Overview of the Law
The Indiana Consumer Data Protection Act (INCDPA), enacted as Senate Bill 5 and signed into law on 24 March 2022, officially took effect on 1 January 2026. Indiana joins a growing list of US states — including Virginia, Colorado, Connecticut, Texas, and Florida — that have enacted comprehensive consumer data privacy legislation modelled broadly on the European GDPR framework.
Critical timing: The INCDPA took effect on 1 January 2026. The Indiana Attorney General has exclusive enforcement authority and must provide 30 days' written notice before bringing an action, giving a controller or processor an opportunity to cure the alleged violation.
For the official bill text, see: Indiana Senate Bill 5 — Indiana General Assembly
Key Provisions
The INCDPA establishes a framework of consumer rights and controller obligations that closely resembles similar laws in Virginia (CDPA), Colorado (CPA), and Connecticut (CTDPA).
Consumer Rights
Indiana residents have the following rights under the INCDPA:
| Right | Description |
|---|---|
| Access | Right to confirm whether a controller is processing their personal data and to access it |
| Correction | Right to correct inaccuracies in their personal data |
| Deletion | Right to delete personal data provided by or obtained about them |
| Portability | Right to obtain a portable copy of their personal data |
| Opt-out | Right to opt out of: (1) targeted advertising, (2) the sale of personal data, and (3) profiling for decisions with significant effects |
Controller Obligations
Organisations that qualify as “controllers” under INCDPA must:
- Respond to consumer requests within 45 days (extendable by 45 days in complex cases)
- Provide a clear and accessible privacy notice describing data categories, purposes, and consumer rights
- Establish a secure and reliable means for consumers to exercise their rights
- Conduct Data Protection Assessments for high-risk processing activities, including:
  - Processing for targeted advertising
  - Sale of personal data
  - Processing for certain profiling activities
  - Processing sensitive personal data
- Limit data collection to what is adequate, relevant, and reasonably necessary for stated purposes
- Implement reasonable data security measures appropriate to the volume and sensitivity of data
- Not discriminate against consumers for exercising their privacy rights
Sensitive Personal Data
The INCDPA applies heightened protections to “sensitive data,” which includes: racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation or gender identity, immigration status, genetic or biometric data, children’s data, and precise geolocation.
Consent is required before processing sensitive data.
Who Must Comply
The INCDPA applies to organisations that conduct business in Indiana or produce products or services targeted to Indiana residents, AND that, during a calendar year, either:
- Control or process personal data of at least 100,000 consumers, OR
- Control or process personal data of at least 25,000 consumers AND derive more than 50% of gross revenue from the sale of personal data
Exemptions: The INCDPA exempts a range of entities and data types, including:
- State and local government entities
- Financial institutions and data subject to the Gramm-Leach-Bliley Act (GLBA)
- HIPAA-covered entities and business associates (for HIPAA-covered data)
- Non-profit organisations
- Higher education institutions
- Data processed under FERPA, COPPA, the Fair Credit Reporting Act, and certain other federal frameworks
For multi-state guidance, see: IAPP US State Privacy Legislation Tracker and NCSL State Privacy Laws Summary
Effective Date & Enforcement Timeline
| Milestone | Date |
|---|---|
| INCDPA signed into law | 1 May 2023 |
| INCDPA effective date | 1 January 2026 |
| Attorney General notice-and-cure period | 30 days after written notice of an alleged violation |
The cure right is a pre-enforcement notice mechanism, not a delayed compliance date. Covered organisations should treat INCDPA obligations as live now and be ready to evidence remediation quickly if the Attorney General issues a notice.
Enforcement is exclusively by the Indiana Attorney General. There is no private right of action under the INCDPA — Indiana consumers cannot sue companies directly under this law.
Comparison with Other State Laws
Indiana broadly follows the Virginia-style model: no private right of action, Attorney General enforcement, consumer opt-out rights for targeted advertising and sale, sensitive data consent, and assessments for high-risk processing. The main operational points for multi-state teams are Indiana’s 100,000-consumer threshold, the alternative 25,000-consumer-plus-50%-data-sale-revenue threshold, and the statutory 30-day cure process.
What Managers Need to Do Now
With the enforcement grace period ending on 1 July 2026, organisations subject to INCDPA must move quickly to achieve compliance.
HR Teams
- Review employee data practices. Confirm whether your organisation processes Indiana consumer data (note: in most state laws, B2B and employee data is partially or fully excluded — verify scope under INCDPA).
- Update privacy notices and policies. Ensure your employee-facing privacy notices, where applicable, reflect INCDPA rights and your organisation’s data practices.
- Implement consumer rights request procedures. Even if HR data is excluded from the law’s scope, establish internal workflows to handle consumer requests within the 45-day window.
- Train relevant staff. Ensure that employees who handle personal data understand the INCDPA consumer rights framework and know how to escalate requests.
Senior Leadership
- Conduct a threshold assessment. Confirm whether your organisation meets the INCDPA’s applicability thresholds. Engage legal counsel to assess Indiana-nexus risks.
- Commission Data Protection Assessments. High-risk processing activities — including targeted advertising, data sales, and sensitive data processing — require documented DPAs before processing continues.
- Review your data inventory. A complete understanding of what data you collect, from whom, how, and why is the foundation of INCDPA compliance.
- Engage your privacy counsel. The interaction between INCDPA and other state laws (particularly if you operate in Virginia, Colorado, Connecticut, Texas, or California) may create overlapping obligations that require coordinated legal advice.
- Assess enforcement exposure. With no private right of action, enforcement risk is concentrated in AG actions — but AG investigations can be resource-intensive and reputationally damaging.
Marketing
- Audit targeted advertising practices. Targeted advertising is one of the INCDPA’s primary regulated activities. Confirm that your online advertising practices are disclosed in your privacy notice and that an opt-out mechanism is available to Indiana consumers.
- Review data sale activities. If your organisation sells personal data (including in the broad sense used in state privacy laws — sharing for cross-context behavioural advertising may qualify), ensure this is disclosed and that an opt-out is available.
- Update consent mechanisms. If your organisation processes sensitive data (including precise geolocation) for marketing purposes, confirm that opt-in consent has been obtained.
- Review your cookie and tracking technology disclosures. Many tracking technologies used in marketing may implicate INCDPA’s definition of “sale” or “targeted advertising” — ensure your privacy notices and consent flows are accurate.
Resources & Further Reading
- Indiana Senate Bill 5 (INCDPA) — Official text
- IAPP US State Privacy Legislation Tracker — comprehensive comparison tool
- NCSL: State Laws Related to Digital Privacy
- Indiana Attorney General — Consumer Protection
