Senior Content Marketing Manager II
November 1, 2024
The first thing you’ll need to do when working to address the Indiana Consumer Data Protection Act (ICDPA) is to determine whether your business falls under its scope. Not all organizations will be affected by this law, so don’t skip this step!
Indiana’s privacy law applies to businesses that:
There are a few exemptions, such as government agencies and entities governed by specific federal regulations like COPPA or HIPAA.
Businesses must honor several key consumer rights, including:
To facilitate these rights, organizations should establish easily accessible methods for consumers to exercise them and must respond to consumer requests within 45 days. Under the ICDPA, businesses may extend this timeline by an additional 45 days if necessary.
In the event that a business decides to deny a consumer’s request, they must also offer a way to appeal that decision.
Businesses are required to provide a clear, accessible, and straightforward privacy notice that outlines the details of their data collection and processing activities. This notice should include:
Importantly, businesses must also include opt-out methods for data sales, targeted advertising, and profiling to ensure consumers can control their information.
Organizations must implement reasonable security measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. They should also practice data minimization by collecting only personal data that is adequate, relevant, and reasonably necessary for the disclosed processing purposes.
Obtaining consumer opt-in consent is essential for processing sensitive data. Businesses should provide clear and accessible opt-out mechanisms for consumers wishing to decline data sales, targeted advertising, and profiling—empowering individuals to manage their privacy preferences.
It’s crucial for businesses to conduct and document data protection impact assessments (DPIAs) for high-risk processing activities, including targeted advertising, personal data sales, profiling that presents foreseeable risks, and processing sensitive data.
In short, DPIAs are needed for any activities that may pose a heightened risk of harm to consumers. This proactive approach helps identify potential risks and ensures compliance with data protection standards.
Organizations must establish binding contracts with their data processors, outlining essential details such as:
These agreements are critical for ensuring that personal data is handled in accordance with applicable laws and regulations.
The Indiana Consumer Data Protection Act (INCDPA) has a notably longer implementation period compared to other state privacy laws. Although it was signed into law on May 1, 2023, it won’t take effect until January 1, 2026.
This timeline provides businesses with over two and a half years to prepare for compliance, which is significantly longer than the typical 12 to 18 months seen in other states.
The INCDPA explicitly mandates that businesses implement data retention and data minimization policies. While these concepts may be implied in other state laws, Indiana makes them formal requirements, emphasizing the importance of responsible data management.
The INCDPA defines "consumer" specifically as a resident of Indiana acting solely for personal, family, or household purposes. This definition is consistent with most state privacy laws but diverges from the broader definition used in the CCPA.
A unique aspect of the Indiana law is that it allows organizations responding to access requests to provide either a copy of the personal data requested by the consumer or a "representative summary" of that data. This flexibility is not commonly found in other state privacy regulations.
While the INCDPA defines "consent" similarly to other laws, it doesn’t require a mechanism for consumers to revoke their consent. This differs from the requirements established in states like California, Colorado, and Connecticut.
In contrast to laws in Utah, Virginia, and Iowa, the INCDPA does not specifically mandate that controllers or processors recognize universal opt-out mechanisms. This omission may impact how businesses manage consumer privacy preferences.
Overall, while the INCDPA shares similarities with privacy laws in other states, particularly those in Virginia, Colorado, and Connecticut, its unique features necessitate careful attention from businesses seeking to comply with various state regulations.
To prepare for compliance with the Indiana Consumer Data Protection Act, businesses can take several key steps:
Begin by determining if your organization meets the thresholds for compliance. This includes controlling or processing personal data of at least 100,000 Indiana residents or processing personal data of at least 25,000 residents while deriving over 50% of gross revenue from personal data sales.
Identify and categorize the personal data you collect, process, and store, ensuring you understand the types of data you handle and their sources. This includes recognizing any sensitive information that requires special considerations. Finally, map the data flows within your organization and to third parties, detailing how data moves through your systems and identifying any potential risks or compliance concerns with external partners.
Establish processes to handle consumer requests, which include access to personal data, correction of inaccurate data, deletion of personal data, and opting out of data sales, targeted advertising, and certain profiling. Implement a system to respond to these consumer requests within 45 days, and create an appeals process for any denied requests.
Implement mechanisms for obtaining consumer consent where required, and provide clear opt-out options for data sales, targeted advertising, and profiling. Ensure that these opt-out processes are easily accessible and user-friendly.
Develop a clear and accessible privacy notice that includes the categories of personal data processed, the purposes for processing, and how consumers can exercise their rights. Additionally, outline the categories of personal data shared with third parties and the types of third parties receiving that data.
Conduct DPIAs for high-risk processing activities such as targeted advertising, the sale of personal data, profiling with foreseeable risks, processing of sensitive data, and activities that pose a heightened risk of consumer harm.
Enter into data processing agreements (DPAs) with all processors, clearly specifying the instructions for processing, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.
By following this checklist, organizations can work towards compliance with the Indiana Consumer Data Protection Act. It's important to remember that the INCDPA goes into effect on January 1, 2026, so starting preparations well in advance is crucial to achieving full compliance by the effective date.
Transcend is the next-generation privacy platform. Encoding privacy at the code layer, we offer solutions for any privacy challenge your teams may be facing—including getting you ready for new legislation like Indiana's data privacy law.
From Consent Management to DSR Automation to a full suite of data mapping solutions (Data Inventory, Silo Discovery, Structured Discovery, Unstructured Discovery, and more), Transcend has you covered as your company grows and evolves in a swiftly changing regulatory environment.