
Indiana Consumer Data Protection Act (INCDPA): Everything you need to know

Published January 15, 2026, by Patrick Austin

Summary

Indiana joined the growing number of states enacting comprehensive consumer privacy legislation when Governor Eric Holcomb signed the Indiana Consumer Data Protection Act (INCDPA) into law in May 2023. The consumer data privacy law took effect on January 1, 2026. INCDPA establishes new requirements for businesses that collect and process the personal data of Indiana residents. 

For context, Indiana's approach to data privacy regulation mirrors that of other states, particularly those modeled after the Virginia Consumer Data Protection Act.

However, the INCDPA includes certain unique elements and thresholds that distinguish it from its counterparts in other jurisdictions. Generally speaking, the INCDPA aims to provide Indiana residents with greater control over their personal information while requiring businesses to comply with specific data collection and processing obligations.

Continue reading to discover what you need to know about the INCDPA and how to strengthen your company’s compliance posture accordingly.

Is my company subject to the INCDPA?

The INCDPA applies to persons who conduct business in Indiana or produce products or services targeted to Indiana residents and meet specific thresholds. 

Application thresholds

A business in Indiana must comply with the INCDPA if, during a calendar year, the business:

  • Controls or processes the personal data of at least 100,000 consumers; or 
  • Controls or processes the personal data of at least 25,000 consumers while deriving more than 50 percent of gross revenue from the sale of personal data.

These application thresholds are notably higher than those in other state privacy laws. Generally speaking, this means many small and medium-sized businesses in the state will be exempt from having to comply with the INCDPA.

Exempted entities and data types

Several categories of entities and information are exempt from the INCDPA. For example, the law does not apply to:

  • Government entities
  • Financial institutions subject to the Gramm-Leach-Bliley Act
  • Covered entities and business associates under HIPAA
  • Nonprofit organizations. 

In addition, certain types of data are excluded from coverage. For example, data governed by specific federal laws are generally exempt, including: 

  • Fair Credit Reporting Act data
  • Family Educational Rights and Privacy Act data
  • Health Insurance Portability and Accountability Act data

What rights do consumers have under the INCDPA?

The INCDPA grants Indiana residents several fundamental privacy rights regarding their personal data. These rights empower consumers to exercise greater control over how businesses collect, use, and share their information.

Right to access

Consumers have the right to confirm whether a controller is processing their personal data and to access that data. This transparency requirement ensures that individuals can discover what information companies hold about them. The right of access enables consumers to make informed decisions about their privacy and take appropriate action if they discover inaccuracies or unauthorized processing.

Right to correct

The law also provides consumers with the right to correct inaccuracies in their personal data. When a consumer identifies errors or outdated information, controllers must have mechanisms in place to facilitate corrections, maintaining the accuracy and reliability of personal data holdings.

Right to delete

Consumers possess the right to delete personal data they have provided to a controller. This right acknowledges that individuals should have the ability to remove their digital footprint when they no longer wish to maintain a relationship with a business or when the original purpose for data collection no longer applies.

Right to data portability

The INCDPA grants consumers the right to obtain a copy or a representative summary of their personal data in a portable format that allows them to transmit the data to another controller without hindrance. Data portability promotes competition and consumer choice by reducing switching costs and enabling individuals to move between service providers more easily.

Opt-out rights for certain data processing activities

Consumers also have the right to opt out of certain data processing activities. Specifically, individuals can opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.

Processing data subject requests

Controllers must also establish and describe one or more secure and reliable means for consumers to submit requests to exercise their data subject rights. The process for submitting requests should be user-friendly and not impose unreasonable burdens on consumers seeking to exercise their legal rights.

When responding to consumer rights requests, controllers must comply within 45 days of receipt, though this period may be extended by an additional 45 days when reasonably necessary. 

Controllers must inform consumers of any extension and the reason for it. If a controller declines to take action on a request, it must inform the consumer of the reasons and provide information about how to appeal the decision.

What must companies do to comply with the INCDPA?

Companies subject to the INCDPA must implement various measures to protect consumer privacy and ensure compliance with the law. 

Controllers (a statutory term generally referring to Indiana businesses that collect and maintain consumer data) must limit their collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purposes.

This data minimization principle prevents the excessive accumulation of personal information and reduces privacy risks. In effect, organizations cannot engage in indiscriminate data hoarding but must instead justify each category of data they collect based on specific, legitimate purposes.

Data security requirements

The INCDPA requires controllers to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. 

Security measures must be appropriate to the volume and nature of the personal data at issue, reflecting a risk-based approach to data protection.

Privacy notice

In addition to data security measures, controllers are required to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes specific information about data processing practices. 

The privacy notice must disclose the following: 

  • Categories of personal data processed
  • Purposes for processing
  • How consumers can exercise their rights
  • Categories of personal data shared with third parties
  • Information about targeted advertising and data sales.

Consent requirements for sensitive personal data

The INCDPA establishes heightened protections for sensitive data. For example, the law requires companies to obtain consumer consent before processing sensitive personal data.

Examples of sensitive data

Generally speaking, sensitive data includes personal data that reveals the following: 

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data processed to uniquely identify an individual 
  • Personal data collected from a known child
  • Precise geolocation data.

For these categories of data, companies generally cannot process the information without first obtaining the consumer's consent. This consent must be: (1) freely given, (2) specific, (3) informed, and (4) unambiguous. 

