Overview of the Law
The Indiana Consumer Data Protection Act (INCDPA), enacted as Senate Bill 5 and signed into law on 24 March 2022, officially took effect on 1 January 2026. Indiana joins a growing list of US states — including Virginia, Colorado, Connecticut, Texas, and Florida — that have enacted comprehensive consumer data privacy legislation modelled broadly on the European GDPR framework.
Critical timing: Indiana has built in a six-month enforcement grace period running from 1 April 2026 to 1 July 2026. This means that while the law is already in force, the Indiana Attorney General will not begin enforcing it until 1 July 2026. Organisations that are not yet compliant have a limited window to get there — but that window is closing.
For the official bill text, see: Indiana Senate Bill 5 — Indiana General Assembly
Key Provisions
The INCDPA establishes a framework of consumer rights and controller obligations that closely resembles similar laws in Virginia (CDPA), Colorado (CPA), and Connecticut (CTDPA).
Consumer Rights
Indiana residents have the following rights under the INCDPA:
| Right | Description |
|---|---|
| Access | Right to confirm whether a controller is processing their personal data and to access it |
| Correction | Right to correct inaccuracies in their personal data |
| Deletion | Right to delete personal data provided by or obtained about them |
| Portability | Right to obtain a portable copy of their personal data |
| Opt-out | Right to opt out of: (1) targeted advertising, (2) the sale of personal data, and (3) profiling for decisions with significant effects |
Controller Obligations
Organisations that qualify as “controllers” under INCDPA must:
- Respond to consumer requests within 45 days (extendable by 45 days in complex cases)
- Provide a clear and accessible privacy notice describing data categories, purposes, and consumer rights
- Establish a secure and reliable means for consumers to exercise their rights
- Conduct Data Protection Assessments for high-risk processing activities, including:
- Processing for targeted advertising
- Sale of personal data
- Processing for certain profiling activities
- Processing sensitive personal data
- Limit data collection to what is adequate, relevant, and reasonably necessary for stated purposes
- Implement reasonable data security measures appropriate to the volume and sensitivity of data
- Not discriminate against consumers for exercising their privacy rights
Sensitive Personal Data
The INCDPA applies heightened protections to “sensitive data,” which includes: racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation or gender identity, immigration status, genetic or biometric data, children’s data, and precise geolocation.
Consent is required before processing sensitive data.
Who Must Comply
The INCDPA applies to organisations that conduct business in Indiana or produce products or services targeted to Indiana residents, AND that, during a calendar year, either:
- Control or process personal data of at least 100,000 consumers, OR
- Control or process personal data of at least 25,000 consumers AND derive more than 50% of gross revenue from the sale of personal data
Exemptions: The INCDPA exempts a range of entities and data types, including:
- State and local government entities
- Financial institutions and data subject to the Gramm-Leach-Bliley Act (GLBA)
- HIPAA-covered entities and business associates (for HIPAA-covered data)
- Non-profit organisations
- Higher education institutions
- Data processed under FERPA, COPPA, the Fair Credit Reporting Act, and certain other federal frameworks
For multi-state guidance, see: IAPP US State Privacy Legislation Tracker and NCSL State Privacy Laws Summary
Effective Date & Enforcement Timeline
| Milestone | Date |
|---|---|
| INCDPA signed into law | 24 March 2022 |
| INCDPA effective date | 1 January 2026 |
| Enforcement grace period begins | 1 April 2026 |
| Enforcement grace period ends | 1 July 2026 |
| Indiana AG enforcement begins | 1 July 2026 |
The grace period is not a free pass — it is a cure period. During the grace period, organisations that receive notice of a violation have 30 days to cure the violation before the Attorney General may bring an action. After the grace period ends, the 30-day cure right expires and the AG may act immediately.
Enforcement is exclusively by the Indiana Attorney General. There is no private right of action under the INCDPA — Indiana consumers cannot sue companies directly under this law.
