On January 1, 2026, the Indiana Consumer Data Protection Act (INCDPA) will take effect, making Indiana the latest state to implement a comprehensive privacy framework. Indiana’s law sticks closely to the early Virginia model, reflecting a more uniform approach to consumer data protection compared to the newer, more complex laws passed in 2024.
Even so, the INCDPA establishes meaningful requirements around consumer rights, data processing, and transparency, adding yet another layer to the growing patchwork of state privacy laws businesses must navigate.
In this blog, we’ll break down the key provisions of the INCDPA, explain how it compares to other state laws, and outline what organizations should do to prepare ahead of the 2026 enforcement date.
Understanding the INCDPA
On May 1, 2023, Indiana Governor Eric Holcomb signed Senate Bill 5, known as the Indiana Consumer Data Protection Act (INCDPA). The INCDPA largely follows the early Virginia model, providing a familiar framework for businesses already complying with similar state laws, but it also introduces several unique provisions.
What Makes the INCDPA Notable:
- Sale of Personal Data: Indiana defines the “sale of personal data” narrowly, as an exchange of personal data for monetary consideration between a controller and a third party. This aligns with laws in Virginia, Utah, and Iowa, but is more limited than the broader definitions seen in California and Colorado.
- Access Requests Flexibility: Controllers can respond to consumer access requests with either a full copy of the personal data or a “representative summary.” By explicitly allowing summaries, Indiana reduces the complexity and cost of fulfilling requests while maintaining transparency for consumers.
- Data Protection Assessments: Required only for high-risk processing activities conducted after December 31, 2025.
- Consent Management: Unlike some other states, Indiana does not require controllers to provide consumers a method to revoke consent once given.
- Special Exemptions: The law includes unique carve-outs, such as for riverboat casinos using facial recognition technology authorized by the Indiana Gaming Commission.
- Enforcement & Cure Period: Indiana provides a non-expiring cure period before penalties can be enforced, consistent with frameworks in Utah and Virginia. This allows covered entities ongoing opportunities to resolve potential violations before facing fines.
We’ll break down these provisions further and explore the scope of the law next.
Scope of Application
The Indiana Consumer Data Protection Act (INCDPA) applies to for-profit entities that conduct business in Indiana or offer products or services targeted to Indiana residents if they meet one of the following thresholds in the prior calendar year:
- Controlled or processed the personal data of at least 100,000 Indiana residents, or
- Controlled or processed the personal data of at least 25,000 Indiana residents and derived more than 50% of gross revenue from the sale of personal data.
Notably, unlike some other state privacy laws, the INCDPA does not impose a general revenue threshold for applicability.
Exemptions
The INCDPA provides exemptions for certain entities and categories of data, similar to other U.S. state privacy laws:
- Government entities
- Nonprofit organizations
- HIPAA-covered entities and business associates
- Public or private institutions of higher education
- Entities regulated under the Gramm-Leach-Bliley Act (GLBA)
- Certain classes of data, including health records, scientific research data, consumer credit-reporting data, data governed by FERPA or the federal Farm Credit Act, and employment-related information
- Unique exemption: licensed riverboats using facial recognition approved by the Indiana Gaming Commission
Organizations that fall into exempt categories or process excluded data types are generally not subject to the INCDPA, but should consult legal counsel to confirm eligibility for any exemptions.
Rights Granted to Consumers
The Indiana Consumer Data Protection Act (INCDPA) gives Indiana residents a set of rights to manage and control their personal data:
- Right to Access: Consumers can confirm whether a controller is processing their personal data and request access to it. Controllers may provide either a full copy or a “representative summary” of the personal data.
- Right to Correction: Consumers can request corrections to inaccurate personal data.
- Right to Deletion: Consumers may request the deletion of personal data collected or maintained by the controller.
- Right to Data Portability: Consumers can obtain a copy of their personal data in a readily usable format.
- Right to Opt-Out: Consumers may opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or profiling that produces legal or similarly significant effects.
Controllers must generally respond to consumer requests within 45 days, with a possible 45-day extension where reasonably necessary.
Additionally, the law does not require controllers to provide a way for consumers to revoke consent once given. While this simplifies compliance for businesses, it slightly limits consumer control compared with states like California or Virginia. Together, these provisions reflect Indiana’s practical, business-friendly approach, sticking closely to the early Virginia model while still giving consumers meaningful rights.
Key Obligations for Businesses Under Indiana’s Privacy Law
Businesses operating in Indiana or providing products or services to Indiana residents must take several critical steps to ensure compliance. The Indiana Consumer Data Protection Act (INCDPA) imposes obligations on both controllers and processors of personal data.
Controllers’ Responsibilities
Controllers—entities that determine the purposes and means of processing personal data—are required to:
- Data Minimization: Collect only personal data that is adequate, relevant, and reasonably necessary for the disclosed purposes.
