Indiana enacted the Consumer Data Protection Act on 1st May 2023, when Governor Eric Holcomb signed Senate Bill 5 into law. Indiana became the seventh US state to pass comprehensive data privacy legislation. The law took effect on 1st January 2026.
If your organisation processes personal data of Indiana residents—whether you’re based in Indiana, elsewhere in the US, or internationally—this law may apply to you.
Key distinction: Indiana’s law includes a permanent 30-day cure period that never expires. Unlike California (which eliminated its cure period) or other states where cure periods have sunset dates, Indiana businesses will always have the opportunity to fix violations before facing penalties. This makes Indiana one of the most business-friendly state privacy laws in the US.
How Indiana Compares to Other Business-Friendly State Laws
Indiana’s law closely follows the Virginia model, taking a middle path between consumer protection and business practicality. Here’s how it compares to other “business-friendly” state laws:
| Feature | Indiana | Virginia | Utah |
|---|---|---|---|
| Effective date | 1 Jan 2026 | 1 Jan 2023 | 31 Dec 2023 |
| Consumer threshold | 100,000 consumers | 100,000 consumers | 100,000 consumers |
| Alternative threshold | 25,000 + 50% revenue from data sales | 25,000 + 50% revenue from data sales | 25,000 + 50% revenue from data sales |
| Revenue threshold | None | None | $25 million required |
| Cure period | 30 days (permanent) | 30 days (had sunset) | 30 days (permanent) |
| Right to correct | Yes | Yes | No |
| Right to opt out of profiling | Yes | Yes | No |
| Sensitive data approach | Consent required | Consent required | Notice + opt-out only |
| Data protection assessments | Required for high-risk processing | Required for high-risk processing | Not required |
| Private right of action | No | No | No |
| Maximum penalty | $7,500 per violation | $7,500 per violation | $7,500 per violation |
| Representative summary option | Yes (unique feature) | No | No |
Indiana’s unique feature: Controllers can respond to consumer access requests with either a full copy of personal data or a “representative summary.” This reduces the complexity and cost of fulfilling requests while maintaining transparency—no other state law explicitly allows this.
Who Must Comply?
The Indiana Consumer Data Protection Act applies to businesses that conduct business in Indiana or produce products or services targeted to Indiana residents and meet specific data processing thresholds.
You must comply if you:
- Process personal data of 100,000 or more Indiana consumers during a calendar year, OR
- Process personal data of 25,000 or more Indiana consumers AND derive more than 50% of gross revenue from selling personal data
The law doesn’t apply to:
- Non-profit organisations
- Government agencies
- Financial institutions covered by the Gramm-Leach-Bliley Act
- Covered entities and business associates under HIPAA
- Higher education institutions
- Information covered by certain federal privacy laws
Most small businesses won’t meet these thresholds unless they specifically sell personal data as part of their business model.
Consumer Rights Under the Act
Indiana residents have five key rights regarding their personal data:
- Right to confirm and access: Confirm whether you’re processing their data, and access that data (unless doing so would reveal trade secrets)
- Right to correct: Request corrections to inaccurate information
- Right to delete: Request deletion of personal data they’ve provided or you’ve obtained about them
- Right to portability: Obtain their data in a portable, readily usable format
- Right to opt out: Opt out of targeted advertising, the sale of their personal data, and profiling used for automated decisions with legal or significant effects
Business Obligations
If the Indiana Consumer Data Protection Act applies to your organisation, you must:
- Privacy notices: Maintain a reasonably accessible, clear, and meaningful privacy notice that includes the categories of personal data you collect, the purposes for processing, how consumers can exercise their rights, the categories of data you share and with whom, and how to appeal decisions.
- Response times: Respond to consumer requests within 45 days, with an optional 45-day extension if necessary. You must inform consumers of any extension and explain why.
- Data security: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of personal data you process.
- Data protection assessments: For high-risk processing activities—including targeted advertising, sale of personal data, profiling with legal effects, and processing sensitive data—you must conduct and document assessments. These evaluate the benefits of processing against potential privacy risks and your safeguards.
- Data minimisation: Limit collection to what is adequate, relevant, and reasonably necessary for your disclosed purposes. Collecting data “just in case” violates this principle.
- Sensitive data consent: Obtain consumer consent before processing sensitive data, which includes racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, citizenship or immigration status, genetic or biometric data, children’s data (under 13), and precise geolocation.
