
Indiana Consumer Data Protection Act (Indiana CDPA) – an overview

The Indiana Consumer Data Protection Act (Indiana CDPA) goes into effect on January 1, 2026 and protects the personal data of Indiana residents. Organizations that do business in the state must be ready to comply with its provisions or face civil penalties.

May 09, 2024

Indiana became the seventh US state to pass a consumer data privacy bill with the Indiana Consumer Data Protection Act (Indiana CDPA) on May 1, 2023. The law goes into effect on January 1, 2026, giving organizations two and a half years to prepare for compliance.

We look at the Indiana data privacy law, who it applies to, and what it means for organizations that do business in the state and collect personal data.

What is the Indiana Consumer Data Protection Act?

The Indiana Consumer Data Protection Act (Indiana CDPA) aims to protect the privacy and personal data of Indiana residents. It establishes rules for businesses that either operate in Indiana or sell products and services to the state’s residents, known as “consumers” under the law, and process their personal data.

The Indiana privacy law defines a consumer as an Indiana resident who is “acting only for a personal, family, or household purpose,” and not for commercial or employment purposes.

Like other US states with consumer privacy laws, Indiana follows an opt-out model. It requires businesses to clearly explain what personal data they collect and why they collect it, third parties they share it with, and how consumers can opt out of its collection and processing for certain purposes.

Definitions under the Indiana Consumer Data Protection Act

The Indiana privacy law defines key terms related to who is protected under the law, what data it protects, and data processing activities.

Personal data under the Indiana CDPA

The Indiana CDPA defines personal data as “information that is linked or reasonably linkable to an identified or identifiable individual”. The definition explicitly excludes de-identified data, aggregate data, or publicly available information.

The law does not provide specific examples of personal data, unlike some other US state-level data privacy laws, but common types that businesses collect include name, email address, phone number, Social Security Number, and passport number.

Sensitive data under the Indiana CDPA

Sensitive personal data is data that presents a risk of harm to consumers if misused and includes:

  • racial or ethnic origin
  • religious beliefs
  • health information or mental or physical health diagnosis made by a healthcare provider
  • sexual orientation
  • citizenship or immigration status
  • genetic or biometric data processed for the purpose of uniquely identifying a specific individual
  • personal data collected from a known child (under 13 years of age)
  • precise geolocation data that can accurately identify a natural person’s specific location within a radius of 1,750 feet or 533.4 meters

The federal Children’s Online Privacy Protection Act (COPPA) covers consent requirements and handling of children’s data. In Indiana, as with most US state-level privacy laws, data of known children is categorized as sensitive data.

Consent under the Indiana CDPA

The European Union’s General Data Protection Regulation (GDPR) has influenced what consent means under many data privacy laws worldwide, including the Indiana data privacy law.

The law defines consent as “a clear affirmative act that signals a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.”

A “clear affirmative act” can be a written statement — either physically written or by electronic means — or any other unambiguous affirmative action.

It is also worth noting that, unlike the data privacy laws in California, Colorado, and Connecticut, the Indiana data privacy law does not require controllers to give consumers a means to revoke or withdraw consent once it has been given.

Controller under the Indiana CDPA

The Indiana CDPA defines a controller as “a person that, alone or jointly with others, determines the purpose and means of processing personal data.” A controller is also known as a “data controller” under some other privacy laws.

“Person” could mean a natural person, a company, or other organization that is required to comply with the obligations and responsibilities of controllers under the law.

Processor under the Indiana CDPA

A controller may share personal data with another entity that processes it on the controller’s behalf. The Indiana CDPA defines such an entity as a processor, “a person that processes personal data on behalf of a controller.”

Sale under the Indiana CDPA

The Indiana data privacy law defines sale of personal data as “the exchange of personal data for monetary consideration by a controller to a third party.” The definition excludes the disclosure of personal data:

  • to a processor that processes the personal data on the controller’s behalf
  • to a third party for purposes of providing a product or service that is requested by the consumer or the parent of a child whose personal data is in question
  • to an affiliate of the controller, including transfer of personal data
  • that the consumer intentionally made available to the public through a mass media channel not restricted to a specific audience (e.g. social media posts)
  • to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets, including transfer of personal data

Targeted advertising under the Indiana CDPA

Targeted advertising means “displaying of an advertisement to a consumer in which the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.”

