The Indiana Consumer Data Privacy Act (ICDPA): A Comprehensive Analysis

The ICDPA became effective on January 1, 2026. This in-depth guide examines the full text of Indiana Code Title 24, Article 15, guidance from the Indiana Attorney General’s Office, and practical implications for businesses and consumers.

The Indiana Consumer Data Privacy Act (ICDPA), codified as Indiana Code Title 24, Article 15, represents Indiana’s entry into the growing landscape of state-level comprehensive consumer privacy laws in the United States. Signed into law as Senate Enrolled Act No. 5 on May 1, 2023, by Governor Eric Holcomb, the ICDPA took effect on January 1, 2026, providing businesses with a generous implementation period of over two and a half years.

The law closely mirrors the Virginia Consumer Data Protection Act (VCDPA), often described as one of the more “business-friendly” state privacy frameworks. It grants Indiana residents acting in individual or household contexts meaningful rights over their personal data while imposing balanced obligations on covered businesses. Unlike more stringent laws such as California’s CCPA/CPRA or Colorado’s CPA, the ICDPA features higher applicability thresholds, a permanent 30-day cure period for enforcement, no requirement to recognize universal opt-out mechanisms, and exclusive enforcement by the Indiana Attorney General (no private right of action).

The ICDPA aims to enhance transparency, give consumers control over their data, and encourage responsible data practices without unduly burdening businesses, particularly small and medium-sized enterprises. As stated in educational materials from the Indiana Attorney General’s Office, the law recognizes that personal data collection is integral to modern life but seeks to empower Hoosiers to make informed choices about how their data is used, shared, or sold.

This article provides an exhaustive examination of the ICDPA, drawing directly from the statutory text (IC 24-15), the Attorney General’s Consumer Data Bill of Rights, and practical compliance considerations now that the law is live.

Legislative History and Context

The ICDPA originated as Senate Bill 5 during the 2023 session of the Indiana General Assembly. Introduced with bipartisan support and sponsored primarily by Republicans, the bill passed with strong majorities and became Public Law 94-2023.

Indiana joined a wave of states enacting privacy laws in the absence of federal comprehensive legislation. By 2023, states like Virginia, Colorado, Connecticut, Utah, and California had already implemented similar frameworks. Indiana’s law was crafted to align closely with Virginia’s model, avoiding some of the more onerous requirements found in California or Colorado, such as revenue thresholds for all entities or mandatory recognition of global privacy controls.

The extended effective date—January 1, 2026—was intentional, giving businesses substantial time to prepare. This delay also aligned Indiana’s law with several other states (e.g., Kentucky, Rhode Island) coming online in 2026, facilitating multi-state compliance efforts.

Applicability and Scope (IC 24-15-1)

The ICDPA's applicability is both territorial and threshold-based, targeting larger-scale data processors while exempting smaller entities.

Who Is Covered?

Under IC 24-15-1-1, the law applies to for-profit persons (including corporations, LLCs, etc.) that:

  • Conduct business in Indiana; or
  • Produce products or services targeted to Indiana residents;
  • And during a calendar year:
    • Control or process personal data of at least 100,000 Indiana consumers (excluding data processed solely for payment transactions); or
    • Control or process personal data of at least 25,000 Indiana consumers and derive more than 50% of gross revenue from the sale of personal data.

Notably, there is no global revenue threshold (unlike some states), making the law more targeted toward entities with significant Indiana-specific data processing.

Entity-Level Exemptions

IC 24-15-1-1(b) exempts:

  • State and local government entities (and their contractors when acting on their behalf);
  • Financial institutions and affiliates subject to Gramm-Leach-Bliley Act (GLBA);
  • Covered entities and business associates under HIPAA;
  • Nonprofit organizations;
  • Institutions of higher education;
  • Public utilities and affiliated service companies.

Data-Level Exemptions

IC 24-15-1-2 provides broad data-level exemptions, including:

  • Protected health information under HIPAA;
  • Patient identifying information under 42 U.S.C. 290dd-2;
  • Human subjects research data;
  • Information under FCRA, Driver’s Privacy Protection Act, FERPA, and others;
  • Employment-related data and emergency contact information;
  • De-identified data meeting HIPAA standards.

Compliance with COPPA satisfies parental consent obligations for children’s data (IC 24-15-1-3).

Understanding the ICDPA Requirements (IC 24-15-2)

Understanding the ICDPA requires familiarity with its definitions, many of which align with VCDPA.