Enforcement and Penalties
The Indiana Attorney General has exclusive authority to enforce the Act. There is no private right of action—individual consumers cannot sue you directly for violations.
The Permanent Cure Period
Before taking legal action, the Attorney General must provide you with 30 days’ written notice identifying specific violations and give you the opportunity to cure them. The Attorney General can only proceed with enforcement if you fail to cure.
This cure period is permanent—it never expires. Unlike California (which eliminated its cure period entirely under CPRA) or states like Colorado and Connecticut (where cure periods had sunset dates), Indiana businesses will always have 30 days to fix violations before facing penalties.
If violations aren’t cured, the Attorney General may seek:
- Civil penalties of up to $7,500 per violation
- Injunctive relief to stop ongoing violations
Each affected consumer can count as a separate violation, so penalties can accumulate quickly for widespread issues.
Training Your Team
Whilst the Indiana Consumer Data Protection Act doesn’t explicitly mandate employee training, implementing a data protection programme without training your staff is impractical and risky.
Your training programme should cover:
- What personal data your organisation collects and why
- How to recognise and respond to consumer rights requests
- Data security best practices
- The importance of data minimisation
- How to handle sensitive data
- Your organisation’s specific privacy policies
For guidance on training requirements across privacy regulations, see our article on GDPR training requirements—many principles apply to US state privacy laws as well.
Frequently Asked Questions
Does Indiana’s law apply to businesses outside the US?
Yes. The law applies to any business that conducts business in Indiana or targets products or services to Indiana residents, regardless of where the business is located. A UK company serving Indiana customers could be subject to the law if it meets the data processing thresholds.
What makes Indiana’s law “business-friendly”?
Several features: the permanent 30-day cure period (you always get a chance to fix violations before penalties), the option to provide “representative summaries” instead of full data copies for access requests, no requirement to allow consumers to revoke consent once given, no specific provisions on dark patterns or automated decision-making, and no private right of action.
How is Indiana different from California?
California’s CPRA eliminated its cure period entirely—enforcement can proceed immediately. California also has lower thresholds, requires businesses to honour Global Privacy Control signals, has stricter requirements around “sharing” data for advertising, and has a dedicated enforcement agency (CPPA). Indiana’s approach is more forgiving for businesses.
Do I need to comply with both Indiana and other state laws?
If you do business nationally, you may be subject to multiple state privacy laws simultaneously. Each law applies based on where your consumers are located. A business with customers across multiple states may need to comply with California, Virginia, Colorado, Texas, Indiana, and others. Many businesses adopt a single comprehensive privacy programme that meets the strictest requirements.
What is a “representative summary” for access requests?
Indiana uniquely allows businesses to respond to data access requests with a representative summary of the consumer’s data rather than providing a complete copy. This reduces the burden on businesses while still giving consumers meaningful information about what data is held. No other state law explicitly permits this approach.
Does Indiana require honouring Global Privacy Control (GPC)?
No. Unlike California, Indiana does not require businesses to treat browser-based opt-out signals like GPC as valid consumer requests. However, if you already honour GPC for California compliance, continuing to do so for all users is good practice.
Key Dates
- 1st May 2023: Governor Holcomb signed Senate Bill 5 into law
- 1st January 2026: Law took effect
Official Sources
- Indiana General Assembly Senate Bill 5 — Full text of the legislation
- Indiana Data Consumer Bill of Rights (PDF) — Attorney General’s consumer summary
- Indiana Attorney General Consumer Protection Division
Related US State Privacy Laws
Understanding Indiana’s law in context helps with multi-state compliance:
- California CCPA/CPRA — The most comprehensive, no cure period
- Virginia VCDPA — The model Indiana followed
- Colorado CPA — Similar structure, cure period expired
- Connecticut CTDPA — Similar structure, cure period expired
- Utah UCPA — Most business-friendly (highest thresholds)
- Texas TDPSA — Largest state by population with privacy law
- Oregon OCPA — Additional protections for children
Getting Started
The permanent cure period provides some protection, but relying on it is poor practice. Proactive compliance demonstrates respect for consumer privacy and builds trust with your customers.
Start by assessing whether your business meets the thresholds. If it does, review your privacy notices, implement processes for handling consumer requests within 45 days, and ensure you have consent mechanisms for sensitive data processing.
If your team handles personal data, consider data protection training to ensure everyone understands their responsibilities. Building a privacy-aware culture takes time, but it’s far easier than fixing problems after enforcement begins.
