Indiana Consumer Data Protection Act
The Indiana Consumer Data Protection Act grants residents access, correction, deletion, and opt-out rights and requires consent for sensitive data. It follows the Virginia model, took effect January 1, 2026, and is enforced by the Indiana Attorney General with a permanent cure period.
Indiana Consumer Data Protection Act
The Indiana Consumer Data Protection Act (INCDPA), enacted as Senate Bill 5, is Indiana's comprehensive consumer privacy statute. It has one of the latest effective dates among state laws, taking effect on January 1, 2026, which gave businesses an extended runway to prepare. The law closely tracks the Virginia model.
Who It Applies To
The INCDPA applies to persons that conduct business in Indiana or produce products or services targeted to Indiana residents and that, during a calendar year, control or process the personal data of either 100,000 or more consumers, or 25,000 or more consumers while deriving more than 50 percent of gross revenue from the sale of personal data. The law exempts entities and data covered by HIPAA and the Gramm-Leach-Bliley Act, government entities, and nonprofits.
Key Requirements
Controllers must provide a clear privacy notice, minimize collection, and maintain reasonable data security. Consumers may confirm processing, access, correct, delete, obtain a portable copy, and opt out of targeted advertising, sale, and profiling that produces legal or similarly significant effects. Sensitive data requires opt-in consent. Controllers must conduct and document data protection assessments for higher-risk processing. The INCDPA does not require recognition of universal opt-out signals.
Penalties for Non-Compliance
The Indiana Attorney General has exclusive enforcement authority; there is no private right of action. Civil penalties reach up to 7,500 dollars per violation. The law provides a 30-day cure period before the Attorney General may bring an enforcement action, and that cure period does not sunset.
How to Comply
Confirm whether the thresholds apply to your operations. Publish an accurate privacy notice and implement consumer-request handling within 45 days. Build opt-in consent flows for sensitive data and conduct documented data protection assessments for targeted advertising, sales, sensitive data, and significant profiling. Review and update processor contracts to include required terms.
Relationship to Other Laws
Indiana's close adherence to the Virginia model means organizations already compliant in Virginia need only minor adjustments, chiefly confirming Indiana-specific contact and response handling. Its late January 2026 effective date gave teams ample lead time. Indiana does not require universal opt-out recognition, so the lift is lighter than in Colorado, Connecticut, or Oregon. The permanent 30-day cure period offers useful operational breathing room compared with states that sunset cure rights.
Operational Mechanics
Like its sibling state statutes, this law sets concrete operational requirements that engineering and operations teams must implement. Controllers must respond to a verified consumer rights request without undue delay and within 45 days of receipt, with a single 45-day extension permitted where reasonably necessary given the complexity and volume of requests, provided the consumer is notified of the extension and the reason. Where a controller declines to act, it must inform the consumer of the reason and provide instructions for appealing the decision; the law requires an internal appeal process, and if an appeal is denied the controller must give the consumer a method to contact the state Attorney General to submit a complaint. Controllers may not charge a fee for the first request in a defined period and must establish a secure, reliable means for consumers to submit requests, taking into account the ways consumers normally interact with the controller. Relationships with processors must be governed by a binding contract that sets out processing instructions, confidentiality duties, deletion or return of data at the end of the engagement, and the duty to assist the controller with security, breach response, and assessments. Treating these mechanics as shared platform services, rather than rebuilding them per state, is the most efficient path to durable, multistate compliance.