- Data Security: Implement appropriate administrative, technical, and physical safeguards to protect personal data based on its volume and sensitivity.
- Non-Discrimination: Ensure processing does not violate state or federal anti-discrimination laws, while still allowing different offers or pricing if consumers opt out of sales, profiling, or targeted advertising.
- Consumer Rights Fulfillment: Respond to requests to access, correct, delete, port, or opt out of personal data processing for targeted advertising, sales, or profiling. Requests must generally be fulfilled within 45 days, with a possible 45-day extension. Include an appeals process for denied requests.
- Transparency & Privacy Notices: Provide clear, accessible notices detailing categories of data collected, processing purposes, third-party recipients, opt-out options, and instructions for exercising rights. Clearly disclose if personal data is sold or used for targeted advertising.
- Sensitive Data & Children’s Data: Obtain opt-in consent for sensitive data and handle personal data of known children in accordance with COPPA.
- Data Protection Impact Assessments (DPIAs): Conduct assessments for high-risk processing activities, including targeted advertising, sale of personal data, sensitive data, and profiling that presents reasonably foreseeable risks, for processing activities after December 31, 2025.
- Processor Oversight: Maintain binding contracts with processors detailing processing instructions, obligations, and rights. Ensure processors return or delete personal data at the end of their service.
Processors’ Responsibilities
Processors—entities that process personal data on behalf of a controller—are required to:
- Follow Controller Instructions: Process data only as directed by the controller.
- Assist with Compliance: Support controllers in responding to consumer requests and conducting DPIAs.
- Implement Security Measures: Maintain appropriate technical and organizational safeguards for the data processed.
- Data Handling Obligations: Delete or return personal data upon controller request and require subcontractors to follow the same contractual obligations.
Enforcement of INCDPA
The Indiana Consumer Data Protection Act (INCDPA) is enforced exclusively by the Indiana Attorney General (AG); the law does not provide a private right of action.
Notice and Cure Period: Before initiating enforcement, the AG must provide controllers or processors with written notice of an alleged violation and a 30-day period to cure it. During this period, the entity must submit a written statement confirming that the violations have been addressed and that they will not recur. Unlike some other laws such as California’s CCPA, this right to cure does not expire, giving businesses ongoing opportunities to resolve issues before penalties are imposed.
Penalties: If the violation is not remedied within the cure period or the entity breaches its written assurance, the AG may seek civil penalties of up to $7,500 per violation. The AG may also pursue injunctive relief to ensure compliance.
Additional Support: To help businesses prepare for compliance, the Indiana Attorney General’s office provides resources on its website, including sample privacy notices and disclosures. These tools make it easier for organizations already familiar with other state privacy laws to align their practices with the INCDPA before it takes effect on January 1, 2026. Explore the Indiana Privacy Toolkit here.
How DataGrail Can Help
DataGrail helps simplify compliance with complex state privacy laws like the Indiana Consumer Data Protection Act (INCDPA).
Here’s how:
- Automate Consumer Rights Requests: DataGrail’s Request Manager enables you to efficiently handle access, correction, deletion, data portability, and opt-out requests within the INCDPA’s 45-day response window. With the ability to extend an additional 45 days when necessary, DataGrail ensures timely fulfillment across all systems and vendors while maintaining compliance with other major privacy laws like CCPA and GDPR.
- Maintain a Compliant Data Inventory: Indiana’s law requires transparency into personal data collection, processing, and sharing, including third-party disclosures. DataGrail’s Live Data Map provides a centralized, automated inventory of personal data—covering sensitive data, known children’s data, and high-risk processing activities—reducing reliance on spreadsheets and manual tracking.
- Simplify Consent and Opt-Out Management: DataGrail’s Consent solution automates consent collection and manages opt-outs for targeted advertising, the sale of personal data, and profiling. This ensures consumers can exercise their rights easily while minimizing operational burden.
- Third-Party Oversight & AI-Powered Risk Management: Leverage DataGrail’s AI-powered platform to monitor data shared with vendors and partners—including the entities to which personal data may be sold. Automatically identify high-risk relationships, track data flows to third parties, and flag unusual sharing behaviors, keeping your business enforcement-ready under the INCDPA.
- Effortless Data Protection Assessments: DataGrail supports the creation, tracking, and updating of Data Protection Impact Assessments (DPIAs) for high-risk processing activities, helping your organization stay compliant with INCDPA requirements without adding administrative overhead.
With DataGrail, your business can reduce risk, stay ahead of evolving state privacy laws, and maintain trust with your customers.
Ready to simplify compliance? Request a demo here.
Stay ahead of evolving state privacy laws. Check out our Guide to State Privacy Laws to understand how upcoming regulations may impact your business and keep your compliance strategy up to date.
Lastly, join Privacy Basecamp, our exclusive Slack community for privacy professionals, to connect, share resources, and discuss best practices. Stay informed on the latest state privacy legislation and engage with experts in the field.