The Indiana Consumer Data Protection Act took effect on January 1 2026. The Indiana Attorney General has signaled an intention to actively enforce the law while providing businesses reasonable opportunity to cure violations.
How INCDPA Enforcement Works
The Indiana Attorney General has exclusive enforcement authority under the INCDPA. Consumers cannot bring private lawsuits for violations.
The law includes a 30-day cure period that does not expire. This permanent cure period is rare among state privacy laws. If a business resolves a violation and notifies the Attorney General within 30 days, it can avoid litigation and fines.
Penalties can reach up to $7,500 per violation. The Attorney General can also seek injunctive relief.
Enforcement Status
As of January 2026, the INCDPA has just taken effect. No enforcement actions or fines have been announced yet.
The Attorney General has released a Consumer Data Protection Bill of Rights to educate consumers about their new rights and how to file complaints.
Enforcement Approach
Attorney General Todd Rokita has outlined the office’s enforcement approach:
Consumer complaints. The AG will rely significantly on consumer complaints submitted through the online portal on the Attorney General’s website.
Staff reviews. In addition to complaints, AG staff will independently review company practices for potential violations.
Privacy notice focus. The AG has emphasized enforcement of requirements for “simple-to-understand” privacy notices.
Recommendations to lawmakers. The AG expects to make recommendations during the 2026 legislative session based on early enforcement experience.
Expected Focus Areas
Based on the Attorney General’s statements and the INCDPA’s structure:
Privacy notice clarity. The AG has specifically mentioned privacy notice requirements as an enforcement priority. Notices must be easy to understand.
Sensitive data consent. Indiana requires consent before processing sensitive data. Processing health, biometric, or children’s data without consent creates enforcement risk.
Consumer request handling. Businesses must respond to consumer requests within 45 days. Systematic failures to respond may attract attention.
Data security. Indiana’s breach notification law (separate from INCDPA) requires prompt notification of breaches, with penalties up to $150,000 per deceptive act. Security practices may receive attention alongside INCDPA compliance.
Permanent Cure Period
Indiana’s permanent 30-day cure period provides ongoing protection:
- Businesses receive notice of alleged violations
- 30 days to remedy the issue
- Written confirmation that violations are cured and will not recur
- If cured within 30 days, no fines or litigation
This structure encourages compliance over penalties but does not prevent enforcement against businesses that fail to cure.
What This Means for Your Organization
Indiana’s enforcement approach balances consumer protection with business flexibility. The permanent cure period provides meaningful protection for good-faith compliance efforts.
Businesses should:
- Ensure privacy notices are clear and easy to understand
- Implement consent mechanisms for sensitive data processing
- Establish processes to respond to consumer requests within 45 days
- Monitor the AG’s website for complaint patterns and guidance
- Prepare to address any cure notices promptly
The combination of consumer complaints and staff reviews means businesses should not assume violations will go unnoticed.
