Indiana
Indiana Consumer Data Protection Act (ICDPA)
| Passed | May 1, 2023 |
| Effective Date | January 1, 2026 |
| Who it applies to |
Entities that (1) do business in Indiana or provide products or services targeted to Indiana consumers; and (2) control or process data of 100,000+ consumers; or derive 50% revenue from selling data of 25,000+ consumers. Exempt entities include nonprofits, government agencies, higher education institutions, and financial institutions subject to the Gramm-Leach-Bliley Act (GLBA). |
| Penalties | Up to $7,500 per violation |
What’s notable about it:
Indiana’s law comes with almost every requirement contained in the other privacy laws—but it doesn’t take effect until 2026, so there’s plenty of time to prepare. And interestingly, Indiana allows you to “re-use” data protection assessments you’ve conducted in other states, as long as they meet the ICDPA’s standards.
The Strict Spectrum