  • Consumer: An Indiana resident acting in an individual or household context (excludes employment or B2B contexts).
  • Personal data: Any information linked or reasonably linkable to an identified or identifiable individual (excludes de-identified, pseudonymous, or publicly available data).
  • Sensitive data: Includes data revealing racial/ethnic origin, religious beliefs, health diagnoses, sexual orientation, citizenship/immigration status, genetic or biometric data processed for identification, children’s data, and precise geolocation (1-meter accuracy).
  • Controller: Entity that determines purposes and means of processing.
  • Processor: Entity that processes data on behalf of a controller.
  • Sale of personal data: Exchange for monetary consideration (narrower than some states; excludes disclosures to processors, affiliates, or for consumer-requested services).
  • Targeted advertising: Ads based on cross-site behavior (excludes contextual or affiliate-site ads).
  • Profiling: Automated processing producing legal or similarly significant effects (e.g., denial of housing, employment, credit).
  • Consent: Clear affirmative act (freely given, specific, informed, unambiguous).

The Attorney General’s Bill of Rights provides consumer-friendly explanations, noting that “personal data” excludes publicly available information and that “sale” is limited to monetary exchanges.

Consumer Rights (IC 24-15-3)

The ICDPA grants five core rights, exercisable free of charge (with limited exceptions for manifestly unfounded requests).

  1. Right to Confirm and Access: Confirm whether a controller processes the consumer’s data and access it (or a representative summary) once per year.
  2. Right to Correct: Correct inaccuracies in personal data provided by the consumer.
  3. Right to Delete: Delete personal data provided by or obtained about the consumer.
  4. Right to Portability: Obtain data in a readily usable format for transmission.
  5. Right to Opt-Out: Opt out of processing for targeted advertising, sale, or profiling with legal/significant effects.

Additional protections:

  • Opt-in consent required for sensitive data processing.
  • No discrimination for exercising rights (though bona fide loyalty programs are permitted).
  • Appeal right if a request is denied (controller must respond within 45 days; consumer can contact AG if appeal denied).
  • Controllers must respond within 45 days (extendable once by 45 days).
  • Authentication required but cannot be unduly burdensome.

The AG’s Bill of Rights emphasizes that consumers can exercise rights for their children and that sensitive data requires consent.

Controller Responsibilities (IC 24-15-4 and IC 24-15-5)

Controllers bear primary responsibility.

Transparency

Provide a clear, accessible privacy notice detailing:

  • Categories of personal data processed;
  • Purposes;
  • Categories shared with third parties;
  • How to exercise rights and appeal.

If the controller sells personal data or uses it for targeted advertising, it must disclose that processing and provide an opt-out mechanism.

Data Minimization and Purpose Limitation

Collect only personal data that is adequate, relevant, and necessary; do not use it for an incompatible secondary purpose without consent.

Sensitive Data

Opt-in consent required; no processing of children’s data without COPPA-compliant consent.

Security and Non-Discrimination

Reasonable safeguards; no denial of services or price discrimination for rights exercise.

Processor Contracts

Binding contracts requiring processors to assist with obligations, maintain confidentiality, and allow assessments.

Data Protection Impact Assessments (IC 24-15-6)

Required for processing posing heightened risk:

  • Targeted advertising;
  • Sale of data;
  • Profiling with significant effects;
  • Sensitive data processing;
  • Activities with substantial privacy risk.

Assessments must weigh benefits against risks and be made available to the AG upon request. The requirement applies prospectively to processing after January 1, 2026.

Enforcement and Penalties (IC 24-15-10)

Exclusive enforcement by Indiana Attorney General.

  • 30-day written notice and cure period (permanent, no sunset);
  • Penalties up to $7,500 per violation;
  • Injunctive relief;
  • No private right of action.

As of now, no public enforcement actions have been announced, consistent with the educational focus signaled by the AG’s Bill of Rights release in late 2025.

Comparison to Other State Laws

The ICDPA is notably business-friendly:

  • Higher thresholds than many states (e.g., no applicability to entities processing fewer than 100,000 Indiana consumers);
  • Narrower “sale” definition (monetary only);
  • No universal opt-out requirement;
  • Permanent cure period;
  • Alignment with VCDPA facilitates compliance for multi-state operations.

It is stricter than Utah but less burdensome than California or Colorado.

Practical Compliance Guidance

Now that the law is effective, covered entities should:

  1. Conduct data mapping to identify Indiana consumer data flows;
  2. Update privacy notices;
  3. Implement rights request intake and authentication processes;
  4. Obtain consents for sensitive data;
  5. Conduct and document DPIAs;
  6. Review and update processor contracts;
  7. Train staff and monitor AG guidance.

The AG’s Consumer Data Bill of Rights serves as an excellent reference for notice language and consumer education.

The ICDPA strikes a thoughtful balance, enhancing consumer privacy while providing clear, achievable obligations for businesses. As enforcement begins in 2026, proactive compliance will be key. Indiana’s approach may serve as a model for future state laws, emphasizing education and cooperation over punitive measures.
