Indiana Consumer Data Protection Act

The Indiana Consumer Data Protection Act (“INCDPA”) is a state law that provides residents of Indiana rights when interacting with businesses that collect, use, and sell their personal data.

History

2023

Governor Eric Holcomb signed the Indiana Consumer Data Protection Act (“INCDPA”), Senate Bill 5, into law on May 1, 2023.

2026

The INCDPA went into effect on January 1, 2026.

Scope

Who

The Indiana Consumer Data Protection Act (“INCDPA”) is intended to protect personal data of consumers. Under the INCDPA, "consumer" means an Indiana resident acting in a personal, family, or household context.1

The INCDPA applies to persons that conduct business in Indiana or produce products or services that are targeted to residents of Indiana and, during a calendar year, do one or more of the following2:

  • control or process personal data of at least 100,000 Indiana residents, or
  • control or process personal data of at least 25,000 Indiana residents and derive more than 50% of gross revenue from the sale of personal data.

The INCDPA distinguishes between controllers and processors.3 A controller is an entity that alone, or jointly with others, determines the purposes and means for processing personal data.4 A processor is an entity that processes personal data on behalf of a controller.5

Processing means any operation performed on personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.6

The INCDPA imposes restrictions and obligations on the controller-processor relationship. Processors must follow the controller's instructions for processing personal data and implement appropriate controls to protect it.7 Contracts between controllers and processors must include the following8:

  • the types of personal data to be processed,
  • instructions for processing the personal data,
  • the purpose for processing the personal data,
  • a duty of confidentiality, meaning the data is protected from disclosure to or access by unauthorized parties,
  • an obligation to delete or return personal data upon the controller’s request,
  • the ability to demonstrate compliance with the contractual requirements,
  • the right for the controller to engage an independent third party to assess the processor’s technical and organizational measures related to the protection of personal data, and
  • requirements governing the processor’s use of subcontractors, who must be bound by written contract to the same obligations as the processor.

What

Personal Data

The INCDPA regulates how companies can collect, use, and share personal data. “Personal data” means information that is linked or reasonably linkable to an identified or identifiable person, subject to some exceptions.9

Sensitive Data

The INCDPA provides additional protections for sensitive data, a subcategory of personal data. Because misuse of sensitive data can lead to discrimination, financial loss, identity theft, or reputational damage, the INCDPA treats it differently from other personal data.

Sensitive data includes:10

  • racial or ethnic origin,
  • religious beliefs,
  • mental or physical health diagnosis made by a healthcare provider,
  • sexual orientation,
  • citizenship or immigration status,
  • genetic or biometric data that is processed for the purpose of uniquely identifying an individual,
  • personal data of children (someone younger than 13 years of age), and
  • precise geolocation data (information that directly identifies the specific location of a person within a radius of 1,750 feet).

Exemptions

Exempt Entities

The INCDPA does not apply to the following entities11:

  • the state, state agencies, and any body, authority, board, bureau, commission, district or agency of any political subdivision of Indiana, or persons who have entered into contracts with such entities,
  • nonprofit organizations,
  • higher education institutions,
  • financial institutions subject to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.,
  • covered entities or business associates as defined in the Health Insurance Portability and Accountability Act (HIPAA),
  • any public utility (as defined in Indiana Code 8-1-2-1(a)) or service company affiliated with a public utility, such as entities that provide electricity, natural gas, or water, and
  • 501(c)(4) organizations established to detect or prevent insurance-related crime or fraud and operating under a memorandum of understanding with a statewide law enforcement agency.

Exempt Data

The following types of data are exempt from the INCDPA12:

  • Protected health information under the Health Insurance Portability and Accountability Act (HIPAA),
  • patient identifying information for the purposes of 42 U.S.C. § 290dd-2, which covers the confidentiality of substance use disorder patient records,
  • identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. Part 46, which governs research involving human subjects,
  • identifiable private information that is collected as part of human subjects research pursuant to the “Good Clinical Practice” guidelines issued by The International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or for the protection of human subjects under 21 C.F.R. Parts 50 and 56, which govern research involving human subjects,
  • information and documents created for purposes of the Health Care Quality Improvement Act of 1986 (42 U.S.C. § 11101 et seq.),
  • patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act (42 U.S.C. § 299b-21 et seq.),
  • health care information listed above that has been deidentified under HIPAA standards,
  • information that originates from, is intermingled with, or is treated the same as the exempt health information above, when held by a HIPAA covered entity or business associate,
  • information used for public health activities and purposes as authorized by HIPAA,
  • collection, maintenance, disclosure, sale, communication, or use of personal data bearing on a consumer's credit worthiness to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.),
  • personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994 (18 U.S.C. § 2721 et seq.),
  • personal data regulated by the federal Family Educational Rights and Privacy Act (20 U.S.C. § 1232g et seq.),
  • personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act (12 U.S.C. § 2001 et seq.),
  • data processed or maintained for applications for employment purposes or in acting as a contractor of a controller or processor, to the extent such data is used within the context of that role,
  • emergency contact information used for emergency contact purposes in an employment or contractor setting, and
  • data necessary to administer benefits in an employment or contractor setting.

Deidentified Data

The INCDPA includes an exemption for deidentified data.13

Deidentified data is data that cannot reasonably be linked to an identified or identifiable individual.14 Controllers processing deidentified data must15:

  • take reasonable measures to ensure that the data is deidentified and cannot be linked to an individual,
  • publicly commit to not attempt to reidentify the data, and
  • contractually obligate recipients to not attempt to reidentify the data.

Publicly Available Data

The INCDPA does not apply to publicly available information.16 Publicly available information is information that is17:

  • lawfully made available through government records or widely distributed media, or
  • lawfully made available to the general public by the data subject or a person to whom the data subject has disclosed the information.

Pseudonymous Data

Pseudonymous data is data that cannot be attributed to a specific individual without the use of additional information, provided that the additional information is kept separately.18 A controller need not honor a consumer's rights to know, correct, delete, or obtain a copy of pseudonymous data if the controller can demonstrate that the information needed to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing it.19 A controller that can reach the re-identification key on its own, or that keys records on an unkeyed hash of a guessable identifier such as an email address, does not meet that bar.
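As an added illustration (not part of the INCDPA text or any Indiana guidance), the following Python sketch shows one way a controller might satisfy the "kept separately" condition: direct identifiers are replaced by an HMAC-SHA256 token whose key lives with a separate custodian, so the analytics side can link records to each other but cannot attribute them to a person. The record fields, key bytes, and the `DIRECT_IDENTIFIERS` set are assumptions constructed for the example.

```python
"""Added example, not from the INCDPA or any official source: pseudonymization
with the re-identification key held by a separate custodian. All records,
keys and field names are constructed for illustration."""
import hashlib
import hmac
import secrets
from typing import Iterable, List, Optional

# Assumed set of direct identifiers to strip; a real schema would be reviewed.
DIRECT_IDENTIFIERS = ("email", "name")


class KeyCustodian:
    """Holds the pseudonymization key. In a deployment this would be a separate
    service (or HSM) that the analytics controller has no credentials for."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key or secrets.token_bytes(32)

    def pseudonym(self, identifier: str) -> str:
        # Keyed HMAC token: deterministic per identifier (records stay linkable
        # within the dataset) but not computable without the key.
        normalized = identifier.strip().lower().encode()
        return hmac.new(self._key, normalized, hashlib.sha256).hexdigest()

    def reidentify(self, token: str, candidates: Iterable[str]) -> Optional[str]:
        # There is no decryption; the custodian can only recompute tokens for
        # identifiers it already knows and compare in constant time.
        for cand in candidates:
            if hmac.compare_digest(self.pseudonym(cand), token):
                return cand
        return None


def pseudonymize(record: dict, custodian: KeyCustodian) -> dict:
    """Return a copy of the record with direct identifiers replaced by one token."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_token"] = custodian.pseudonym(record["email"])
    return out


def contains_direct_identifier(record: dict) -> bool:
    """Check to run before calling a dataset pseudonymous."""
    return any(k in record for k in DIRECT_IDENTIFIERS)


def can_link_rights_request(dataset: List[dict], email: str,
                            custodian: Optional[KeyCustodian]) -> bool:
    """Whether a holder of the dataset can tie a consumer's request to a record.
    Without custodian access the holder cannot (the data is pseudonymous in its
    hands); with it, the holder can, and the exemption no longer applies."""
    if custodian is None:
        return False
    token = custodian.pseudonym(email)
    return any(r.get("subject_token") == token for r in dataset)


def unkeyed_hash(identifier: str) -> str:
    """Contrast case: an unkeyed hash of a low-entropy identifier is reversible
    by anyone who can guess the input, so it adds no separation."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


if __name__ == "__main__":
    custodian = KeyCustodian()
    raw = [  # constructed sample records
        {"email": "A.Smith@example.com", "name": "A. Smith", "zip": "46204", "spend": 42.0},
        {"email": "bob@example.com", "name": "Bob", "zip": "47401", "spend": 7.5},
    ]
    dataset = [pseudonymize(r, custodian) for r in raw]
    print(dataset)
    print("analytics side can link:", can_link_rights_request(dataset, "a.smith@example.com", None))
    print("custodian can link:", can_link_rights_request(dataset, "a.smith@example.com", custodian))
```

The deciding property is who can call `pseudonym`: if the controller's own systems can reach the key, the data is not pseudonymous with respect to that controller, regardless of how the tokens were generated.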

Rights

Consumers have several rights under the INCDPA20:

  • Right to Know,
  • Right to Correct,
  • Right to Delete,
  • Right to Opt-Out,
  • Right to Opt-In to the Processing of Sensitive Data, and
  • Right to Not Be Discriminated Against.

Right to Know

Consumers have the right to know whether a controller is processing their personal data and what personal data is being processed about them.21 This includes the right to obtain a copy of their data in a portable format the consumer can transmit to another controller.22

Controllers must also disclose related information in their privacy notice, which must include23:

  • the categories of personal data processed by the controller,
  • the purpose for processing personal data,
  • how consumers can exercise their rights,
  • the categories of personal data that the controller shares with third parties,
  • the categories of third parties with whom the controller shares personal data, and
  • a mechanism the consumer can use to submit a request to exercise their rights.

Right to Correct

Consumers have the right to request that a controller correct inaccuracies in the consumer’s personal data.24

Right to Delete

Consumers have the right to request that a controller delete any personal data provided by the consumer or obtained about the consumer.25

Right to Opt Out

Consumers have the right to opt out of a controller processing their personal data for the purpose of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.26

Targeted advertising is the display of ads to a consumer selected based on personal data the controller has obtained over time and across nonaffiliated websites or online applications, used to predict the consumer’s preferences or interests.27 Targeted advertising does not include28:

  • advertisements based on activities within a controller's own or affiliated websites or online applications,
  • advertisements based on the context of a consumer's current search query or current visit to a website or online application,
  • advertisements directed to a consumer in response to the consumer's request for information or feedback, or
  • personal data processed solely for measuring or reporting advertising performance.

Sale of data is the exchange of personal data with a third party for money.29 Sale does not include30:

  • the disclosure of personal data to a processor that processes the personal data on behalf of the controller,
  • the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer,
  • the disclosure or transfer of personal data to an affiliate of the controller or that is made as part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets, or
  • the disclosure of information that the consumer intentionally made available to the general public or has not been restricted to a specific audience.

Profiling is automated processing of personal data to evaluate, analyze, or predict a consumer’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.31

Right to Opt In for Sensitive Data

Controllers may not process sensitive data without obtaining consent from the consumer.32 Accordingly, the consumer has the right to not have their sensitive data processed unless they have opted into such processing.33

Consent must be34:

  • freely given, meaning the consent is given voluntarily,
  • specific, meaning the consent is given for a clearly defined purpose,
  • informed, meaning the data subject is provided an explanation of how the data will be processed, and
  • unambiguous, meaning it is clear the data subject has consented (e.g., by clicking “I agree”).

Indiana's opt-in standard for sensitive data is stricter than California's opt-out approach, which gives consumers a right to limit the use of sensitive personal information after the fact: under the INCDPA, controllers must obtain consent before processing begins.

Right to Not Be Discriminated Against

Consumers have the right for their personal data to not be processed in violation of state and federal laws that prohibit unlawful discrimination.35 Consumers also have the right to not be discriminated against by a controller for exercising their consumer rights.36 A controller cannot deny goods or services, charge different prices or rates for goods or services, or provide a different level of quality of goods and services to the consumer because that consumer exercised their INCDPA rights.37

However, the INCDPA does not prevent a controller from offering different prices, rates, levels, qualities, or selections of goods or service if such difference is unrelated to the consumer’s assertion of their consumer rights.38

Exercising Rights

A consumer may exercise their rights to know, correct, delete, or opt out under the INCDPA by submitting a request to the controller that specifies the right they wish to invoke.39

Within the controller’s privacy notice, the controller must describe one or more means by which a consumer can submit a request to exercise their consumer rights.40 This mechanism cannot require the creation of a new account to exercise the consumer’s rights.41

A controller must respond to the consumer's request within 45 days of receipt and may request additional information needed to authenticate the consumer and their request.42 If reasonably necessary due to the complexity or quantity of consumer requests, the controller may extend the response period once by an additional 45 days, so long as the controller notifies the consumer within the initial 45-day period of the extension and provides a reason for it.43

A controller must provide the information free of charge, up to one time per year.44 If a consumer’s requests are unfounded, excessive, or repetitive, the controller may charge a reasonable administrative fee or refuse to act on the request.45 A controller may also refuse the request if they cannot reasonably authenticate the consumer.46

Controllers must establish an appeals process for a consumer to appeal any refusal by the controller to take action on a request.47 If an appeal is denied, the controller must also provide the consumer with a mechanism for the consumer to contact the attorney general’s office to submit a complaint.

Enforcement

The Attorney General of Indiana has sole authority to enforce the provisions of the INCDPA, and there is no private right of action for consumers.48 Before initiating an enforcement action, the Attorney General must provide the subject of their investigation with a written explanation of each allegation and an opportunity to cure the violation within 30 days.49 If the violation is not cured, penalties may include an injunction related to any violations and civil penalties of up to $7,500 per violation.50 The Attorney General may also recover reasonable expenses incurred during the investigation and in preparing the case, such as attorney’s fees.51

Notes

  1. Ind. Code § 24-15-2-8
  2. Ind. Code § 24-15-1-1
  3. Ind. Code § 24-15-2
  4. Ind. Code § 24-15-2-9
  5. Ind. Code § 24-15-2-22
  6. Ind. Code § 24-15-2-21
  7. Ind. Code § 24-15-5-1
  8. Ind. Code § 24-15-5-2
  9. Ind. Code § 24-15-2-19
  10. Ind. Code § 24-15-2-28
  11. Ind. Code § 24-15-1-1
  12. Ind. Code § 24-15-1-2
  13. Ind. Code § 24-15-7
  14. Ind. Code § 24-15-2-12
  15. Ind. Code § 24-15-7-1
  16. Ind. Code § 24-15-2-19
  17. Ind. Code § 24-15-2-26
  18. Ind. Code § 24-15-2-25
  19. Ind. Code § 24-15-7-2
  20. Ind. Code § 24-15-3-1
  21. Ind. Code § 24-15-3-1
  22. Ind. Code § 24-15-3-1
  23. Ind. Code § 24-15-4-3
  24. Ind. Code § 24-15-3-1
  25. Ind. Code § 24-15-3-1
  26. Ind. Code § 24-15-3-1
  27. Ind. Code § 24-15-2-30
  28. Ind. Code § 24-15-2-30
  29. Ind. Code § 24-15-2-27
  30. Ind. Code § 24-15-2-27
  31. Ind. Code § 24-15-2-23
  32. Ind. Code § 24-15-4-1
  33. Ind. Code § 24-15-4-1
  34. Ind. Code § 24-15-2-7
  35. Ind. Code § 24-15-4-1
  36. Ind. Code § 24-15-4-1
  37. Ind. Code § 24-15-4-1
  38. Ind. Code § 24-15-4-1
  39. Ind. Code § 24-15-3-1
  40. Ind. Code § 24-15-4-5
  41. Ind. Code § 24-15-4-5
  42. Ind. Code § 24-15-3-1
  43. Ind. Code § 24-15-3-1
  44. Ind. Code § 24-15-3-1
  45. Ind. Code § 24-15-3-1
  46. Ind. Code § 24-15-3-1
  47. Ind. Code § 24-15-3-1
  48. Ind. Code § 24-15-10-1
  49. Ind. Code § 24-15-10-3
  50. Ind. Code § 24-15-10-2
  51. Ind. Code § 24-15-10-2