Privacy & Information Security Law Blog

Indiana’s comprehensive consumer privacy law, the Indiana Consumer Data Protection Act (“ICDPA”), is set to take effect on January 1, 2026. Although the ICDPA shares many features with other comprehensive state privacy laws, several aspects set it apart as a more business-friendly law, including:

• Permanent Right to Cure: The ICDPA has a mandatory 30-day cure period that does not expire on a particular date, which is rare among state privacy laws.
• Higher Applicability Threshold: The ICDPA applies to for-profit businesses that conduct business in Indiana or produce goods or services targeted to residents of Indiana and that during a calendar year: (1) control or process the personal data of at least 100,000 or more Indiana residents; or (2) control or process the personal data of at least 25,000 Indiana residents and derive more than 50% of gross revenue from the sale of personal data. The law’s high applicability thresholds exclude many mid-sized businesses.
• Broad Entity and Data Exemptions: The ICDPA broadly exempts entities and data subject to federal privacy law (including HIPAA, GLB, FCRA, FERPA, DPPA, FCA), while certain state privacy laws exempt only data (and not entities) subject to those laws (g., California, Connecticut, Minnesota, Montana and Oregon).
• Limited Sensitive Data Definition: Unlike other state privacy laws, the ICDPA has a more limited definition of “sensitive” data, which is defined to include race, ethnicity, religion, mental or physical health diagnosis made by a health care provider (which is narrower than other state privacy laws’ definition of health data), sexual orientation, citizenship or immigration status, genetic data, biometric data, precise geolocation data, and personal data collected from a known child under the age of 13.
• No Novel Consumer Rights: Unlike other state privacy laws, the ICDPA does not address dark patterns or automated decision-making, nor does it impose specific requirements for health data or the personal data of minors over the age of 13.
• No Rulemaking Authority: The ICDPA does not explicitly empower the Attorney General to issue promulgating regulations.

In advance of the law’s effective date, the Indiana Attorney General’s Office has published a Consumer Bill of Rights. While designed for consumers, the Bill of Rights also provides a practical compliance guide for businesses subject to the law. It sets forth the ICDPA’s applicability thresholds and scope, and summarizes key compliance obligations for controllers, including with respect to responding to consumer rights requests, transparency requirements, purpose limitation restrictions, data minimization requirements, and rules governing the processing of sensitive data.