Overview
The Indiana Consumer Data Protection Act (INCDPA) is a comprehensive data privacy law that grants Indiana residents new rights over their personal data while setting clear obligations for businesses. Signed into law on May 1, 2023, the INCDPA takes effect on January 1, 2026.
The law is closely modeled after Virginia's CDPA and Colorado's CPA, making it a business-friendly privacy framework with strong consumer protections but no private right of action.
Who Must Comply?
The INCDPA applies to businesses that operate in Indiana or target Indiana residents and meet one of the following criteria:
- Process personal data of at least 100,000 Indiana consumers annually
- Process personal data of at least 25,000 Indiana consumers and derive 50%+ of revenue from selling personal data
Exemptions:
The law does not apply to:
- Government agencies
- Nonprofits
- Financial institutions subject to GLBA
- HIPAA-covered entities (healthcare providers, insurers)
- Higher education institutions
Key Consumer Rights Under INCDPA
- Right to Access: Consumers can request a copy of their personal data.
- Right to Correct: Consumers can request corrections to inaccurate personal data.
- Right to Delete: Consumers can request the deletion of personal data.
- Right to Data Portability: Consumers can receive their data in a portable format.
- Right to Opt-Out: Consumers can opt out of:
  - Targeted advertising
  - Sale of personal data
  - Automated profiling that affects legal or financial decisions
- No Private Right of Action: Unlike California's CPRA, consumers cannot sue businesses directly for violations.
Business Compliance Requirements
- Universal Opt-Out Mechanism (Starting January 1, 2026): Businesses must recognize Global Privacy Control (GPC) signals.
- Opt-In Consent for Sensitive Data Processing: Businesses must obtain explicit consent before processing:
  - Racial/ethnic origin
  - Religious beliefs
  - Biometric data
  - Health conditions
  - Children's data
- Privacy Policy & Transparency: Companies must publish detailed privacy policies explaining data collection and usage.
- Data Security & Protection: Businesses must implement reasonable safeguards to protect personal data.
- Risk Assessments for High-Risk Processing: Companies must conduct Data Protection Assessments (DPA) for:
  - Targeted advertising
  - Data sales
  - AI-driven automated decision-making
Real-World Enforcement Cases
The Indiana Attorney General enforces the INCDPA, with penalties of up to $7,500 per violation.
30-Day Cure Period for Violations: Before fines are imposed, businesses have 30 days to fix compliance issues.
Since INCDPA does not take effect until January 1, 2026, major enforcement cases have not yet occurred, but businesses failing to provide opt-out mechanisms or proper security measures are likely to be early enforcement targets.
Comparison with Other State Privacy Laws
The Indiana INCDPA is more flexible for businesses than California's CPRA but closely resembles Virginia's CDPA:
- No Private Right of Action: Consumers cannot sue companies directly.
- Stronger Opt-Out Requirements: Businesses must honor universal opt-out signals in 2026.
- Less Strict Than CPRA: Indiana's law has fewer compliance obligations than California's CPRA.
Future of INCDPA Regulation
- Stronger enforcement expected in 2026, particularly for AI-driven profiling.
- Possible expansion of consumer rights in future amendments.
- Potential updates to align with federal privacy laws if enacted.
Indiana's INCDPA is a consumer-friendly but business-oriented privacy law, balancing consumer rights with clear compliance measures.