November 21, 2025
By: David A. Bowen and Stacy Walton Long
The Indiana Consumer Data Protection Act (INCDPA), effective January 1, 2026, introduces new requirements for businesses that handle personal data of Indiana residents. If your company operates in Indiana or targets Indiana consumers, now is the time to ensure compliance with the INCDPA.
What is the INCDPA?
The INCDPA is Indiana’s first comprehensive data privacy law, modeled after similar privacy laws enacted in other states. It grants Indiana consumers significant rights to Indiana residents regarding their personal data and imposes obligations on businesses that control or process that data.
Who Must Comply?
The INCDPA applies to entities that conduct business in Indiana or produce products or services targeted to Indiana residents, and that, during a calendar year, either:
- Control or process personal data of at least 100,000 Indiana consumers annually; or
- Control or process data of at least 25,000 Indiana consumers and derive over 50% of gross revenue from selling personal data.
Who is Exempt?
- The state and its agencies, political subdivisions of the state, and third parties acting on behalf of these entities under a contract.
- Any financial institutions and affiliates, or data, subject to the Gramm-Leach-Bliley Act (GLBA).
- Any covered entity or business associate governed by HIPAA.
- Non-profit organizations.
- Higher education institutions.
- Public utilities or their affiliates.
INCDPA also exempts certain data such as protected health information under HIPAA, data subject to GLBA, information used to protect data subjects, research or patient-identifying purposes. Importantly, unlike California’s privacy law, the INCDPA does not apply to employment-related or business-to-business data. It also exempts personal data covered under laws such as the Fair Credit Reporting Act and Driver’s Privacy Protection Act. However, even if upon first review an entity believes they are exempt, or only dealing with exempt data, they should carefully review their structure and the data they hold to ensure that INCDPA does not apply to certain parts of their business that may not be exempt.
Key Consumer Rights
Indiana consumers will have rights to:
- Confirm and Access – to confirm whether a controller is processing the consumer’s personal data and to access such data.
- Correction – to correct inaccuracies in personal data, considering the nature of the data and purposes of processing.
- Deletion – to delete personal data provided by or obtained about the consumer.
- Data Portability – to obtain a copy of their data in a portable format.
- Opt out – to opt out of processing for purposes of targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.
Business Obligations
Businesses that determine the purposes and means of data processing (controllers) shall:
- Provide clear privacy notices.
- Limit data collection to what is necessary.
- Process personal data only for necessary, disclosed purposes or with consumer consent.
- Maintain reasonable data security practices.
- Respond to consumer requests within 45 days.
- Conduct data protection assessments for high-risk processing activities.
- Not unlawfully discriminate or penalize consumers for exercising rights.
- Obtain consent before processing sensitive data.
- Clearly disclose targeted advertising or sale and offer an opt-out mechanism.
- Enter binding contracts with processors detailing processing instructions, confidentiality, data handling, and audit rights.
- If holding de-identified data, prevent its re-identification, publicly commit not to re-identify it, and contractually obligate recipients to do the same.
Businesses that process personal data on behalf of controllers (processors) shall:
- Follow the controller’s instructions and assist with consumer requests, security, breach notifications, and data protection assessments.
- Ensure confidentiality and only engage subcontractors with contractual flow-down obligations and controller authorization.
- Make information available to demonstrate compliance and allow for reasonable assessments or audits.
Enforcement and Penalties
The Indiana Attorney General will enforce the INCDPA. Violations can result in an injunction and/or civil penalties up to $7,500 per violation. The Attorney General must give a 30-day notice of violation and opportunity to cure before acting. If the violation is cured, no action can be taken. There is no private right of action, meaning consumers cannot sue directly under the law.
What Should Businesses Do Now?
- Confirm whether the INCDPA applies by evaluating the volume of consumer data you handle, and the proportion of your revenue derived from data sales.
- Audit your data practices to understand what personal data you collect and why.
- Update privacy and compliance policies to reflect INCDPA requirements.
- Implement systems to handle consumer data requests.
- Train staff on compliance procedures.
Please contact David A. Bowen and Stacy Walton Long to help determine the applicability of the INCDPA to your business, and if so, how to ensure compliance.
Disclaimer: The contents of this article should not be construed as legal advice or a legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult with counsel concerning your situation and specific legal questions you may have.
