Right on the heels of Iowa, Indiana became the seventh U.S. state to pass a comprehensive privacy law. The Indiana Consumer Data Protection Act, signed into law 1 May, follows in the footsteps of the Colorado, Connecticut and Virginia privacy laws with its rights and requirements. Indiana differentiated itself by providing covered entities with over two and a half years to come into compliance, as the law will go into effect 1 Jan. 2026. Given the substantial overlap between the Indiana law and three of the six state privacy laws, organizations that have implemented compliance processes aligning with these other states should not expect to implement a major compliance overhaul.
Scope
The Indiana law applies to entities that conduct business in the state or produce products or services targeted at Indiana residents. These entities must control or process the personal data of either 100,000 consumers, or 25,000 consumers while deriving over 50% of their gross revenue from the sale of personal data. Here, a "consumer" is a resident of Indiana acting only for personal, family or household purposes, similar to the definition of the term in all the state privacy laws except the California Consumer Privacy Act. The personal data in question applies to any information linked or reasonably linkable to an identified or identifiable individual, excluding deidentified, aggregate or publicly available data. The threshold for revenue derived from sales mirrors that of California, Iowa, Utah and Virginia's laws.
Exemptions
Those aligning their organization's privacy processes with the Indiana law will recognize the exempted entities and types of data. The Indiana law does not apply to data subject to the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act, or data covered by existing federal laws like the Health Care Quality Improvement Act, the Patient Safety and Quality Improvement Act, the Fair Credit Reporting Act, the Driver's Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and employment data and human subjects research data covered by federal law or other standards.
Consistent with the six previously passed comprehensive state privacy laws, the law does not apply to government entities or third parties under contract with such entities acting on behalf of the entity and within the scope of the agreed upon contract. Exempt entities also include financial institutions and entities subject to the GLBA, entities subject to the Health Information Technology for Economic and Clinical Health Act and/or HIPAA, nonprofit organizations, higher education institutions or public utilities.
Consumer rights
It comes as no surprise that the Indiana law, as a reflection of the Virginia privacy law, provides the following set of rights for consumers: the right to access, the right to correct, the right to portability, the right to delete, the right to opt out of certain processing, the right to opt out of the sale of personal data and the right to opt in for sensitive data processing. The law does not provide a private right of action, something privacy professionals have not seen in a state privacy law since the limited private right of action in California.
Right to access. Consumers can confirm whether a controller is processing their personal data and request access to that data. Uniquely, the Indiana law allows covered entities responding to an access request to provide either a copy of the personal data provided by the consumer or a "representative summary" of that data.
Right to correct. Consumers can request covered entities correct inaccuracies in the personal data they provided to the controller, depending on the nature of the data and purposes of its processing. This is also slightly distinct from other states, where this right generally applies to any data in a controller's possession.
Right to data portability. The copy or representative summary of the personal data sent to the consumer must be in a portable and readily usable format that allows the consumer to share it with another controller. Similar to the frequency limitation in the other states, a controller under this law is not required to send a copy or representative summary of a consumer's personal data more than once per 12-month period.
Right to delete. Consumers can request to delete the personal data they provided to the controller and/or data otherwise obtained about the consumer by the controller.
Right to opt out. Consumers can opt out of the processing of their personal data for targeted advertising, profiling and selling of personal data. This aligns with similar provisions in the Colorado, Connecticut, Virginia and Utah laws. Like all other U.S. state privacy laws, with the exception of Utah, Indiana's law includes a partial right not to be subject to fully automated decision making, something the newly passed Iowa law also provides through its definition of "processing," which includes data that undergoes an operation through manual or automated means.
Opting out of the sale of personal data applies to personal data exchanged for monetary consideration by a controller to a third party, mirroring the Virginia Consumer Data Protection Act. This does not include the disclosure of personal data:
- To a processor.
- To a third party providing services requested by the consumer or parent of a child.
- To an affiliate of the controller.
- The consumer intentionally made available publicly or did not restrict the audience for.
- To a third party as a part of a merger, acquisition or other transaction involving a controller's assets.
This right also does not apply to pseudonymous data, defined as personal data that cannot be attributed to a specific individual because additional information is kept separately and is subject to appropriate technical and organizational controls to ensure the data cannot be linked to an identifiable person. That being said, a controller that discloses pseudonymous or deidentified data is required to exercise reasonable oversight and compliance measures.
Right to opt in. If a consumer, or a parent on behalf of a user known to be a child, does not provide their consent, a controller cannot process their sensitive data. Regardless, the sensitive data must be processed in accordance with the Children's Online Privacy Protection Act.
The right to opt in for sensitive data processing recently became less of an afterthought, as seen in its prevalence in proposed bills. Just this calendar year, the right was included in bills from Hawaii, Maryland, Massachusetts, Minnesota, Montana, New Hampshire, New Jersey, New York, Oregon, Pennsylvania, Rhode Island, Tennessee, Texas and West Virginia. It is currently offered in Colorado, Connecticut, Virginia and now Indiana.
