PrivacyLawMap
IN

Indiana Privacy Law

Indiana Consumer Data Protection Act

Effective: January 1, 2026Active

Overview

The Indiana Consumer Data Protection Act (INCDPA) was signed into law on May 1, 2023, and becomes effective on January 1, 2026. Indiana's law closely follows the Virginia VCDPA framework, providing a moderate set of consumer privacy rights while maintaining a relatively business-friendly approach to enforcement. The INCDPA grants Indiana consumers the right to access, correct, delete, and obtain a portable copy of their personal data, as well as the right to opt out of the sale of personal data, targeted advertising, and profiling. The law includes an appeals process for denied consumer requests, aligning with the Virginia model. Like most state privacy laws modeled after the VCDPA, the INCDPA does not include a private right of action. The law applies to entities conducting business in Indiana or targeting Indiana consumers that control or process personal data of 100,000 or more consumers, or control or process personal data of 25,000 or more consumers while deriving over 50% of gross revenue from the sale of personal data. The INCDPA includes a 30-day cure period and penalties of up to $7,500 per violation, enforced by the Indiana Attorney General.

Applicability Thresholds

Conditions are joined by OR meeting ANY one triggers applicability.

100,000+
Indiana consumers' data processed
25,000+ consumers
AND 50%+ revenue from data sales

Consumer Rights

Right to Access
Right to Delete
Right to Correct
Data Portability
Opt-Out of Sale
Opt-Out of Targeted Ads
Opt-Out of Profiling
Limit Sensitive Data Use
Right to Appeal
Private Right of Action

Key Changes in 2025-2026

  • Law became effective January 1, 2026 — businesses must be in full compliance
  • Indiana AG released a Consumer Data Privacy Bill of Rights outlining consumer protections under the INCDPA
  • Permanent 30-day cure period (does not sunset) — one of the most business-friendly enforcement provisions among state privacy laws
  • Indiana AG developing enforcement priorities and compliance guidance

Enforcement Details

Enforced By
Indiana Attorney General
Penalty Per Violation
$7,500
Cure Period
30 days
Private Right of Action
No — AG enforcement only

Sensitive Data Categories

Consent model: opt-in

Racial or ethnic originReligious beliefsMental or physical health diagnosisSexual orientationCitizenship or immigration statusBiometric data for identification

Universal Opt-Out / GPC Requirements

No Universal Opt-Out Requirement

The INCDPA does not currently require businesses to honor universal opt-out mechanisms such as GPC. Businesses may voluntarily support such signals.

Minor / Child Protections

The INCDPA requires opt-in consent before processing personal data of known children under 13. For consumers aged 13-17, businesses must obtain consent before processing data for targeted advertising or sale of personal data.

Compliance Checklist

  1. 1Assess whether your organization meets the INCDPA applicability thresholds
  2. 2Update privacy notices to include all INCDPA-required disclosures about data processing and consumer rights
  3. 3Implement opt-out mechanisms for data sales, targeted advertising, and profiling
  4. 4Obtain opt-in consent before processing sensitive personal data
  5. 5Establish consumer rights request processes with a 45-day response window
  6. 6Create an appeals process for denied consumer rights requests
  7. 7Review data processor agreements to include INCDPA-mandated provisions

Indiana Privacy Law FAQ

Official Resources

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.