Practices
Industries
November 21, 2025
By: David A. Bowen and Stacy Walton Long
The Indiana Consumer Data Protection Act (INCDPA), effective January 1, 2026, introduces new requirements for businesses that handle personal data of Indiana residents. If your company operates in Indiana or targets Indiana consumers, now is the time to ensure compliance with the INCDPA.
What is the INCDPA?
The INCDPA is Indiana’s first comprehensive data privacy law, modeled after similar privacy laws enacted in other states. It grants Indiana consumers significant rights to Indiana residents regarding their personal data and imposes obligations on businesses that control or process that data.
Who Must Comply?
The INCDPA applies to entities that conduct business in Indiana or produce products or services targeted to Indiana residents, and that, during a calendar year, either:
- Control or process personal data of at least 100,000 Indiana consumers annually; or
- Control or process data of at least 25,000 Indiana consumers and derive over 50% of gross revenue from selling personal data.
Who is Exempt?
- The state and its agencies, political subdivisions of the state, and third parties acting on behalf of these entities under a contract.
- Any financial institutions and affiliates, or data, subject to the Gramm-Leach-Bliley Act (GLBA).
- Any covered entity or business associate governed by HIPAA.
- Non-profit organizations.
- Higher education institutions.
- Public utilities or their affiliates.
INCDPA also exempts certain data such as protected health information under HIPAA, data subject to GLBA, information used to protect data subjects, research or patient-identifying purposes. Importantly, unlike California’s privacy law, the INCDPA does not apply to employment-related or business-to-business data. It also exempts personal data covered under laws such as the Fair Credit Reporting Act and Driver’s Privacy Protection Act. However, even if upon first review an entity believes they are exempt, or only dealing with exempt data, they should carefully review their structure and the data they hold to ensure that INCDPA does not apply to certain parts of their business that may not be exempt.
Key Consumer Rights
Indiana consumers will have rights to:
- Confirm and Access – to confirm whether a controller is processing the consumer’s personal data and to access such data.
- Correction – to correct inaccuracies in personal data, considering the nature of the data and purposes of processing.
- Deletion – to delete personal data provided by or obtained about the consumer.
- Data Portability – to obtain a copy of their data in a portable format.
- Opt out – to opt out of processing for purposes of targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.
Business Obligations
Businesses that determine the purposes and means of data processing (controllers) shall:
- Provide clear privacy notices.
- Limit data collection to what is necessary.
- Process personal data only for necessary, disclosed purposes or with consumer consent.
- Maintain reasonable data security practices.
- Respond to consumer requests within 45 days.
- Conduct data protection assessments for high-risk processing activities.
- Not unlawfully discriminate or penalize consumers for exercising rights.
- Obtain consent before processing sensitive data.
- Clearly disclose targeted advertising or sale and offer an opt-out mechanism.
- Enter binding contracts with processors detailing processing instructions, confidentiality, data handling, and audit rights.
- If holding de-identified data, prevent its re-identification, publicly commit not to re-identify it, and contractually obligate recipients to do the same.
Businesses that process personal data on behalf of controllers (processors) shall:
- Follow the controller’s instructions and assist with consumer requests, security, breach notifications, and data protection assessments.
- Ensure confidentiality and only engage subcontractors with contractual flow-down obligations and controller authorization.
- Make information available to demonstrate compliance and allow for reasonable assessments or audits.
Enforcement and Penalties
The Indiana Attorney General will enforce the INCDPA. Violations can result in an injunction and/or civil penalties up to $7,500 per violation. The Attorney General must give a 30-day notice of violation and opportunity to cure before acting. If the violation is cured, no action can be taken. There is no private right of action, meaning consumers cannot sue directly under the law.
What Should Businesses Do Now?
- Confirm whether the INCDPA applies by evaluating the volume of consumer data you handle, and the proportion of your revenue derived from data sales.
- Audit your data practices to understand what personal data you collect and why.
- Update privacy and compliance policies to reflect INCDPA requirements.
- Implement systems to handle consumer data requests.
- Train staff on compliance procedures.
Please contact David A. Bowen and Stacy Walton Long to help determine the applicability of the INCDPA to your business, and if so, how to ensure compliance.
Disclaimer: The contents of this article should not be construed as legal advice or a legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult with counsel concerning your situation and specific legal questions you may have.