Indiana’s Consumer Data Protection Act
Following a flurry of legislative activity in 2023, Indiana has become the latest state to pass consumer data protection regulations. The Indiana Consumer Data Protection Act (“INCDPA”) will take effect on January 1, 2026.
Compliance with INCDPA should be relatively straightforward for businesses that have already made efforts to comply with data protection laws in Virginia (the Virginia Consumer Data Protection Act or “VCDPA”), Utah (the Utah Consumer Privacy Act or “UCPA”), Iowa (the Iowa Consumer Data Protection Act or “ICDPA”), and Tennessee (the Tennessee Information Protection Act or “TIPA”).
What You Need to Know About Indiana’s Privacy Law
Does your business:
- Conduct business or target consumers in Indiana, and
- Process or control:
  a. personal data about at least 100,000 Indiana consumers, or
  b. personal data about at least 25,000 Indiana consumers and derive more than 50% of gross revenue from the sale of personal data, and
- Not fall under the classification of a governmental agency, non-profit, institution of higher education, public utility, or an entity covered by HIPAA or the Gramm-Leach-Bliley Act?
If you answered YES to all of these questions, INCDPA applies to you!
- Review whether you process sensitive personal data, including citizenship or immigration status, and precise geolocation data, and be sure you have appropriate consent.
- Implement or update your process for receiving and responding to Individual Rights Requests (including appeals!).
- Give the option of opting out of targeted advertising, the sale of personal data, and profiling.
- Create or update Data Protection Assessments (or Privacy Impact Assessments, if completed for GDPR).
- Ensure that your vendor contracts include appropriate privacy protections.
- Exempt entities: INCDPA does not apply to governmental agencies, non-profits, institutions of higher education, public utilities, and others, including entities covered by the Gramm-Leach-Bliley Act or HIPAA.
- Context: Like most other state privacy laws, with California being the notable exception, INCDPA does not apply to individuals acting in a commercial or employment context.
- Exempt data: Data covered by HIPAA, the Common Rule, the Driver’s Privacy Protection Act, FERPA, the Fair Credit Reporting Act, the Farm Credit Act, and certain other laws are exempt.
Key Components of INCDPA
Like many state privacy laws, Indiana's definition of sensitive data starts from the usual elements:
- Racial or ethnic origin
- Religious beliefs
- Sexual orientation
- Genetic and biometric data that identifies an individual
INCDPA adds:
- mental or physical health diagnosis by a healthcare provider
- citizenship and immigration status
- precise geolocation data
- personal data collected from a known child under the age of 13
Remember, consent is needed to process sensitive data!
As with most state data privacy regulations, in Indiana, the state Attorney General has the sole enforcement authority.
In Indiana, the Attorney General may bring an enforcement action after providing 30 days’ notice and an opportunity for the business to cure the alleged violation(s).
Actions can be brought that seek injunctive relief (the company has to immediately stop certain behaviors) and/or civil penalties of up to $7,500 per violation.
Individual Rights Under INCDPA
The individual rights INCDPA provides align with the majority of other states’ laws. If INCDPA applies to your business, you must allow consumers to:
- Confirm whether your business is processing any data and, if so, access it
- Correct inaccuracies in personal data they provided
- Delete personal data
- Get a copy of certain personal data they provided (data portability)
- Opt-out of the sale of personal data and processing for profiling and targeted advertising
In Indiana, businesses will have a period of 45 days after receipt to respond to Individual Rights Requests (unless the business has been unable to authenticate a request), with a 45-day extension in limited circumstances.
Responses to Individual Rights Requests must be provided free of charge at least once a year. If a business declines to take a requested action, it must notify the consumer in writing and provide instructions for appeal.
The appeal process must be conspicuously available to the consumer and similar to the process for submitting requests (as in Montana, Iowa, Tennessee, and more). Businesses must respond to appeals within 60 days of receipt and, if denying an appeal, must provide an online mechanism or other method for contacting the Indiana State Attorney General to submit a complaint.
Pseudonymous Data
Like Virginia, Montana, Iowa, Tennessee, and some other states, Indiana’s data protection law states that a business does not need to include pseudonymous data in its response to Individual Rights Requests.
While INCDPA's definition of "pseudonymous data" differs in wording from the other laws, the effect is the same. Under INCDPA, "pseudonymous data" is defined as:
“personal data that cannot be attributed to a specific individual because additional information that would allow the data to be attributed to a specific individual is: (1) kept separately; and (2) subject to appropriate technical and organizational measures; to ensure that the personal data is not attributed to an identified or identifiable individual.”
One of the most common uses of pseudonymous data is in the clinical trial context, where each trial participant is assigned a random ID and their actual identity is only known to medical staff (the sponsor/manufacturing company, labs, and other supporting entities only can see the random ID).
Other types of organizations may want to consider taking this approach, especially those that already assign identifiers through, for example:
- Loyalty or participation rewards programs such as frequent flier/renter/buyer/guest numbers
- Membership IDs (like insurance companies, libraries, and fitness centers)
- Player ID (for online and mobile games)
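The separation the definition describes, shown as an added example (this is not code from the original article or from Red Clover Advisors): each person gets a random participant ID, and the only link back to the real identity lives in a separate store that the processing side never receives. Beside it is the common shortcut of hashing the identifier without a key, which fails the definition because anyone with a list of candidate emails can recompute the "pseudonym" with no separately kept information at all. The record fields, the `IdentityVault` name and the participant records are assumptions constructed for illustration; only the Python standard library is used.

```python
"""Pseudonymization with the re-identification link kept separately.

Added example, not code from the original article or from Red Clover Advisors.
Uses only the Python standard library; the participant records below are
constructed sample data, and the field names are assumptions for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed sample input: what a clinical site (or a loyalty program) holds.
PARTICIPANTS = [
    {"email": "alice@example.com", "age": 34, "systolic_bp": 128},
    {"email": "bob@example.com", "age": 51, "systolic_bp": 141},
    {"email": "alice@example.com", "age": 34, "systolic_bp": 125},  # repeat visit
]
DIRECT_IDENTIFIERS = ("email",)


class IdentityVault:
    """The 'additional information' in the INCDPA definition.

    Holds the only mapping between a random participant ID and the real
    identity. It belongs on a separate system with its own access control;
    the processing side (sponsor, lab) receives only the records returned by
    pseudonymize() and never this object.
    """

    def __init__(self):
        self._by_identity = {}
        self._by_pseudonym = {}

    def pseudonym_for(self, identity):
        """Return the stable random ID for an identity, minting one if needed."""
        if identity not in self._by_identity:
            pseudonym = "P-" + secrets.token_hex(8)  # random, not derived from identity
            self._by_identity[identity] = pseudonym
            self._by_pseudonym[pseudonym] = identity
        return self._by_identity[identity]

    def reidentify(self, pseudonym):
        """Only the vault holder can walk back from ID to person."""
        return self._by_pseudonym[pseudonym]


def pseudonymize(records, vault):
    """Replace direct identifiers with a random participant ID.

    The returned records can be shared for analysis; without the vault they
    cannot be attributed to a specific individual.
    """
    out = []
    for record in records:
        identity = record["email"]
        shared = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        shared["participant_id"] = vault.pseudonym_for(identity)
        out.append(shared)
    return out


# A common mistake: "pseudonymizing" with an unkeyed hash of the identifier.
def unkeyed_pseudonym(email):
    return hashlib.sha256(email.encode()).hexdigest()


def guess_identity(pseudonym, candidate_emails, pseudonym_fn):
    """Re-attribute a pseudonym by recomputing it over a list of candidates.

    Succeeds against an unkeyed hash with no separately kept secret, so that
    data is not pseudonymous in the INCDPA sense.
    """
    for email in candidate_emails:
        if hmac.compare_digest(pseudonym_fn(email), pseudonym):
            return email
    return None


# Deterministic alternative that still qualifies: the secret key is the
# separately kept 'additional information'. Same input -> same ID, so records
# from different sites can be joined without sharing the key.
def keyed_pseudonym(key, email):
    return hmac.new(key, email.encode(), hashlib.sha256).hexdigest()


def demo():
    """Pseudonymize the sample records; returns (shared records, vault, HMAC key)."""
    vault = IdentityVault()
    shared = pseudonymize(PARTICIPANTS, vault)
    key = secrets.token_bytes(32)  # would be stored with the vault, never with the data
    return shared, vault, key


if __name__ == "__main__":
    shared, vault, key = demo()
    for row in shared:
        print(row)
    pid = shared[0]["participant_id"]
    print("vault re-identifies", pid, "->", vault.reidentify(pid))
    cands = ["alice@example.com", "bob@example.com"]
    print("unkeyed hash guessed:",
          guess_identity(unkeyed_pseudonym("bob@example.com"), cands, unkeyed_pseudonym))
    wrong_key = b"\x00" * 32  # an attacker without the real key
    print("keyed pseudonym guessed:",
          guess_identity(keyed_pseudonym(key, "bob@example.com"), cands,
                         lambda e: keyed_pseudonym(wrong_key, e)))
```

The random-ID table and the keyed HMAC are two ways of meeting the same two-part test: the shared data set carries no identifier that can be attributed to a person, and the thing that would allow attribution (the mapping table or the key) is held separately under its own technical and organizational controls. Either way, the practical check is to ask whether someone holding only the shared records and public information could get back to a named individual; if a plain hash of an email or membership number is the "pseudonym", the answer is yes.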
Data Protection Assessments aka Privacy Impact Assessments
Like data protection laws in Virginia, Connecticut, Montana, and Tennessee, INCDPA requires that regulated businesses conduct Data Protection or Privacy Impact Assessments.
The circumstances under which businesses must complete these impact assessments align with those of the VCDPA, CTDPA, MCDPA, and TIPA. Like its predecessors, INCDPA also allows impact assessments conducted for compliance with other state laws to satisfy its requirements, as long as they have a "reasonably comparable scope and effect."
INCDPA requires impact assessments for activities created or generated after December 31, 2025, that present a heightened risk of harm, including:
- Processing for targeted advertising
- Selling personal data
- Processing sensitive data
- Processing for the purposes of profiling if it presents a ‘reasonably foreseeable risk’ of
○ Unfair or deceptive treatment or unlawful disparate impact on consumers;
○ Financial, physical, or reputational injury to consumers;
○ Physical or other intrusion on the solitude or seclusion, or private affairs or concerns, which would be offensive to a reasonable person; or
○ Other substantial injury
Vendor Contracts
Like Iowa, Montana, Tennessee, and many other state laws, INCDPA requires that a contract be in place that dictates what vendors must do with respect to processing personal data.
Contracts must “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.” In addition, the contract must require that the processor:
- Ensure it binds each person that processes personal data to a duty of confidentiality
- Delete or return all personal data when it has completed the services, unless retention of the personal data is required by law
- Make available all information necessary to demonstrate the processor’s compliance with its obligations
- Make itself available for audits by the controller or arrange for an independent auditor to review its policies and practices, and provide a report of the assessment to the controller
- Pass along the same obligations to any subcontractor in a written contract
Business Friendly Exceptions to Data Collection
INCDPA, like data protection laws in Colorado, Connecticut, Montana, Iowa, and Tennessee, specifies that it should not be construed as restricting a business’s collection, use, or retention of personal data for:
- Conducting internal research for development, improvement, and repair of products, services, and technology (R&D)
- Product recalls
- Identifying and repairing technical errors that impair existing or intended functionality
- Performing internal operations
Data Privacy is Just Good Business
Managing privacy compliance with all these new state privacy laws popping up in the U.S. might seem like a daunting task. But just because the task appears daunting doesn't mean it's impossible to handle.
You don’t have to go at it alone! With the right support, you can make data privacy measures a sustainable part of your daily operations. That’s where Red Clover Advisors comes in – to deliver practical, actionable, business-friendly privacy strategies to help you achieve data privacy compliance and establish yourself as a consumer-friendly privacy champion that customers will appreciate.