"Sensitive data" is defined as personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status, genetic or biometric data processed to identify a specific individual, personal data collected from a known child and, identical to Iowa's law, precise geolocation data within a radius of 1,750 feet.
Consumers, or parents of a known child, can invoke the above rights by submitting a request to the controller. Like in California, Colorado, Iowa, Virginia and Utah, there is an explicit requirement to verify opt-out requests. A controller must respond no later than 45 days after receipt of the request. The controller may take an additional 45-day grace period when reasonably necessary, like in the case of complex systems from which it is difficult to access or delete data, as long as the controller informs the consumer of the extension and the reason for it.
Obligations
Under the Indiana law, covered entities can expect certain obligations previously seen in the law's predecessors.
Purpose limitation. Controllers are required to limit personal data collection to what is adequate, relevant and reasonably necessary for the purposes of processing, and must obtain consumer consent for any processing outside of the previous disclosed purposes.
Data security. Controllers must have reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data, a cybersecurity provision seen in the previously passed state privacy laws.
Consent requirements. The Indiana law defines "consent" as a clear affirmative act that indicates a consumer freely gave their specific, informed and unambiguous agreement to a covered entity to process their personal data. Here, the "clear affirmative act" is a physical or electronic written statement or other affirmative action. Notably, there is no requirement to offer a method to allow consumers to revoke their consent as exists in California, Colorado and Connecticut.
Nondiscrimination. Controllers cannot process personal data in a way that violates antidiscrimination laws. Additionally, controllers are barred from discriminating against, denying goods and services to, and charging difference prices for goods and services to consumers for exercising their consumer rights. Echoing the usual carveout of the nondiscrimination clause in the other state privacy laws, the Indiana law allows controllers to provide a different price or discount for purposes of loyalty, rewards, or club programs.
Transparency. Controllers must provide consumers with an accessible, clear and meaningful privacy notice. The notice should include the categories of personal data processed, the purpose for processing personal data, the categories of personal data the controller shares with third parties and the categories of third parties the controller shares consumers' personal data with. The notice must also include an explanation of how consumers may exercise their rights. Controllers must also clearly and conspicuously disclose their use or sale of personal data to third parties for targeted advertising and provide a method to opt out of this use or sale. To assist controllers in fulfilling this obligation, the office of the attorney general may include a list of resources for controllers, like sample privacy notices and disclosures, on its website.
Assessments. Similar to the requirements in California, Colorado, Connecticut and Virginia, controllers must conduct data protection impact assessments for the following activities:
- Processing personal data for targeted advertising purposes.
- Selling personal data.
- Processing personal data for profiling purposes if that profiling creates a foreseeable risk of unfair or deceptive treatment or impact on consumers, financial, physical, or reputational injury, a violation of consumer privacy, or other substantial injury to consumers.
- Processing sensitive data.
- Processing any personal data in a way that heightens the risk of harm to consumers.
Privacy pros in applicable organizations should note these assessments apply to processing activities that occur after 31 December 2025.
Data processing contracts. Controllers must provide processors with a binding data processing contract that details instructions for processing personal data, the nature and purpose of the processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. Processors are also expected to assist the controller in meeting security, transparency, deletion, retention, reporting and assessment duties. The attorney general has the ability, under this law, to request a data protection impact assessment from a controller pursuant to a civil investigative demand.
Similar to Utah, Virginia and, most recently, Iowa, Indiana does not explicitly require organizations to recognize universal opt-out mechanisms. The law does, however, have a carve out for riverboat casinos. The Indiana law does not apply in the specific case of licensed riverboats that use facial recognition technology, as approved by the Indiana gaming commission. This aligns with the other provisions addressing privacy carveouts for security and legal issues in the section.
Enforcement
The office of the attorney general can issue a civil investigative demand to investigate suspected violations of this law upon a reasonable belief that an entity violated it. The attorney general must first provide the controller or processor with a written notice identifying the specific violations with a 30-day period to both cure the alleged violations and provide a written statement that the violations have been cured and no further violations of that nature will occur. If the covered entity does not address the violations during the cure period or breaches the written statement, the attorney general can then enforce violations by issuing an injunction and/or seeking a civil penalty of up to USD 7,500 for each violation. The above right to cure within 30 days does not sunset, similar to the cure provision in Utah and Virginia's laws.
Conclusion
While originally modeled on the EU General Data Protection Regulation and the CCPA, the Indiana law evolved into one much more akin to the Virginia law after a joint effort from the state's legislative and business communities. Covered entities under this law will not only have a long lead time to the date for compliance in 2026 but will likely have little extra work in terms of implementing new compliance measures if they are already on track to comply with the Virginia law. With the addition of Indiana's comprehensive state privacy law, and with Tennessee and Montana on track to join the ranks soon, the steady march of privacy across the U.S. continues.