Comparison with Other State Laws
| Feature | Indiana (INCDPA) | Virginia (CDPA) | Colorado (CPA) | Connecticut (CTDPA) |
|---|---|---|---|---|
| Effective date | 1 Jan 2026 | 1 Jan 2023 | 1 Jul 2023 | 1 Jul 2023 |
| Threshold (consumers) | 100,000 OR 25,000 + 50% revenue | 100,000 OR 25,000 + 50% revenue | 100,000 OR 25,000 + 25% revenue | 100,000 OR 25,000 + 25% revenue |
| Private right of action | No | No | No | No |
| Enforcement body | State AG | State AG | State AG | State AG |
| Data Protection Assessments | Required (high-risk) | Required (high-risk) | Required (high-risk) | Required (high-risk) |
| Opt-out of targeted ads | Yes | Yes | Yes | Yes |
| Sensitive data consent | Required | Required | Required | Required |
| Cure period | 30 days (during grace period) | 30 days | 60 days | 60 days |
While Indiana’s framework closely mirrors Virginia’s CDPA, organisations with multi-state operations should note the differences in thresholds, cure periods, and specific category definitions across state laws.
What Managers Need to Do Now
With the enforcement grace period ending on 1 July 2026, organisations subject to INCDPA must move quickly to achieve compliance.
HR Teams
- Review employee data practices. Confirm whether your organisation processes Indiana consumer data (note: in most state laws, B2B and employee data is partially or fully excluded — verify scope under INCDPA).
- Update privacy notices and policies. Ensure your employee-facing privacy notices, where applicable, reflect INCDPA rights and your organisation’s data practices.
- Implement consumer rights request procedures. Even if HR data is excluded from the law’s scope, establish internal workflows to handle consumer requests within the 45-day window.
- Train relevant staff. Ensure that employees who handle personal data understand the INCDPA consumer rights framework and know how to escalate requests.
Senior Leadership
- Conduct a threshold assessment. Confirm whether your organisation meets the INCDPA’s applicability thresholds. Engage legal counsel to assess Indiana-nexus risks.
- Commission Data Protection Assessments. High-risk processing activities — including targeted advertising, data sales, and sensitive data processing — require documented DPAs before processing continues.
- Review your data inventory. A complete understanding of what data you collect, from whom, how, and why is the foundation of INCDPA compliance.
- Engage your privacy counsel. The interaction between INCDPA and other state laws (particularly if you operate in Virginia, Colorado, Connecticut, Texas, or California) may create overlapping obligations that require coordinated legal advice.
- Assess enforcement exposure. With no private right of action, enforcement risk is concentrated in AG actions — but AG investigations can be resource-intensive and reputationally damaging.
Marketing
- Audit targeted advertising practices. Targeted advertising is one of the INCDPA’s primary regulated activities. Confirm that your online advertising practices are disclosed in your privacy notice and that an opt-out mechanism is available to Indiana consumers.
- Review data sale activities. If your organisation sells personal data (including in the broad sense used in state privacy laws — sharing for cross-context behavioural advertising may qualify), ensure this is disclosed and that an opt-out is available.
- Update consent mechanisms. If your organisation processes sensitive data (including precise geolocation) for marketing purposes, confirm that opt-in consent has been obtained.
- Review your cookie and tracking technology disclosures. Many tracking technologies used in marketing may implicate INCDPA’s definition of “sale” or “targeted advertising” — ensure your privacy notices and consent flows are accurate.
Resources & Further Reading
- Indiana Senate Bill 5 (INCDPA) — Official text
- IAPP US State Privacy Legislation Tracker — comprehensive comparison tool
- NCSL: State Laws Related to Digital Privacy
- Indiana Attorney General — Consumer Protection
Strengthen Your Team’s Knowledge
Are your teams prepared for the wave of US state privacy laws now in force? Our US State Privacy Laws Training for Compliance Teams covers Indiana, Virginia, Colorado, Connecticut, Texas, and California — with practical modules tailored for HR, marketing, and senior leadership. Also explore our Data Protection Impact Assessment Masterclass for hands-on guidance on completing compliant assessments.
