
Understanding the Indiana Consumer Data Protection Act (INCDPA)

Across the U.S., state-level momentum for comprehensive privacy bills is at an all-time high. Following in the footsteps of the likes of California, Oregon and Virginia, among numerous others, Indiana has joined the growing list introducing comprehensive consumer data rights and protections, via the Indiana Consumer Data Protection Act.

Much like the General Data Protection Regulation (GDPR) in Europe, the new Indiana law is intended to enhance transparency and accountability regarding the collection, use, and sharing of personal data. Most of its provisions are similar to those introduced in other U.S. states in recent years.

However, the Indiana Consumer Data Privacy Act stands out for several distinct features, one of which is its definition of the sale of data. Under the new Indiana law, the sale of data is narrowly defined as the exchange of personal data for monetary compensation from a controller to a third party.

This approach aligns with legislation in Virginia, Utah, and Iowa. In contrast, data privacy laws in California, Connecticut, and Colorado define the sale of personal data more broadly to encompass valuable considerations beyond monetary transactions.

Who does the Indiana Consumer Data Privacy Act apply to?

The INCDPA applies to various entities involved in the collection and processing of personal data within the state of Indiana. Specifically, the law applies to:

  • Businesses operating in Indiana: Any business that conducts operations within the state of Indiana is subject to the INCDPA if it collects or processes personal data.
  • Businesses collecting data from Indiana residents: Even if a business is not physically located in Indiana, it must comply with the INCDPA if it collects personal data from residents of Indiana.
  • Entities meeting thresholds: Unlike California’s law, Indiana’s privacy law does not rely solely on a revenue threshold. Under the INCDPA, controllers must comply even if their annual gross revenue does not reach a specific figure, provided they process the data of a certain number of consumers.
  • Specifically, entities must comply if they control or process the personal data of at least 100,000 consumers, or if they control or process the personal data of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data.
  • Specific activities involving personal data: The INCDPA applies to entities engaged in specific activities involving the processing of personal data, such as selling personal data or processing sensitive personal information.

Who is exempt from the INCDPA?

The new Indiana laws do not apply to:

  • A body, authority, board, bureau, commission, district or agency of the state or any political subdivision of the state, including a third party under contract with an entity described above, when acting on behalf of the entity. This clause does exempt data held or created by third parties outside of the scope of the contract with the entity.
  • Any financial institution or affiliate, or data subject to the Gramm-Leach-Bliley Act (GLBA);
  • Any covered entity or business associate governed by the privacy, security, and breach notification rules under HIPAA;
  • Any non-profit organization;
  • Any institution of higher education;
  • Any public utility or service company affiliated with a public utility.

Key provisions of the INCDPA

The Indiana Consumer Data Privacy Act includes several key provisions aimed at safeguarding the privacy rights of individuals and regulating the handling of personal data by businesses, including:

Consumer rights: The INCDPA grants consumers certain rights over their personal data. These rights may include the right to access their personal data held by businesses, the right to request correction of inaccurate data, the right to request deletion of their data under certain circumstances, and the right to opt out of the sale of their personal data.

Transparency requirements: Businesses subject to the INCDPA are often required to provide consumers with clear and understandable information about their data processing practices. This may include disclosing the types of personal data collected, the purposes for which the data is processed, and the categories of third parties with whom the data is shared.

Data security obligations: The INCDPA typically imposes obligations on businesses to implement reasonable security measures to protect the personal data they collect and process from unauthorized access, disclosure, alteration, or destruction. This may include measures such as encryption, access controls, and regular security assessments.

Data breach notification: In the event of a data breach involving personal data, businesses subject to the INCDPA may be required to notify affected individuals and, in some cases, relevant regulatory authorities within a specified time frame. The notification must include information about the nature of the breach, the types of data affected, and any steps individuals can take to protect themselves.

Consent requirements: The INCDPA may include provisions requiring businesses to obtain consumers’ consent before collecting, processing, or disclosing their personal data, especially for sensitive categories of data. Consent must typically be freely given, specific, informed, and unambiguous.

Non-discrimination: The INCDPA may prohibit businesses from discriminating against consumers who exercise their rights under the law. This means that businesses cannot deny goods or services, charge different prices, or provide a different level of service based on a consumer’s exercise of their privacy rights.

Compliance with the Indiana Consumer Data Protection Act

To comply with the new Indiana laws, entities should:

  • Collect personal data that is adequate, relevant, and reasonably necessary for the disclosed purposes of processing.
  • Implement appropriate data security measures based on the volume and nature of the personal data.
  • Comply with anti-discrimination laws when processing personal data.
  • Establish binding contracts with processors, detailing the nature and purpose of processing, instructions, and the rights and obligations of both parties.
  • Obtain consumer opt-in consent before processing sensitive data, and handle the sensitive data of known children in compliance with the Children’s Online Privacy Protection Act (COPPA).
  • Provide clear and accessible privacy notices, disclosing data categories, processing purposes, consumer rights, data sharing with third parties, and opt-out options if personal data is sold or used for targeted advertising.
  • Conduct data protection impact assessments for specific data processing activities involving personal data.

A Data Protection Impact Assessment (DPIA) is required under the Indiana Data Privacy Act when processing personal data for targeted advertising, for the sale of personal data, for profiling that presents foreseeable risks, for the processing of sensitive personal data, and for any processing activity that presents a heightened risk of harm to consumers.

Penalties for non-compliance with INCDPA

The INCDPA provides controllers with 30 days to resolve alleged violations. The attorney general (AG) has the authority to pursue injunctive relief and impose civil penalties of up to $7,500 per violation.

However, before taking action, the attorney general must first give the controller or processor a 30-day notice to resolve the violation. During these 30 days, the controller or processor must provide the AG with a written statement confirming the resolution of the violations and assuring that they will not recur.

What are key Indiana Consumer Data Protection Act dates?

The Indiana privacy law was passed in May 2023. It goes into effect in January 2026.

TrustArc U.S. State Data Privacy Resources

TrustArc is committed to helping organizations understand and manage their compliance obligations for all existing and emerging U.S. state privacy laws.
