Indiana’s privacy regulation (ICDPA), signed into law in May 2023, intends to safeguard consumer privacy. The law aims to secure consumers with control over their personal data and make data handling policies of data controllers transparent.
Effective date: January 1, 2026
Official text: ICDPA (SB5)
What is the Indiana Consumer Data Protection Act (ICDPA)?
These days, individuals are bombarded with privacy concerns, and a law like ICDPA protects their interests by endowing them with rights and convenient methods to exercise them.
ICDPA is the privacy law of Indiana that promotes data transparency and protects the consumer’s personal data. Similar to most US privacy laws, it requires data controllers such as businesses to provide privacy notices, respond promptly to consumer requests, limit the collection and use of personal data, and so on. It also grants rights to consumers and prescribes fines for violations.
The Attorney General of Indiana is the exclusive enforcement agency of the law.
Who does the Indiana CDPA apply to?
The first step to privacy law compliance is to identify whether the law applies to you. Let us take a moment to review the specific requirements to determine the applicability of ICDPA.
ICDPA applies to for-profit businesses in or outside Indiana that target Indiana residents and, in a year, meet either of these two requirements:
- Control or process the personal data of 100,000 or more consumers, OR
- Control or process the personal data of 25,000 or more consumers and derive 50% of their annual revenue from the sale of personal data.
A consumer is an Indiana resident who acts in a personal, family, or household context but not in an employment/commercial context.
Who does ICDPA not apply to?
The law accommodates exemptions for the following entities:
- State and its agencies
- Third parties acting on behalf of these entities under a contract.
- Entities covered by the Gramm-Leach-Bliley Act and HIPAA
- Non-profit entities
- Higher education institutions
- Public utilities or their affiliates
In addition, ICDPA exempts certain data, such as protected health information under HIPAA, information used to protect human research subjects, and patient-identifying information. It also exempts personal data covered under other laws such as the Fair Credit Reporting Act and the Driver’s Privacy Protection Act.
What is personal data under the Indiana CDPA?
Any information that is capable of identifying an individual is personal data. This includes but is not limited to contact information, email addresses, residence addresses, and online identifiers like cookies and IP addresses. Consumers expect privacy and reasonable control over their personal data.
ICDPA defines personal data as “information that is linked or reasonably linkable to an identified or identifiable individual”.
However, it does not include de-identified data, publicly available information, and aggregate data.
De-identified data cannot identify the individual to whom the personal data relates. Here is a simple example:
Type of data | Name | Time spent | Pages visited
Personal data | James | 30 minutes | Home, product, cart, payment
De-identified data | User A | 30 minutes | Home, product, cart, payment
Aggregate data links information to a group of individuals rather than a single individual. For example, "200 users purchased product A on Monday" rather than the names and IP addresses of those who purchased it.
There are two ways in which personal data becomes publicly available information. They are as follows:
- If made available through public records.
- If published in mass media by the consumer or by someone to whom the consumer conveyed it, without restricting it to a specific audience.
What is sensitive data under the Indiana CDPA?
Sensitive data is prone to cause severe harm or damage if compromised. Therefore, it is pertinent to have an accurate definition and an additional level of safeguard for this type of data. Let us figure out what sensitive data means under ICDPA.
The following data would be treated as sensitive data:
- Personal data that reveals any of the following: racial/ethnic origin, religious beliefs, mental/physical health diagnosis, sexual orientation, citizenship status, or immigration status.
- Genetic/biometric data used to identify an individual.
- Personal data collected from a child who is known to be below 13 years of age.
- Precise geolocation data.
What are the duties of businesses under the Indiana Consumer Data Protection Act (ICDPA)?
Data privacy is a team effort that involves people from multiple fields such as law, engineering, and cybersecurity. To reinforce the need for privacy-conscious handling of personal data, ICDPA imposes the following obligations upon businesses.
Data minimization
Limit the collection of personal data to what is reasonably necessary for the specific purpose for which it will be used. Even though personal data may contribute to the performance and efficiency of a product, it might also be a liability when it comes to privacy compliance. Therefore collect what is necessary, adequate, and relevant.
Purpose limitation
Constrain the use of personal data to the purpose for which it was collected. If you want to use the data for other purposes, obtain further consent from the consumer.
Security safeguards
A well-planned implementation of security practices at the technical, administrative, and physical levels contributes greatly to privacy compliance. The adopted safeguards should be proportional to the volume and nature of the data collected and maintained by the organization. They should not be a token measure, but a carefully designed program.
Practice non-discrimination
The act requires businesses not to discriminate among consumers based on the exercise of consumer rights. This means you cannot raise prices, reduce quality, or deny goods or services to a consumer because they exercised a right.
However, it is not an act of discrimination to offer products/services at a lower price, different quality, level, selection of goods, or even for free if it is due to the participation in loyalty, club, or discount programs.
Consent
Do not process sensitive data without obtaining consent from users. In the case of children’s sensitive data, obtain verifiable parental consent and adhere to COPPA regulations.