The Indiana privacy law’s definition excludes:

  • ads based on activities within a controller’s own or affiliated websites or online applications
  • ads based on the context of a consumer’s current search query, visit to a website, or online application
  • ads directed to a consumer in response to the consumer’s request for information or feedback
  • the processing of personal data solely for measuring or reporting advertising performance, reach, or frequency

Who must comply with the Indiana Consumer Data Protection Act

The Indiana data privacy law applies to businesses that operate in Indiana or produce products or services targeted to Indiana residents, even if the business itself is located outside the state.

To be subject to Indiana CDPA compliance, businesses must either:

  • control or process the personal data of at least 100,000 Indiana residents during a calendar year

or

  • control or process the personal data of at least 25,000 Indiana consumers and make over 50% of their gross revenue from the sale of personal data within a calendar year

Indiana’s privacy law differs from laws such as the California Consumer Privacy Act (CCPA) in that the Indiana CDPA has no standalone revenue threshold. Under laws with such a threshold, a business may have to comply solely because its annual gross revenue exceeds a specific amount, regardless of how much consumer data it processes.

Under the Indiana data privacy law, any business that meets the specified thresholds regarding consumer data processed or the combination of consumer data processed and revenue percentage must comply with the CDPA, regardless of the business’s overall revenue or size.

Exemptions to Indiana Consumer Data Protection Act compliance

Similar to other US data privacy laws, the Indiana privacy law exempts certain entities from compliance, including:

  • state government agencies, including third parties under contract with state government agencies when acting on their behalf
  • financial institutions and their affiliates, and data subject to the Gramm-Leach-Bliley Act
  • covered entities and business associates governed by the Health Insurance Portability and Accountability Act (HIPAA)
  • nonprofit organizations
  • institutions of higher education
  • public utilities and service companies affiliated with a public utility

Data that is exempt from the law includes protected health information; research data; data that is processed or maintained for employment-related purposes; and information created for or collected in pursuance to several federal laws, including HIPAA, Health Care Quality Improvement Act, Patient Safety and Quality Improvement Act, Fair Credit Reporting Act, and Driver’s Privacy Protection Act, among others.

Consumers’ rights under the Indiana Consumer Data Protection Act

The Indiana CDPA grants several rights to consumers to protect their personal data.

  • Right to access: consumers can confirm if the controller is processing their personal data and can access their data, with some exceptions
  • Right to correction: consumers have the right to have any incomplete or inaccurate personal data that they previously provided to the controller corrected
  • Right to deletion: consumers can request the deletion of any of their personal data that the controller holds, with exceptions
  • Right to data portability: consumers can obtain a copy of personal data they previously provided to the controller, in a readily usable format, with some exceptions
  • Right to opt out: consumers can opt out of the processing of their personal data for the purposes of its sale, targeted advertising, or profiling

Parents or legal guardians can exercise these rights on behalf of children.

Under Indiana privacy law, consumers cannot directly sue a controller over a violation; that is, there is no private right of action. Among US state privacy laws, only California’s CCPA grants consumers a private right of action, and it is limited to certain data breaches.

Controllers’ obligations under the Indiana Consumer Data Protection Act

Controllers have several responsibilities under the Indiana data privacy law to safeguard consumers’ personal data.

Consumer rights requests under the Indiana CDPA

Controllers must notify consumers about:

  • their rights
  • how consumers may exercise their rights
  • contact information for the controller
  • how to appeal against the controller’s decision (e.g. rejection of a consumer request)

This information is usually contained in a privacy notice or privacy policy, which a controller is required to publish under the Indiana CDPA. Consumer rights requests are commonly referred to as data subject requests (DSR) or data subject access requests (DSAR).

Controllers must establish one or more easily accessible and commonly used methods by which consumers can exercise their rights. While controllers can require consumers to log in to an existing account (as part of identity verification) to make a request, consumers must not be required to create a new account to exercise their rights. The controller has 45 days to respond to a consumer request and can extend that period by another 45 days if reasonably necessary to comply. If the controller extends the response period, it must notify the consumer before the initial 45-day period is over.

