This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
header image


Indiana Consumer Data Protection Act (ICDPA)

Passed May 1, 2023
Effective Date January 1, 2026
Who it applies to

Entities that (1) do business in Indiana or provide products or services targeted to Indiana consumers; and (2) control or process data of 100,000+ consumers; or derive 50% revenue from selling data of 25,000+ consumers. Exempt entities include nonprofits, government agencies, higher education institutions, and financial institutions subject to the Gramm-Leach-Bliley Act (GLBA).

Penalties Up to $7,500 per violation

What’s notable about it:

Indiana’s law comes with almost every requirement contained in the other privacy laws—but it doesn’t take effect until 2026, so there’s plenty of time to prepare. And interestingly, Indiana allows you to “re-use” data protection assessments you’ve conducted in other states, as long as they meet the ICDPA’s standards.

The Strict Spectrum

Less Strict