Indiana Consumer Data Protection Act (ICDPA): Complete 2026 Compliance Guide
Indiana’s Privacy Law Is Now in Effect
The Indiana Consumer Data Protection Act (ICDPA), also referred to as the INCDPA, took effect on January 1, 2026. Indiana became the seventh US state to enact a comprehensive consumer data privacy law when Governor Holcomb signed SB 5 in May 2023. The law closely follows the Virginia Consumer Data Protection Act (VCDPA) model, making it relatively straightforward for businesses already compliant with other state privacy laws.
With 21 states now having comprehensive privacy laws, Indiana adds another jurisdiction to the growing patchwork of requirements that businesses must navigate.
Who Does the ICDPA Apply To?
The Indiana Consumer Data Protection Act applies to entities that conduct business in Indiana or produce products or services targeted to Indiana residents, and that during a calendar year meet either threshold:
- Control or process personal data of 100,000 or more Indiana consumers, OR
- Control or process personal data of 25,000 or more Indiana consumers and derive more than 50% of gross revenue from the sale of personal data
These thresholds are identical to those in Virginia, Kentucky, and Oklahoma. Use our Privacy Law Calculator to check whether the ICDPA applies to your business alongside all other state privacy laws.
Who Is Exempt?
The ICDPA exempts several categories of entities and data:
- State and local government bodies
- Nonprofit organizations
- Institutions of higher education
- Entities and data regulated under HIPAA (Health Insurance Portability and Accountability Act)
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Data regulated under FERPA, FCRA, DPPA, and the Farm Credit Act
The exemptions apply at both the entity level and the data level — so a covered entity that also processes HIPAA-regulated data does not need to apply the ICDPA to that specific data.
Consumer Rights Under the ICDPA
Indiana residents have the following rights regarding their personal data:
- Right to confirm and access — confirm whether a controller is processing their personal data and access that data
- Right to correct — request correction of inaccurate personal data
- Right to delete — request deletion of personal data provided by or obtained about the consumer
- Right to data portability — obtain a copy of their personal data in a portable, readily usable format
- Right to opt out of targeted advertising — opt out of the processing of personal data for targeted advertising purposes
- Right to opt out of sale — opt out of the sale of personal data
- Right to opt out of profiling — opt out of profiling in furtherance of decisions that produce legal or similarly significant effects
Controllers must respond to consumer requests within 45 days, with a possible 45-day extension if reasonably necessary. If a request is declined, the controller must provide an appeals process.
Business Obligations
Privacy Notice
Controllers must provide an accessible, clear, and meaningful privacy notice that includes:
- Categories of personal data processed
- Purposes of processing
- How consumers can exercise their rights (including the appeals process)
- Categories of personal data shared with third parties
- Categories of third parties with whom data is shared
Data Minimization
The ICDPA requires controllers to limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes. Businesses must also implement reasonable data retention policies and not keep personal data longer than necessary.
Sensitive Data Consent
Processing sensitive personal data requires the consumer’s opt-in consent. Under the ICDPA, sensitive data includes:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric data used for identification
- Personal data of a known child (under 13)
- Precise geolocation data
Data Protection Assessments
Controllers must conduct and document data protection assessments for processing activities that present a heightened risk of harm to consumers, including targeted advertising, sale of personal data, processing of sensitive data, and profiling.
Processor Contracts
Controllers must have written contracts with their processors that outline the nature and purpose of processing, the type of data subject to processing, the duration of processing, and obligations regarding confidentiality and data deletion or return.
Enforcement and Penalties
The ICDPA is enforced exclusively by the Indiana Attorney General. There is no private right of action.
- Cure period — businesses receive a 30-day notice and opportunity to cure alleged violations
- Penalties — up to $7,500 per violation
- Injunctive relief — the AG can seek injunctions to stop ongoing violations
The cure period is permanent under the current law (it does not sunset), placing Indiana among the more business-friendly privacy regimes. For comparison with other states’ enforcement approaches, use our state comparison tool.
The Indiana AG has released a Consumer Data Privacy Bill of Rights outlining consumer protections and is actively developing enforcement priorities. See our enforcement tracker for the latest state privacy enforcement actions.
How the ICDPA Compares to Other State Laws
The ICDPA follows the Virginia model closely. Key comparisons:
- Thresholds: Same as Virginia, Kentucky, and Oklahoma (100K consumers or 25K + 50% revenue from data sales)
- No universal opt-out requirement: Unlike California, Colorado, Connecticut, and several other states, Indiana does not require businesses to honor universal opt-out mechanisms like GPC. Check your GPC obligations with our GPC Compliance Checker.
- Permanent cure period: More business-friendly than states where the cure period has expired (California, Colorado, Connecticut, Oregon, Virginia)
- Standard consumer rights: Mirrors the rights found in most state privacy laws — access, correct, delete, portability, opt out of sale/targeted advertising/profiling
Step-by-Step Compliance Plan
If the ICDPA applies to your business, follow these steps to ensure compliance:
- Determine applicability — Calculate whether you meet either Indiana threshold: 100,000 or more Indiana consumers, or 25,000 or more Indiana consumers with more than 50% of gross revenue from the sale of personal data. Our calculator can help.
- Map your data — Identify what personal data you collect from Indiana consumers, how it flows through your organization, and who has access.
- Update your privacy notice — Add the required disclosures covering categories, purposes, rights, and third-party sharing.
- Implement consumer rights mechanisms — Set up processes to receive, verify, and respond to access, correction, deletion, and opt-out requests within 45 days.
- Obtain consent for sensitive data — Review your data practices and add opt-in consent flows for any sensitive data processing.
- Conduct data protection assessments — Document risk assessments for high-risk processing activities (targeted advertising, data sales, sensitive data, profiling).
- Review processor agreements — Ensure contracts with vendors and processors include the required provisions.
- Train your team — Ensure employees who handle consumer data or requests understand their obligations under the ICDPA.
For a full breakdown, visit the Indiana compliance checklist.
The Bottom Line
The Indiana Consumer Data Protection Act follows the familiar Virginia model, making compliance relatively manageable for businesses already meeting obligations under similar state laws. With the law now in effect, businesses processing Indiana consumer data should verify compliance immediately. The 30-day cure period offers a safety net, but at $7,500 per violation, waiting is a risk you don’t need to take.
This article provides general educational information and is not legal advice. Consult qualified legal counsel for guidance specific to your organization. Last updated: March 28, 2026.