If the controller can’t reasonably verify the consumer’s identity, it can make additional verification requests or decline the consumer’s request. If the controller declines the consumer’s request, it must inform the consumer of its decision within 45 days from the receipt of the request. The controller must also inform the consumer of the reason for denying the request and the process for appealing the decision. The controller has 60 days to respond to an appeal.

Purpose limitation under the Indiana CDPA

The law requires controllers to disclose the purpose(s) for which they are collecting personal data, and they must limit the personal data they collect to what is “adequate, relevant, and reasonably necessary” for those purposes.

Data security under the Indiana CDPA

Controllers are responsible for maintaining the confidentiality, integrity, and accessibility of personal data. The Indiana privacy law requires them to establish, implement, and maintain reasonable administrative, technical, and physical security measures appropriate to the volume and nature of personal data processed.

Data protection impact assessments (DPIA) under the Indiana CDPA

Controllers must conduct and document data protection impact assessments when they:

  • process personal data for targeted advertising purposes
  • sell personal data
  • process personal data for profiling purposes if that profiling creates a foreseeable risk of unfair or deceptive treatment or impact on consumers; financial, physical, or reputational injury; offensive intrusion into consumers’ private affairs; or other substantial injury
  • process sensitive data
  • process any personal data in a way that creates a heightened risk of harm to consumers

The law takes effect on January 1, 2026, and the DPIA requirement applies only to processing activities that occur after December 31, 2025, that is, from the effective date onward; earlier processing does not have to be assessed retroactively.

Similar to privacy laws in other US states, Indiana primarily uses an opt-out model, meaning businesses can collect and process information without prior consumer consent in most cases. However, there’s a key exception: when it comes to sensitive personal data, companies must get explicit consent before collection or use. Consumers must be clearly informed about the processing activities and be able to opt out of the sale of their personal data or its use for targeted advertising or profiling.

When it comes to the privacy of minors, Indiana aligns with federal guidelines set by the Children’s Online Privacy Protection Act (COPPA). Businesses must have consent from a parent or guardian before processing personal data from users known to be under 13 years since all personal data of children under 13 is classified as sensitive data under the Indiana privacy law.

Nondiscrimination under the Indiana CDPA

Controllers must not engage in unlawful discrimination against consumers, and they can’t process personal information if it violates state or federal discrimination laws. Controllers also can’t discriminate against consumers who exercise their rights under the law. For instance, a consumer can’t be denied access to a website if they choose to opt out of allowing personal data collection.

However, some website features may require specific cookies (known as essential or necessary cookies), and if a consumer declines these cookies, certain features of the site might not function properly. This is not considered discriminatory.

Controllers may offer incentives to consumers, such as discounts or rewards, for participating in activities that involve processing personal data. These incentives must be reasonable and proportionate to what is asked of the consumer, so that participation remains optional and voluntary rather than coerced.

Privacy notice under the Indiana CDPA

The law requires controllers to provide consumers with a clear, accessible, and meaningful privacy notice, which must include:

  • categories of personal data the controller processes
  • purposes for processing personal data
  • how consumers may exercise their rights, as well as how they may appeal a controller’s decision regarding a consumer rights request
  • categories of personal data the controller shares with third parties, if any
  • categories of third parties who receive the personal data, if any
  • how consumers can opt out of the sale of personal data to third parties or processing of personal data for targeted advertising or profiling
  • contact information for the controller

The privacy notice or privacy policy is usually published in an accessible place on the controller’s website and linked to from elsewhere, like the footer, to make it easy to find.

Data processing agreements (DPA) under the Indiana CDPA

Controllers must enter into contracts with third-party processors that govern data processing procedures. The contract, known as a “data processing agreement” (DPA) in laws such as the GDPR and Virginia Consumer Data Protection Act (VCDPA), must contain:

  • instructions for processing personal data
  • nature and purpose of processing
  • type of data subject to processing
  • duration of processing
  • rights and obligations of both parties

Processors must also assist controllers in meeting their duties related to security, transparency, retention, deletion, assessment, and reporting under the Indiana data privacy law.

A DPA is crucial as controllers are legally responsible for data processing activities, privacy breaches, or violations resulting from processors’ activities.

