The Indiana Consumer Data Protection Act: How Businesses Can Prepare

By Morgan Sullivan

Senior Content Marketing Manager II

November 1, 2024 • 6 min read

At a glance: The Indiana Consumer Data Protection Act

  • Set to go into effect on January 1, 2026, the Indiana Consumer Data Protection Act (ICDPA) aims to enhance consumer privacy by establishing clear guidelines for how businesses can collect, process, and retain personal data from Indiana residents.
  • This guide covers who is subject to the ICDPA, compliance requirements for businesses, and how the law compares to other state privacy regulations.
  • You’ll find a complete ICDPA compliance checklist at the end.

Who's subject to Indiana's Privacy Law?

The first thing you’ll need to do when working to address the Indiana Consumer Data Protection Act (ICDPA) is to determine whether your business falls under its scope. Not all organizations will be affected by this law, so don’t skip this step!

Indiana’s privacy law applies to businesses that:

  • Conduct business in Indiana or produce products or services targeted at Indiana residents AND
  • Control or process personal data of at least 100,000 Indiana residents OR
  • Control or process personal data of at least 25,000 Indiana residents and derive over 50% of gross revenue from the sale of personal data.

There are a few exemptions, such as government agencies and entities governed by specific federal regulations like COPPA or HIPAA.

Compliance requirements under the Indiana Consumer Data Protection Act (ICDPA)

Fulfilling consumer privacy rights

Businesses must honor several key consumer rights, including:

  • The right to access personal data
  • The right to confirm data processing
  • The right to correct inaccurate data
  • The right to delete personal data, and
  • The right to opt out of personal data sales, targeted advertising, and profiling

To facilitate these rights, organizations should establish easily accessible methods for consumers to exercise them and must respond to consumer requests within 45 days. Under the ICDPA, businesses may extend this timeline by an additional 45 days if necessary.

In the event that a business decides to deny a consumer’s request, they must also offer a way to appeal that decision.

Offer clear and accessible privacy notices

Businesses are required to provide a clear, accessible, and straightforward privacy notice that outlines the details of their data collection and processing activities. This notice should include:

  • The categories of personal data processed
  • The purposes for processing that data
  • Instructions on how consumers can exercise their rights
  • The categories of personal data shared with third parties
  • The types of third parties receiving the data

Importantly, businesses must also include opt-out methods for data sales, targeted advertising, and profiling to ensure consumers can control their information.

Implement data protection measures

Organizations must implement reasonable security measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. They should also practice data minimization by collecting only personal data that is adequate, relevant, and reasonably necessary for the disclosed processing purposes.

Obtaining consumer opt-in consent is essential for processing sensitive data. Businesses should provide clear and accessible opt-out mechanisms for consumers wishing to decline data sales, targeted advertising, and profiling—empowering individuals to manage their privacy preferences.

Conduct data protection impact assessments (DPIAs)

It’s crucial for businesses to conduct and document data protection impact assessments (DPIAs) for high-risk processing activities, including targeted advertising, personal data sales, profiling that presents foreseeable risks, and processing sensitive data.

In short, DPIAs are needed for any activities that may pose a heightened risk of harm to consumers. This proactive approach helps identify potential risks and ensures compliance with data protection standards.

Establish data processing agreements

Organizations must establish binding contracts with their data processors, outlining essential details such as:

  • Processing instructions
  • The nature and purpose of processing
  • Types of data subject to processing
  • Duration of processing
  • The rights and obligations of both parties

These agreements are critical for ensuring that personal data is handled in accordance with applicable laws and regulations.

How Indiana’s Privacy Law compares with other state laws

Compliance timeline

The Indiana Consumer Data Protection Act (INCDPA) has a notably longer implementation period compared to other state privacy laws. Although it was signed into law on May 1, 2023, it won’t take effect until January 1, 2026.

This timeline provides businesses with over two and a half years to prepare for compliance, which is significantly longer than the typical 12 to 18 months seen in other states.

Data retention and minimization policies

The INCDPA explicitly mandates that businesses implement data retention and data minimization policies. While these concepts may be implied in other state laws, Indiana makes them formal requirements, emphasizing the importance of responsible data management.

Definition of consumer

The INCDPA defines "consumer" specifically as a resident of Indiana acting solely for personal, family, or household purposes. This definition is consistent with most state privacy laws but diverges from the broader definition used in the CCPA.

Access request response

A unique aspect of the Indiana law is that it allows organizations responding to access requests to provide either a copy of the personal data requested by the consumer or a "representative summary" of that data. This flexibility is not commonly found in other state privacy regulations.

While the INCDPA defines "consent" similarly to other laws, it doesn’t require a mechanism for consumers to revoke their consent. This differs from the requirements established in states like California, Colorado, and Connecticut.

Universal opt-out mechanisms

In contrast to laws in Utah, Virginia, and Iowa, the INCDPA does not specifically mandate that controllers or processors recognize universal opt-out mechanisms. This omission may impact how businesses manage consumer privacy preferences.

Overall, while the INCDPA shares similarities with privacy laws in other states, particularly those in Virginia, Colorado, and Connecticut, its unique features necessitate careful attention from businesses seeking to comply with various state regulations.

Indiana Consumer Data Protection Act compliance checklist

To prepare for compliance with the Indiana Consumer Data Protection Act, businesses can take several key steps:

1. Determine applicability

Begin by determining if your organization meets the thresholds for compliance. This includes controlling or processing personal data of at least 100,000 Indiana residents or processing personal data of at least 25,000 residents while deriving over 50% of gross revenue from personal data sales.

2. Conduct a data inventory

Identify and categorize the personal data you collect, process, and store, ensuring you understand the types of data you handle and their sources. This includes recognizing any sensitive information that requires special considerations. Finally, map the data flows within your organization and to third parties, detailing how data moves through your systems and identifying any potential risks or compliance concerns with external partners.

3. Implement consumer rights mechanisms

Establish processes to handle consumer requests, which include access to personal data, correction of inaccurate data, deletion of personal data, and opting out of data sales, targeted advertising, and certain profiling. Implement a system to respond to these consumer requests within 45 days, and create an appeals process for any denied requests.

4. Implement consent and opt-out mechanisms

Implement mechanisms for obtaining consumer consent where required, and provide clear opt-out options for data sales, targeted advertising, and profiling. Ensure that these opt-out processes are easily accessible and user-friendly.

5. Develop clear privacy notices

Develop a clear and accessible privacy notice that includes the categories of personal data processed, the purposes for processing, and how consumers can exercise their rights. Additionally, outline the categories of personal data shared with third parties and the types of third parties receiving that data.

6. Conduct data protection impact assessments

Conduct DPIAs for high-risk processing activities such as targeted advertising, the sale of personal data, profiling with foreseeable risks, processing of sensitive data, and activities that pose a heightened risk of consumer harm.

7. Formalize data processor relationships

Enter into data processing agreements (DPAs) with all processors, clearly specifying the instructions for processing, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.

By following this checklist, organizations can work towards compliance with the Indiana Consumer Data Protection Act. It's important to remember that the INCDPA goes into effect on January 1, 2026, so starting preparations well in advance is crucial to achieving full compliance by the effective date.


About Transcend

Transcend is the next-generation privacy platform. Encoding privacy at the code layer, we offer solutions for any privacy challenge your teams may be facing—including getting you ready for new legislation like Indiana's data privacy law.

From Consent Management to DSR Automation to a full suite of data mapping solutions (Data Inventory, Silo Discovery, Structured Discovery, Unstructured Discovery, and more), Transcend has you covered as your company grows and evolves in a swiftly changing regulatory environment.

