Indiana’s Consumer Data Protection Act

Indiana isn’t quite the Wild West, but it’s still home to notable outlaws. In 1866, the first moving train robbery in U.S. history was staged in the state of Indiana. Notorious gang members, John and Simeon Reno managed to stop a training chugging through the vast fields of Jackson County, absconding with $13,000—a veritable fortune in those days.

The Reno brothers inspired countless other bandits, as well as new strategies for protecting valuables being transported, including massive safes, special boxcars carrying armed guards, and horses that could run down outlaws. These measures ultimately made train robbery a less lucrative—and much riskier—undertaking.

Today, the landscape is dramatically different. Instead of protecting trains full of precious metals, we’re more concerned about safeguarding another valuable commodity: personal data. One of the newest consumer data protection measures on the horizon is the Indiana Consumer Data Protection Act (INCDPA).

Is your business privacy-ready?

Book a Free Consultation

What you need to know about INCDPA

Following a flurry of legislative activity in 2023, Indiana has become the latest state to pass consumer data protection regulations. The Indiana Consumer Data Protection Act (“INCDPA”) will take effect on January 1, 2026.

Compliance with INCDPA should be relatively straightforward for businesses that have already made efforts to comply with data protection laws in Virginia (the Virginia Consumer Data Protection Act or “VCDPA”), Utah (the Utah Consumer Privacy Act or “UCPA”), Iowa (the Iowa Consumer Data Protection Act or “ICDPA”), and Tennessee (the Tennessee Information Protection Act or “TIPA”).

Learn more about each state’s regulations with RCA’s state privacy law map.

Does the Law Apply to You?

Does your business:

Conduct business or target consumers in Indiana, and
process or control:

a. personal data about at least 100,000 Indiana consumers, or

b. personal data about at least 25,000 Indiana consumers and derives more than 50% of gross revenue from the sale of personal data,
Not fall under the classification of a governmental agency non-profit, institution of higher education, public utility, or an entity covered by HIPAA or the Gramm-Leach-Bliley Act

If you answered YES to these questions, INCDPA applies to you!

How to Prepare for INCDPA

Review whether you process sensitive personal data, including citizenship or immigration status, and precise geolocation data, and be sure you have appropriate consent.
Implement or update your process for receiving and responding to Individual Rights Requests (including appeals!).
Give the option of opting out of targeted advertising, the sale of personal data, and profiling.
Create or update Data Protection Assessments (or Privacy Impact Assessments, if completed for GDPR).
Ensure that your vendor contracts include appropriate privacy protections.

Partner with a third-party privacy expert to prepare your business for INCDPA compliance.

When Does INCDPA NOT Apply?

Exempt entities: INCDPA does not apply to governmental agencies, non-profits, institutions of higher education, public utilities, and others, including entities covered by the Gramm-Leach-Bliley Act or HIPAA.
Context: Like most other state privacy laws, with California being the notable exception, INCDPA does not apply to individuals acting in a commercial or employment context.
Exempt data: Data covered by HIPAA, the Common Rule, the Driver’s Privacy Protection Act, FERPA, the Fair Credit Reporting Act, the Farm Credit Act, and certain other laws are exempt.

Key Components of INCDPA

What Constitutes Sensitive Data?

Like many state privacy laws, Indiana’s expands the definition of sensitive data beyond the usual elements, such as:

Racial or ethnic origin
Religious beliefs
Sexual orientation
Genetic and biometric data that identifies an individual

INCDPA adds:

mental or physical health diagnosis by a healthcare provider
citizenship and immigration status
precise geolocation data
personal data collected from a known child under the age of 13

Remember, consent is needed to process sensitive data!

What Constitutes Sale of Personal Data?

The individual rights INCDPA provides align with the majority of other states’ laws. If INCDPA applies to your business, you must allow consumers to:

Confirm whether your business is processing any data and, if so, access it
Correct inaccuracies in personal data they provided
Delete personal data
Get a copy of certain personal data they provided (data portability)
Opt-out of the sale of personal data and processing for profiling and targeted advertising

In Indiana, businesses will have a period of 45 days after receipt to respond to Individual Rights Requests (unless the business has been unable to authenticate a request), with a 45-day extension in limited circumstances.

Responses to Individual Rights Requests must be provided free of charge at least once a year. If a business declines to take a requested action, it must notify the consumer in writing and provide instructions for appeal.

The appeal process must be conspicuously available to the consumer and similar to the process for submitting requests (as in Montana, Iowa, Tennessee, and more). Businesses must respond to appeals within 60 days of receipt and, if denying an appeal, must provide an online mechanism or other method for contacting the Indiana State Attorney General to submit a complaint.

Pseudonymous Data

Like Virginia, Montana, Iowa, Tennessee, and some other states, Indiana’s data protection law states that a business does not need to include pseudonymous data in its response to Individual Rights Requests.

While INCDPA definition of ‘pseudonymous data’ differs from the other laws, the effect is the same. Under INCDPA, ‘pseudonymous data’ is defined as:

“personal data that cannot be attributed to a specific individual because additional information that would allow the data to be attributed to a specific individual is: (1) kept separately; and (2) subject to appropriate technical and organizational measures; to ensure that the personal data is not attributed to an identified or identifiable individual.”