Consent is valid if it is a freely given, informed, and unambiguous assent to the processing of personal data.
Contractual relationship
The personal data you collect may also be accessed by processors or third parties for specific purposes. Irresponsible handling on their part can therefore cause a loss of consumer trust in addition to legal repercussions.
A contractual relationship acts as a precautionary measure against this. Set out in the contract the rights and obligations of each party, the data types processed, the nature and purpose of the processing, and other specifications.
Response plan
Respond to consumer requests within a reasonable time. The act prescribes a maximum 45-day response period. It can be extended by another 45 days where reasonably necessary, considering factors such as the number and complexity of requests received. Businesses must decide on an appeal within 60 days. If the appeal is denied, the consumer must also be notified within that period.
Opt-out mechanisms
Provide convenient mechanisms to opt out of targeted advertising, sale of personal data, and profiling.
Data protection impact assessment
Regularly conduct impact assessments of high-risk activities like targeted advertising, sale of personal data, profiling, and processing of sensitive data. The assessments must be documented and kept confidential.
Privacy notice
Businesses must provide information to consumers to ensure data transparency. Transparency requires both visibility into data practices and a way for consumers to act on them. Therefore, your privacy notice should include your data practices, consumer rights, the methods to exercise them, etc. The next section describes the privacy notice requirements in detail.
What are the privacy notice requirements under the Indiana CDPA?
The purpose of a privacy notice is to provide information to consumers about how their personal data would be used and what they can do about it. This will assist consumers in determining whether to engage with your organization. Therefore, your privacy notices should be easily understandable and accessible.
Under ICDPA, the following information should be included in a privacy notice:
- Categories of personal data collected.
- Purposes for which it is used.
- Process of exercising consumer rights and appeals.
- Categories of personal data shared with third parties, if any.
- Categories of third parties with whom the personal data is shared, if any.
- Whether the personal data will be sold to third parties or used for targeted advertising; if so, the method to opt out must also be provided.
- One or more convenient methods to submit consumer requests.
What are the rights of the consumers under the Indiana CDPA?
ICDPA grants consumer rights to individuals, thereby giving them certain authority over their personal data. Businesses are required to provide convenient methods for consumers to exercise these rights, for example through web forms, toll-free numbers, or a dedicated email address. But first, let us take a look at the rights of consumers.
Right to confirm and access
Consumers have the right to confirm whether their personal data is being processed by businesses. If it is being processed, they can also submit a request to access it.
Right to correct
Consumers can correct any inaccuracies in the personal data maintained by businesses, provided the data was originally supplied by the consumer.
Right to delete
The law grants consumers the right to delete their personal data collected and maintained by businesses. This applies regardless of whether the data was obtained from the consumer or from another source.
Right to obtain
This right is an extension of the right to access. Consumers can obtain, once a year, a copy or a representative summary of the personal data kept by businesses. To the extent feasible and practicable, it must be provided in a portable and readable format.
Right to opt-out
If businesses engage in the sale of personal data or use it for targeted advertising or profiling, they must take reasonable efforts to inform the consumer. Consumers can then choose to opt out of these activities.
Enforcement and penalty for violations under Indiana CDPA
The enforcement provisions of ICDPA are similar to those of CCPA. The Attorney General has the sole authority to initiate legal action against those at fault and may seek an injunction and a civil penalty of up to $7500 per violation. This means the fine amount increases with the number of violations/individuals affected.
Businesses will get a 30-day cure period before legal action. If the violation is cured and the enforcement agency is promptly notified within this period, the parties at fault can avoid litigation and fines. Since the cure period is not subject to a sunset provision, it is currently permanent.
Unlike CCPA, there is no private right of action under ICDPA.
10 steps to Indiana ICDPA compliance
- Data minimization and purpose limitation.
- Provide a privacy notice to consumers.
- Conduct data protection impact assessments.
- Provide methods to opt out of targeted advertising, sale of personal data, and profiling.
- Do not process personal data without the consent of the consumer.
- Have a contractual relationship with processors and third parties.
- Do not retaliate against consumers for exercising their rights.
- Implement proportionate security measures.
- Have one or more convenient methods for the consumers to submit consumer requests.
- Respond to consumer requests promptly.
CCPA vs Indiana ICDPA [Infographic]
FAQ on Indiana ICDPA
Indiana Consumer Data Protection Act (SB 5) aims to protect consumers’ privacy and regulates the collection and processing of personal data. The act is expected to come into effect on Jan 1, 2026.
Businesses will get a 30-day cure period within which they must cure the violation to avoid legal action by the Attorney General of Indiana.
Yes. Even though ICDPA does not have provisions for breach notification, businesses are bound by Indiana’s breach notification law. It requires businesses to promptly notify the affected consumers and the Attorney General of a breach. Violators may face penalties of up to $150,000 per deceptive act.
The Indiana governor signed the state’s data privacy law on May 1, 2023, and it is expected to take effect on Jan 1, 2026. The law grants rights to consumers and also imposes duties upon businesses. The penalties for violations may be up to $7500 per violation.