Indiana enacted the Consumer Data Protection Act on 1st May 2023, when Governor Eric Holcomb signed Senate Bill 5 into law. Indiana became the seventh US state to pass comprehensive data privacy legislation. The law takes effect on 1st January 2026.
The Indiana Attorney General has historically taken an aggressive approach to data protection enforcement, making early preparation essential.
Who Must Comply?
The Indiana Consumer Data Protection Act applies to businesses that conduct business in Indiana or produce products or services targeted to Indiana residents. To be covered, a business must meet at least one of two thresholds during a calendar year:
Threshold 1: Process personal data of 100,000 or more Indiana consumers.
Threshold 2: Process personal data of 25,000 or more Indiana consumers AND derive more than 50% of gross revenue from selling personal data.
The law doesn’t apply to non-profit organisations, government agencies, financial institutions covered by the Gramm-Leach-Bliley Act, covered entities and business associates under HIPAA, or higher education institutions.
Consumer Rights
Indiana residents have the following rights:
- Right to confirm whether you’re processing their data and access that data
- Right to request corrections to inaccurate information
- Right to request deletion of personal data
- Right to obtain data in a portable, readily usable format
- Right to opt out of targeted advertising, sale of personal data, and profiling
Business Obligations
Covered entities must:
- Maintain a clear, accessible privacy notice
- Respond to consumer requests within 45 days (with possible 45-day extension)
- Implement reasonable data security practices
- Conduct data protection assessments for high-risk processing
- Limit data collection to what is adequate, relevant, and reasonably necessary
- Obtain consent before processing sensitive data
Sensitive Data
The Act requires consent before processing sensitive data, which includes:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnoses
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric data
- Personal data of children under 13
- Precise geolocation data
Enforcement and Penalties
The Indiana Attorney General has exclusive enforcement authority. There is no private right of action.
Before taking legal action, the Attorney General must provide 30 days’ written notice and give you the opportunity to cure violations. This right to cure is permanent—it doesn’t expire. This means you’ll always have an opportunity to fix violations before facing penalties.
If violations aren’t cured, penalties can reach up to $7,500 per violation. Each affected consumer can count as a separate violation. The Attorney General may also seek injunctive relief.
Key Dates
- May 1 2023: Indiana Consumer Data Protection Act signed into law
- January 1 2026: Act takes effect
Where to Find Official Resources
- Full legal text: Indiana General Assembly SB 5
- Indiana Attorney General: in.gov/attorneygeneral/consumer-protection
Getting Started
Indiana’s permanent cure period provides some protection, but relying on it is poor practice. Proactive compliance demonstrates respect for consumer privacy and builds trust with your customers.
The law takes effect on 1st January 2026. Start by assessing whether the law applies to you, reviewing your privacy notice, implementing consumer request processes, and training your staff. Building a compliant privacy programme takes time.
