Indiana Consumer Data Protection Act

    Overview

    The Indiana Consumer Data Protection Act  is a comprehensive law aimed at regulating how businesses handle personal data of Indiana residents. Effective January 1, 2026, it introduces requirements for companies to manage data responsibly, protect consumer rights are respected, and provide transparency in data handling practices.

     

    Regulation Summary

    Timeline
    • March 2023: passed in the Indiana legislature.
    • May 1, 2023: Signed into law.
    • January 1, 2026: effective date.
    What Businesses Are Affected
    • Applies to businesses operating in Indiana or targeting Indiana residents.
    • Businesses that meet one of the following criteria:
      • Process data of 100,000+ consumers annually.
      • Process data of 25,000+ consumers and derive more than 50% of revenue from data sales.
    Exemptions
    • Government entities, nonprofits, and financial institutions.
    • Data regulated by HIPAA, GLBA, FERPA, and COPPA.
    • Employment and household data.
    Responsibilities for Businesses
    • Data Security: Implement appropriate administrative, technical, and physical safeguards.
    • Transparency: Provide clear and accessible privacy notices.
    • Purpose Limitation: Avoid processing data for undisclosed purposes without consumer consent.
    • Non-discrimination: Prohibit unfair treatment of consumers exercising their rights.
    Specific Responsibilities for Website Owners
    • Opt-Out Mechanism: Provide opt-out options for data sales, targeted advertising, and profiling.
    • Privacy Notices: Display detailed disclosures about data collection and usage.
    • Data Access Requests: Respond to consumer requests within 45 days.
    Additional Requirements
    • Sensitive Data: Consent required for processing sensitive data (e.g., health data, biometric data).
    • Data Protection Assessments: Required for high-risk processing activities, such as targeted advertising and profiling.
    Data Subject Rights
    • Access: Request access to personal data.
    • Correction: Request corrections to inaccurate data.
    • Deletion: Request deletion of personal data.
    • Portability: Obtain data in a machine-readable format.
    • Opt-Out: Refuse data sales and profiling decisions.
    Enforcement
    • Enforced by the Indiana Attorney General.
    • Cure period: 30 days to address violations after notice.
    • Civil penalties of up to $7,500 per violation.
    • No private right of action (individual lawsuits not allowed).
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you.

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596