Sale of personal data and targeted advertising

The INCDPA regulates the sale of personal data and targeted advertising, two practices that have generated significant privacy concerns in recent years. The INCDPA defines the sale of personal data as

“the exchange of personal data for monetary consideration by a controller to a third party.” 

However, certain disclosures are excluded from this definition, such as disclosures to processors acting on behalf of the controller, disclosures to third parties for purposes consistent with consumer expectations, and disclosures that the consumer intentionally makes public.

Notice is necessary when selling data or engaging in targeted advertising

Controllers that sell personal data or engage in targeted advertising must provide consumers with clear notice of these practices and offer mechanisms to opt out. For context, targeted advertising means:

“displaying advertisements based on personal data obtained from a consumer's activities across nonaffiliated websites, applications, or online services to predict consumer preferences or interests.”

This definition captures the sophisticated tracking and profiling techniques commonly used in digital advertising.

Processor requirements and contractual obligations

The INCDPA distinguishes between controllers and processors, imposing specific requirements on each. For context, a processor is an entity that processes personal data on behalf of a controller. 

The relationship between controllers and processors must be governed by a contract that clearly delineates the responsibilities of each party.

Contracts between controllers and processors must include specific provisions, such as: 

  • Instructions for processing data
  • Description of the nature and purpose of processing
  • Types of data subject to processing
  • Duration of processing
  • Rights and obligations of both parties 

In addition, contracts must require processors to take the following actions:

  • Implement appropriate security measures
  • Ensure that any person processing personal data is subject to confidentiality obligations
  • Assist the controller in meeting its obligations under the INCDPA
  • Delete or return personal data at the controller's request or upon conclusion of services.

These contractual requirements are intended to create accountability in data processing relationships and help ensure that processors handle personal data in compliance with the controller's obligations under the law. 

Data protection assessments

Companies must conduct and document data protection assessments for processing activities that present heightened risks to consumers. For example, a data protection assessment will likely be required for processing personal data for purposes of: 

  • Targeted advertising
  • Selling personal data
  • Processing sensitive data
  • Processing activities that present a heightened risk of harm to consumers.

A data protection assessment must identify and weigh the benefits of processing against the potential risks to consumer rights, considering the use of de-identification techniques, reasonable expectations of consumers, the context of processing, and the relationship between the controller and consumers. 

What can happen if my company fails to comply with the INCDPA?

Failure to comply with the INCDPA can lead to a regulatory enforcement action, large fines, and penalties. For context, the Indiana Attorney General’s Office has exclusive authority to enforce the INCDPA. Unlike some state privacy laws, the INCDPA does not provide for a private right of action, meaning consumers cannot sue companies directly for violations. Instead, enforcement occurs through the Attorney General's office.

30-day cure period

It is important to note that Indiana businesses are provided a period of time to correct any identified compliance violations. Specifically, prior to initiating an enforcement proceeding, the Attorney General’s Office must provide a company with 30 days' written notice identifying the specific provisions alleged to have been violated. 

If a company is able to cure the violation within a 30-day period and provides the Attorney General with a written statement confirming the remedial measures, then no enforcement action will be taken. This cure provision, particularly in the law's early years, gives businesses an opportunity to come into compliance before facing fines, penalties, and other enforcement measures.

How can Didomi help companies comply with the Indiana Consumer Data Privacy Law?

The U.S. consumer data privacy landscape continues to evolve with new laws and regulations going into effect in 2026, including the Indiana law. 

Keeping up with the pace and scope of these new regulations adds a layer of complexity and risk to your business. Learn more about our multi-regulation Consent Management Platform (CMP), which covers privacy laws and regimes in the U.S. and worldwide. Discuss your challenges and how Didomi could help with one of our experts.

Indiana Consumer Data Protection Act: Frequently Asked Questions (FAQs)

When did the Indiana Consumer Data Protection Act go into effect? 

INCDPA went into effect on January 1, 2026. Businesses subject to INCDPA must now take steps to ensure they have implemented appropriate compliance measures, including updating privacy notices, establishing consumer rights request mechanisms, obtaining consent for sensitive data processing, providing opt-out options for data sales and targeted advertising, and conducting required data protection assessments.

Does my business need to comply with the INCDPA?

It depends on the scope of data processing by your business. Specifically, the INCDPA applies to businesses in Indiana that either:

  • control or process personal data of at least 100,000 Indiana residents; or 
  • control or process personal data of at least 25,000 Indiana residents and derive more than 50 percent of gross revenue from the "sale" of any personal data.

How long does an Indiana company have to process a data subject request?

The INCDPA requires companies to respond to a data subject request within 45 days of receipt of such request. Companies have the option to extend the response period by an additional 45 days when necessary and in light of the complexity of the request. 

Can a data subject appeal a denial of a request?

Yes, the INCDPA provides consumers the right to file a formal appeal if a company denies a data subject request. An appeal is subject to the same processing deadlines as a data subject request. If a consumer is unhappy with the company’s response to the appeal, they can contact the Indiana Attorney General’s Office to file a complaint.

Can a consumer sue a company for violating the INCDPA?

No, there is no private right of action afforded to consumers for alleged violations of the INCDPA.

What are other U.S. privacy laws I should know about?

The U.S. privacy ecosystem is constantly evolving. Head to our comprehensive guide to learn more.

The author
Patrick Austin
Cybersecurity & Data Privacy Counsel at Woods Rogers
U.S.-based data privacy attorney and Certified Information Privacy Professional (CIPP/US, CIPP/E, CIPM)