Passed in 2023, the Indiana Consumer Data Protection Act (INCDPA) carried one of the longest lead times of any state privacy law and did not take effect until January 1, 2026. Modeled on Virginia's law, it gives Indiana residents the right to access, correct, delete, and obtain a copy of their personal data and to opt out of targeted advertising, the sale of their data, and profiling.
In 2025, the Data Breach Chronology captured 8,019 data breach notification filings from state and federal agencies that publish breach reports. These represented 4,080 unique breach events impacting at least 375 million individuals. This report examines what those 4,080 breaches tell us about the state of data security, and where the gaps in breach reporting leave consumers in the dark.
This survey analyzes and compares data breach notification laws across all 50 U.S. states and the District of Columbia. Using a standardized framework of 50 questions, we examined each jurisdiction's requirements for breach notification timing, covered data types, notification recipients, enforcement mechanisms, and consumer remedies.
The survey reflects statutes enacted as of January 1, 2026.
The survey reflects statutes enacted as of January 1, 2026.