Indiana State Consumer Privacy Law Summary
Indiana becomes the seventh US state to implement a comprehensive privacy law, the Indiana Consumer Data Protection Act, with effect from the 1st of January 2026, following Iowa, Virginia, Colorado, and Connecticut. The State Governor Eric Holcomb signed on May 1, 2023, a series of regulations which will have a substantial impact on businesses operating in the state. With a wide range of scope, these new rules will address different issues like data collection and sharing, state breaches, and consumer privacy rights.
The law applies to any business with operations in the state or any business that collects personal information of consumers with certain thresholds like the following –
Businesses processing personal data of more than 100,000 consumers in a calendar year.
Businesses processing personal data of more than 25,000 consumers while generating more than 50% of their revenue by selling personal data within a calendar year.
Consumer here refers to the resident of Indiana acting for personal, household, and family purposes. This is different from California Consumer Privacy Act but similar to other privacy laws.
Like the other state privacy laws, the Indiana privacy law also requires that consumers must opt in before companies can begin processing sensitive personal information. Sensitive personal information is defined as data that reveals racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, genetic or biometric data, mental or physical health diagnoses, data collected from a known child, and precise geolocation data. The unique aspect of sensitive information defined in this law compared to other states’ privacy laws is that the health information collected is deemed sensitive only to the extent a healthcare provider makes a diagnosis.
The law also applies to third-party entities that process personal data of the state residents on behalf of covered businesses, requiring every business to ensure that such third parties also comply with the law.
The law does not apply to government organizations (also includes third party entities doing business with such organizations), public utilities, non-profit organizations, and institutions of higher education. Financial institutions, Covered Entities and Business Associates subject to the HIPPA and GLBA are also exempted from this law.
Moreover, the law does not apply the data covered by the existing federal laws like the Patient Safety and Quality Improvement Act, Gramm-Leach-Bliley Act, Fair Credit Reporting Act, Health Care Quality Improvement Act, Fair Credit Reporting Act, Family Educational Rights and Privacy Act, Driver’s Privacy Protection Act, and Farm Credit Act.
The law also does not apply to employment and human research subjects’ data covered under the federal law or any other relevant standards.
The Indiana Attorney General would enforce the law exclusively. As per the law, the Attorney General must first send a written notice to the entities suspected of violating the law, providing a 30-day cure period where the entities must –
Cure a potential violation (if any),
Provide an express written statement to the Attorney General stating that the violations are cured, and appropriate actions would be taken to ensure no violations further.
The attorney general’s office can initiate an action against the entity in case of suspected violation and can seek an injunction restraining the law violations. A civil penalty of up to 7500 USD per each violation can also come into play in case of violations.
The law provides several rights to consumers, including the right to access, right to delete, right to data portability, right to opt out etc. There is a 45-day period to respond to consumer requests, with another 45-day extension under some conditions.
Right to Access
Consumers have the right to confirm if an entity is processing their personal data and to seek access to such data. The law permits covered companies/ entities responding to an access request to release either a copy of the consumer's personal data or a "representative summary" of the same.
Right to Correction
Consumers have the right to place a request to correct any inaccurate information provided to the controllers, based on its nature and purpose.
Controller can be a person or an entity that determines the means and purpose of personal data processing.
Right to Deletion
Consumers can place requests to the controllers to delete their data provided by them or collected by the controllers.
Right to Data Portability
The “representative summary” sent by the controllers should be in a readily usable and portable format, letting the consumers share the same with other controllers. However, the controllers are not required to send the representative summary more than once within a 12-month duration.
Right to Opt-out
Consumers have the right to opt-out of processing their personal data for purposes like sales, targeted advertising, profiling, and selling of data. The term “sale of personal data” is defined as sale for monetary consideration only and does not include sharing for “other valuable consideration.”
Indiana law levies the following obligations to covered entities that collect, share, or use personal data of the state’s residents, regardless of the company’s base.
Controllers are required to limit personal data collection to what is relevant, necessary, and adequate.
Consent needs to be clear, unambiguous, and informed.
Controllers must enforce reasonable physical, technical, and administrative security practices to protect consumers’ personal data.
Consumers must be provided with a meaningful and accessible notice that includes the following information –
Categories of data processed
Purpose of processing personal data
Categories of personal data shared with third parties
The notice should also explain the rights to consumers.
Controllers are also restricted from discriminating against and denying services to consumers exercising their rights.
Data Protection Assessments
Controllers are required to conduct the data protection impact assessments if processing any of the following -
Sale of personal data
Processing sensitive data
Processing personal data for target advertisements
Processing any personal information that presents a heightened risk of harm to consumers.
Personal data processing for profiling purposes – if the action presents risks to consumers.
As per the law, these assessments are applicable to processing activities happening after the 31 of December 2025.
The Indiana Privacy Law aims to provide consumers with better control over their personal data by enhancing privacy regulations and imposing necessary obligations on businesses and other entities accessing such information. Most companies already complying with California, Colorado, Virginia, and other privacy laws should be able to leverage their existing compliance efforts to achieve compliance.