One of the most common uses of pseudonymous data is in the clinical trial context, where each trial participant is assigned a random ID and their actual identity is only known to medical staff (the sponsor/manufacturing company, labs, and other supporting entities only can see the random ID).

Other types of organizations may want to consider taking this approach, especially those that already assign identifiers through, for example:

Loyalty or participation rewards programs such as frequent flier/renter/buyer/guest numbers
Membership IDs (like insurance companies, libraries, and fitness centers)
Player ID (for online and mobile games)

Data Protection Assessments aka Privacy Impact Assessments

Like data protection laws in Virginia, Connecticut, Montana, and Tennessee, INCDPA requires that regulated businesses conduct Data Protection or Privacy Impact Assessments.

The circumstances under which businesses must complete these impact assessments align with those of the VCPDA, CTDPA, MCDPA, and TIPA. Like its predecessors, INCDPA also allows impact assessments conducted for compliance with other state laws to satisfy its requirements—as long as they have a “reasonably comparable scope and effect.”

INCDPA requires impact assessments for activities created or generated after December 31, 2025, that present a heightened risk of harm, including:

Processing for targeted advertising
Selling personal data
Processing sensitive data
Processing for the purposes of profiling if it presents a ‘reasonably foreseeable risk’ of
○ Unfair or deceptive treatment or unlawful disparate impact on consumers;
○ Financial, physical, or reputational injury to consumers;
○ Physical or other intrusion on the solitude or seclusion, or private affairs or
concerns, which would be offensive to a reasonable person; or
○ Other substantial injury

Vendor Contracts
Like Iowa, Montana, Tennessee, and many other state laws, INCDPA requires that a contract be in place that dictates what vendors must do with respect to processing personal data.

Contracts must “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.” In addition, the contract must require that the processor:

Ensure it binds each person that processes personal data to a duty of confidentiality
Delete or return all personal data when it has completed the services, unless retention of the personal data is required by law
Make available all information necessary to demonstrate the processor's compliance with its obligations
Make itself available for audits by the controller or arrange for an independent auditor to review its policies and practices, and provide a report of the assessment to the controller
Pass along the same obligations to any subcontractor in a written contract

Business Friendly Exceptions to Data Collection

INCDPA, like data protection laws in Colorado, Connecticut, Montana, Iowa, and Tennessee, specifies that it should not be construed as restricting a business’s collection, use, or retention of personal data for:

Conducting internal research for development, improvement, and repair of products, services, and technology (R&D)
Product recalls
Identifying and repairing technical errors that impair existing or intended functionality
Performing internal operations

How Will the ICDPA Be Enforced?

As with most state data privacy regulations, in Indiana, the state Attorney General has the sole enforcement authority.

In Indiana, the Attorney General may bring an enforcement action after providing 30 days’ notice and an opportunity for the business to cure the alleged violation(s).

Actions can be brought that seek injunctive relief (the company has to immediately stop certain behaviors) and/or civil penalties of up to $7,500 per violation.

Data Privacy is Just Good Business

The U.S. data privacy landscape may have been a bit like the Wild West so far (or the Wild Midwest), but new regulations are bringing greater structure and guidance to companies looking to protect some of their most valuable assets: personal data and consumer trust.

At Red Clover Advisors, we understand the challenges and responsibilities inherent in ensuring privacy is a priority. We work with our diverse client base to develop actionable, business-friendly privacy strategies to help businesses achieve privacy compliance as a consumer-friendly privacy leader.

Book a Free Consultation

Indiana’s Consumer Data Protection Act

What you need to know about INCDPA

Does your business:

Conduct business or target consumers in Indiana, and

process or control:

a. personal data about at least 100,000 Indiana consumers, or

b. personal data about at least 25,000 Indiana consumers and derives more than 50% of gross revenue from the sale of personal data,

Not fall under the classification of a governmental agency non-profit, institution of higher education, public utility, or an entity covered by HIPAA or the Gramm-Leach-Bliley Act

If you answered YES to these questions, INCDPA applies to you!

Review whether you process sensitive personal data, including citizenship or immigration status, and precise geolocation data, and be sure you have appropriate consent.

Implement or update your process for receiving and responding to Individual Rights Requests (including appeals!).

Give the option of opting out of targeted advertising, the sale of personal data, and profiling.

Create or update Data Protection Assessments (or Privacy Impact Assessments, if completed for GDPR).

Ensure that your vendor contracts include appropriate privacy protections.

Partner with a third-party privacy expert to prepare your business for INCDPA compliance.

Exempt entities: INCDPA does not apply to governmental agencies, non-profits, institutions of higher education, public utilities, and others, including entities covered by the Gramm-Leach-Bliley Act or HIPAA.

Context: Like most other state privacy laws, with California being the notable exception, INCDPA does not apply to individuals acting in a commercial or employment context.

Exempt data: Data covered by HIPAA, the Common Rule, the Driver’s Privacy Protection Act, FERPA, the Fair Credit Reporting Act, the Farm Credit Act, and certain other laws are exempt.

Key Components of INCDPA

What Constitutes Sensitive Data?

What Constitutes Sale of Personal Data?

Pseudonymous Data

Data Protection Assessments aka Privacy Impact Assessments

Business Friendly Exceptions to Data Collection

How Will the ICDPA Be Enforced?

Data Privacy is Just Good Business

About

Services

Resources

Legal

Follow Us

Subscribe to our newsletter