, but the statute does not require the controller to recognize a universal opt-out mechanism. There is no obligation to honor Global Privacy Control or similar browser-level signals, a duty that Colorado, Connecticut, and several other states do impose.

Enforcement, the 30-day cure, and no private right of action
The INCDPA is enforced through the Attorney General alone. IC 24-15-10-1 provides that "the attorney general has exclusive authority to enforce the provisions of this article," backed by the investigative authority in Chapter 9.
Under IC 24-15-10-2, the Attorney General may initiate an action in the name of the state, seek an injunction to restrain violations, and recover a civil penalty "not to exceed seven thousand five hundred dollars ($7,500) for each violation." The Attorney General may also recover reasonable investigation and litigation expenses.
Before filing, IC 24-15-10-3 requires the Attorney General to give the controller or processor 30 days' written notice identifying the specific provisions allegedly violated. If the business cures the violation within that window and provides an express written statement that the violation has been cured and that steps have been taken to prevent recurrence, the Attorney General "shall not initiate an action." Unlike several states whose cure rights expire, Indiana's 30-day cure has no sunset and is a permanent feature of the law. The article contains no private right of action, so individual Indiana residents cannot sue a business directly under the INCDPA.
INCDPA vs. CCPA: the key differences
Companies operating nationally often compare Indiana's law to California's CCPA. Our state data privacy law comparison page covers the full multistate picture, but a few distinctions between the INCDPA and California's CCPA matter most.
| Feature | Indiana INCDPA (Art. 24-15) | California CCPA |
|---|---|---|
| Statutory model | Virginia VCDPA clone | California sui generis |
| Sensitive data | Opt-in consent (24-15-4-1(5)) | Right to limit use |
| Universal opt-out signal | Not required (24-15-4-4) | Required (GPC) |
| Response window | 45 days (24-15-3-1(c)) | 45 days |
| Cure period | 30 days, permanent (24-15-10-3) | None as of 2023 |
| Private right of action | None | Limited, for data breaches |
Model and rights. The INCDPA follows the Virginia template, granting access, correction, deletion, portability, and three opt-outs under IC 24-15-3-1. California's CCPA uses a different structure built around a right to limit the use of sensitive personal information and a right to opt out of sharing for cross-context behavioral advertising.
Opt-out signals. California requires businesses to honor opt-out preference signals such as Global Privacy Control. Indiana does not; IC 24-15-4-4 only requires disclosure of how to opt out, leaving universal-signal recognition voluntary.
Remedies. California retains a limited private right of action for certain data breaches, with statutory damages. The INCDPA has no private right of action at all; under IC 24-15-10, only the Indiana Attorney General may enforce.
Sources and References
- Indiana Code Article 24-15: Consumer Data Protection (Full Text) (iga.in.gov)
- Indiana Code 24-15-1-1: Applicability to Persons; Exceptions (iga.in.gov)
- Indiana Code 24-15-1-2: Exempt Information and Data (iga.in.gov)
- Indiana Code 24-15-2-28: Definition of Sensitive Data (iga.in.gov)
- Indiana Code 24-15-3-1: Personal Data; Consumer Rights (iga.in.gov)
- Indiana Code 24-15-4-1: Responsibilities of Controller; Sensitive Data Consent (iga.in.gov)
- Indiana Code 24-15-4-4: Opt-Out Disclosure for Sale and Targeted Advertising (iga.in.gov)
- Indiana Code 24-15-10: Enforcement and Penalties (iga.in.gov)
- Indiana Senate Bill 5 (2023): Consumer Data Protection (iga.in.gov)
- Indiana Attorney General: Consumer Protection (in.gov)