Indiana Consumer Data Protection Act

What you need to know about the INCDPA:

To Whom Does INCDPA Apply?

The TDPSA applies to for-profit entities that:

  1. Conduct business or provide products or services to residents of Indiana (consumers), and 
  2. Annually control or process the personal information of either:
    1. 100,000 unique residents excluding personal information solely used for completing payment transactions; or
    2. 25,000 unique residents and derives more than 50% of gross revenue from the sale of personal information.
To Whom and What Does INCDPA NOT Apply?

Exempt Entities: Exempt entities include:

  • Non-profits;
  • State government entities;
  • Higher education Institutions;
  • HIPAA-covered entities and business associates;
  • GLBA-covered entities; and
  • Public utilities as defined by the state or their affiliated service companies.

Exempt Data: INCDPA exempts a long list of personal information, including but not limited to:

  • HIPAA-covered data;
  • GLBA-covered data;
  • Various federally and internationally protected health and patient information, including that protected by the Common Rule, human subject data, and more;
  • Various forms of credit data regulated by the Fair Credit Reporting Act; and
  • Data covered by a wide variety of other federal laws including Family Educational Rights, Farm Credit Act, and Privacy Act, and Driver’s Privacy Protection Act.

Exempt Use Cases: INCDPA is not applicable in some circumstances, such as:

  • Processing PI in an employment or commercial (B2B) context;

In addition, the INCDPA specifies that its law should not be construed to restrict a business’s collection, use, or retention of PI for:

  • Conducting internal research for development, improvement, and repair of products, services, and technology (R&D);
  • Product recalls;
  • Identifying and repairing technical errors that impair existing or intended functionality; and
  • Performing internal operations.

Key Components of INCDPA

What Constitutes Personal Information under INCDPA?

INCDPA covers “personal data,” also called personal information or PI, which Indiana defines as: “any information that is linked or reasonably linkable to an identified or identifiable individual.” Like many other states, there is an exception for de-identified and publicly available data.

What Constitutes Sensitive PI?

INCDPA’s definition of sensitive PI consists of:

  • Racial or ethnic origin;
  • Religious beliefs;
  • Mental or physical condition or diagnosis;
  • sexual orientation;
  • Citizenship or immigration status;
  • PI collected from a known child;
  • Precise geolocation data; and
  • Genetic or biometric data processed for identification purposes.
Any Other Categories of Data I Should Think About?

Where a controller processes de-identified or pseudonymous data, INCDPA requires it to take reasonable measures to ensure the data cannot be associated with an individual; publicly commit to maintaining such data without an attempt to re-identify it; and contractually obligate any recipients of the data to comply with INCDPA. Controllers must monitor processors for compliance with de-identification obligations in contracts.

Additionally, Indiana exempts pseudonymous data from access, correction, portability, and deletion rights requests where the controller can show it keeps information that would allow the data to be re-identified separate and subject to technical and organizational controls that prevent its use for re-identification.

Is consent needed to Process Sensitive Data?

In a word: YES!

Is Consent Needed for Any Other Processing?

Parental consent is required to process PI about a known child (under 13) in accordance with COPPA.

Consent is also required for secondary use of information that is not necessary or compatible with the purpose for collection and hasn’t been noticed to the consumer.

What Needs to Be Included in the Privacy Notice?

A privacy notice must include:

  • The categories of PI processed;
  • The purpose for processing PI;
  • The categories of third parties with which PI is shared;
  • The categories of PI that are shared with third parties;
  • Description of targeted advertising and selling activities including a procedure for opting out of the processing for these purposes; and
  • The methods for a consumer to exercise their rights (see below) and appeal a decision on their rights request.
What Constitutes “Sale” of PI?

INCDPA takes a narrow approach to defining “sale” as only the exchange of PI for monetary consideration.

There are limits on the definition of “sale” to ensure that certain business functions are not unintentionally impeded by this law. Examples of activities deemed not to be a sale include: the disclosure of PI to provide a product or service requested by the consumer, the disclosure of PI that had been intentionally made available to the public, and the disclosure of PI as part of a merger or bankruptcy. For more, see the statue.

 

How Will INCDPA Be Enforced?

Indiana Attorney General (AG) has sole enforcement authority. Under the INCDPA, the AG may bring an enforcement action after providing a 30-day notice and an opportunity for the business to cure the alleged violation(s); the cure period will end July 1, 2026. The AG may seek injunctive relief (the company must stop certain behaviors) and/or civil penalties, with fines up to $7,500 per violation plus attorney’s fees, investigative costs, and any other relief the court determines appropriate.

Data Privacy is Just Good Business