Universal opt-out signal under the Indiana CDPA

Unlike California’s privacy law, the Indiana privacy law does not explicitly mention the Global Privacy Control (GPC) or similar universal opt-out mechanisms, which aim to standardize how users communicate their opt-out preferences online. With GPC, a consumer sets a privacy preference once in the browser or an extension, and the browser communicates it to every website or app the consumer visits, so the preference does not have to be set again on each site. This simplifies the user experience and helps businesses comply with the privacy laws that do require them to honor such signals.

Enforcement of the Indiana Consumer Data Protection Act

The Indiana Attorney General is responsible for enforcing the Indiana CDPA. Since the law grants consumers no private right of action, a consumer’s recourse is to report suspected violations, such as a denied consumer rights request, to the Attorney General’s office.

If the Attorney General’s office reasonably believes that there has been a violation of the Act, it can issue a civil investigative demand. The Attorney General is required to provide written notice listing the alleged violations to the party suspected of being in violation.

The law provides for a 30-day cure period during which organizations can address the issues and take measures to prevent the recurrence of violations. They must also furnish a written statement confirming the remedy of any violations and the actions taken to prevent future occurrences. Under some recent state-level privacy laws, the right to cure ends after a certain period of time, or “sunsets”, after which a cure period is at the discretion of the Attorney General. There is no sunset for the cure period in Indiana’s privacy law.

Fines and penalties under the Indiana CDPA

The Indiana Attorney General can commence enforcement proceedings against a controller or its processors if they remain in violation after the 30-day cure period or after submitting their written statement. This may involve seeking an injunction and/or civil penalties.

Controllers or processors that violate the Indiana CDPA could face penalties up to USD 7,500 for each violation. They may also be held responsible for reasonable legal costs, such as attorney’s fees.

Consent management and the Indiana Consumer Data Protection Act

Like all other current US state-level data privacy laws, the Indiana data privacy law adopts the opt-out consent model. This means that controllers do not have to obtain prior consent to collect or process consumers’ personal data except for sensitive personal data and all personal data belonging to children.

Consumers must be able to opt out of the sale of their personal data and of its processing for targeted advertising or profiling at any time. Businesses must tell consumers about this right and how to exercise it, which is typically done in the website’s privacy notice. Once a controller receives an opt-out request, it must stop processing the consumer’s personal data for the opted-out purpose(s); processing for other purposes, such as fulfilling an order the consumer placed, may continue.

Businesses often display a cookie consent banner with a clear link or button through which users can opt out. A consent management platform (CMP) automatically scans the site for cookies and trackers and uses the results to tell users which categories of personal data are collected, which services the controller and its processors use, and which third parties receive the data, as Indiana’s privacy law and most data privacy laws worldwide require.

In the absence of a unified federal privacy law in the US, businesses operating nationwide and/or internationally may need to comply with various consumer privacy laws to safeguard consumers’ personal data. CMPs can make this easier by enabling the customization of cookie banners targeted to the user’s geographic location. Businesses can achieve compliance with state-level laws like the Indiana CDPA, as well as other current and upcoming laws across the US and international regulations.

How to prepare for the Indiana Consumer Data Protection Act

Businesses operating in Indiana have until January 1, 2026 to prepare for compliance with the Indiana CDPA. Businesses that already comply with the privacy laws of states like Virginia, Connecticut, or Colorado have completed a significant portion of the groundwork for Indiana data privacy law compliance. Businesses that meet the Indiana data privacy law’s applicability thresholds must be ready with a solution that provides users with the required privacy notice and opt-out options.

Solutions like Cookiebot CMP provide a centralized system for managing user consent or opt-out for cookie use. Cookiebot CMP alerts users to the cookies used and enables them to control their consent preferences. Additionally, Cookiebot CMP’s cookie checker, categorization, and consent record-keeping are essential for demonstrating compliance and accountability during regulatory audits or data subject access requests.

Scan your website for free with Cookiebot CMP to see what cookies and trackers it uses.


As with any new regulation, we can expect updates to the Indiana privacy law over time as both technology and consumer expectations evolve. Initially inspired by the EU’s GDPR and California’s CCPA, Indiana’s regulation was shaped through collaboration between lawmakers and the local business community, resulting in a law that closely resembles Virginia’s privacy law. Businesses should consult a qualified legal professional or data privacy expert, such as a Data Protection Officer, to navigate these changes and maintain compliance as the law evolves.
