Indiana Consumer Data Protection Act: 101 – What You Need to Know


What Is the Indiana Consumer Data Protection Act?

Indiana enacted the Consumer Data Protection Act on 1st May 2023, when Governor Eric Holcomb signed Senate Bill 5 into law. Indiana became the seventh US state to pass comprehensive data privacy legislation. The law takes effect on 1st January 2026, giving businesses more than two years to prepare their compliance programmes.

If your organisation processes personal data of Indiana residents—whether you’re based in Indiana, elsewhere in the US, or internationally—this law may apply to you. The Indiana Attorney General has historically taken an aggressive approach to data protection enforcement, making early preparation essential.

Who Must Comply?

The Indiana Consumer Data Protection Act applies to businesses that conduct business in Indiana or produce products or services targeted to Indiana residents and meet specific data processing thresholds.

You must comply if you process personal data of 100,000 or more Indiana consumers during a calendar year, or if you process personal data of 25,000 or more Indiana consumers and derive more than 50% of gross revenue from selling personal data.

The law doesn’t apply to non-profit organisations, government agencies, financial institutions covered by the Gramm-Leach-Bliley Act, covered entities and business associates under HIPAA, higher education institutions, or information covered by certain federal privacy laws. Most small businesses won’t meet these thresholds unless they specifically sell personal data as part of their business model.

Consumer Rights Under the Act

Indiana residents have five key rights regarding their personal data:

  • the right to confirm whether you’re processing their data and to access that data (unless doing so would reveal trade secrets);

  • the right to request correction of inaccurate information;

  • the right to request deletion of personal data they’ve provided or that you’ve obtained about them;

  • the right to obtain their data in a portable, readily usable format that allows transmission to another business without hindrance; and

  • the right to opt out of targeted advertising, the sale of their personal data, and profiling used for solely automated decisions that produce legal or similarly significant effects.

What Are Your Obligations?

If the Indiana Consumer Data Protection Act applies to your organisation, you must implement several key requirements.

You must maintain a reasonably accessible, clear, and meaningful privacy notice that includes the categories of personal data you collect, the purposes for which you use the data, how consumers can exercise their rights, the categories of personal data you share and with whom, and how to appeal decisions regarding consumer rights requests.

You must respond to consumer requests within 45 days, with the option to extend by another 45 days if necessary. You must inform consumers of any extension and explain why it’s needed.

You must establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of personal data you process.

For high-risk processing activities—including targeted advertising, sale of personal data, profiling that produces legal or similarly significant effects, and processing sensitive data—you must conduct and document data protection assessments. These assessments evaluate the benefits of processing against potential privacy risks and the safeguards you’ve implemented to mitigate those risks.

You must limit your collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purposes. Collecting data “just in case” violates this principle.

You must obtain consumer consent before processing sensitive data, unless a specific exemption applies. Sensitive data includes racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status, genetic or biometric data, personal data of children under 13, and precise geolocation data.

Training Your Team

Whilst the Indiana Consumer Data Protection Act doesn’t explicitly mandate employee training, implementing a data protection programme without training your staff is impractical and risky. Consider training as an essential part of compliance.

Your training programme should cover what personal data your organisation collects and why, how to recognise and respond to consumer rights requests, data security best practices, the importance of data minimisation, how to handle sensitive data, and your organisation’s specific privacy policies and procedures.

Regular refresher training helps ensure your team stays current with evolving data practices and any changes to your privacy programme. Customer service teams need training on handling requests promptly and correctly. Marketing teams must understand targeted advertising restrictions. IT teams require training on technical security requirements and implementing consumer rights.

Enforcement and Penalties

The Indiana Attorney General has exclusive authority to enforce the Indiana Consumer Data Protection Act. There is no private right of action, meaning individual consumers cannot sue you directly for violations.

Before taking legal action, the Attorney General must provide you with 30 days’ written notice identifying the specific violations and give you the opportunity to cure the violations within that period. The Attorney General can only proceed with enforcement if you fail to cure the violations.

This right to cure provision is permanent—it doesn’t expire. This means you’ll always have an opportunity to fix violations before facing penalties.

If violations aren’t cured, the Attorney General may seek civil penalties of up to $7,500 per violation. Each affected consumer can count as a separate violation, so penalties can accumulate quickly for widespread issues. The Attorney General may also seek injunctive relief to stop ongoing violations.

The Indiana Attorney General’s office has historically been active in consumer protection enforcement, particularly regarding data breach notification requirements. Based on this track record, businesses should expect the Attorney General to take data privacy enforcement seriously once the Act takes effect.

Preparing for Compliance

To prepare for the Indiana Consumer Data Protection Act’s effective date, start by assessing whether the law applies to you. Calculate how many Indiana consumers’ data you process annually.

Review and update your privacy notice to ensure it meets all requirements. Your notice must be clear, accessible, and written in plain language. It should explain what data you collect, why you collect it, how you use it, whom you share it with, and how consumers exercise their rights.

Implement processes for handling consumer requests. You need systems to verify consumer identities, locate relevant data across your systems, fulfil requests within 45 days, document your responses, and handle appeals if you deny requests.

Conduct data protection assessments for high-risk processing activities. Document the benefits of processing, potential privacy risks, and safeguards you’ve implemented. Retain these assessments for at least three years after the processing ceases.

Review your data collection practices to ensure you’re only collecting data that’s necessary for your disclosed purposes. Identify opportunities to minimise data collection and eliminate unnecessary data processing.

Update your data security measures to ensure they’re appropriate for the sensitivity and volume of data you process. Implement both technical safeguards (encryption, access controls, secure storage) and organisational measures (policies, procedures, training programmes).

Review vendor contracts to ensure data processors have appropriate contractual obligations. Your contracts should specify the processing instructions, the nature and purpose of processing, the type of data, the duration of processing, and each party’s rights and obligations.

Train your staff on the new requirements and their roles in compliance. Don’t wait until December 2025—building a privacy-aware culture takes time.

Where to Get Help

For detailed compliance advice specific to your business, consult a privacy lawyer familiar with US state privacy laws. If you operate internationally, seek guidance on how the Indiana Consumer Data Protection Act interacts with laws in your jurisdiction. Privacy consultants can conduct gap assessments to identify what you need to change before January 2026.

Understanding the Indiana Consumer Data Protection Act is the first step towards compliance. Measured Collective offers privacy compliance training that covers principles applicable to US state privacy laws. Whilst the Indiana law has specific requirements, many privacy principles are universal. Building a strong foundation in data protection practices will help you comply with Indiana’s law and prepare for privacy regulations in other jurisdictions.

The key is to start early. With the law taking effect on 1st January 2026, now is the time to assess your obligations and begin implementation. Don’t wait until the last minute—building a compliant privacy programme takes time, and getting it right from the start is far easier than fixing problems after enforcement begins.

The permanent cure period provides some protection, but relying on it is poor practice. Proactive compliance demonstrates respect for consumer privacy and builds trust with your customers.


Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

    With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

    Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.
