Partner
As noted in Part I of this summary, the State of Indiana recently passed its own version of a consumer data privacy/protection statute called the Indiana Consumer Data Protection Act (“ICDPA”). The new law becomes effective on January 1, 2026. See here for the text of the Act. In Part I, we summarized the rights granted to consumers under the ICDPA and what businesses are covered by the statute. In this part, we discuss what type of data is covered, what obligations are imposed on controllers and processors, and what is defined as the “sale of personal data.”
To What Data Does the ICDPA Apply?
The focus of the ICDPA is on consumer data that can be used to personally identify the consumer. Thus, the ICDPA does NOT apply to data that is disaggregated, publicly available, aggregated, or collected/retained in such a manner that prevents identification of an individual consumer. As with many of these statutes, the IDCPA distinguished personal data from “sensitive data.” The former is data like names and addresses, while the latter is data like social security numbers, race, genetic code, biometric data, geolocation information, etc. The ICDPA imposes higher obligations on the processing and sharing of sensitive data.
What Obligations are Imposed by the ICDPA?
The ICDPA imposes many obligations on controllers and processors of consumer data. As mentioned above, controllers are required to give notice to consumers and obtain consent. Controllers must also make channels available for consumers to exercise the rights listed above, to respond to such requests from consumers, and to respond within 45 days. Controllers must also clearly and prominently disclose that consumer data is being sold (and provide a clear path for opting out).
Other obligations include:
What Does “Sale of Personal Data” Mean?
“Sale of personal data” has the same meaning as in similar statutes. “Sale” means the exchange of personal data for monetary consideration by a controller to a third party but does not include sharing with an affiliate or third party who does the processing on behalf of the controller. There is also an exception for the disclosure or transfer of personal data to a third party as part of an asset sale, merger, acquisition, or bankruptcy.
Contact the Consumer Data Privacy Attorneys at Revision Legal For more information, contact the experienced Consumer Data Privacy Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
The answer is legally complicated since the Food and Drug Administration (“FDA”) has defined the term “healthy” to apply to foods, not dietary supplements. On the other hand, in some circumstances, certain types of oils — like olive oil — are now eligible to use the “healthy” label. Thus, if your supplement is an oil […]
Read more about Can You Claim Your Dietary Supplements are “Healthy” on the Packaging?
If nurtured properly, trademarks can continue to function indefinitely, bringing continued and increasing value to the owners. There are, however, ways that trademarks can be “lost.” As an example, a trademark can be abandoned through lack of use or can be lost to the general public through the process of genericide. That happens when the […]
Read more about Avoiding “Naked” Trademark Licensing With Superior Licensing Agreements
Social media influencing has become a big business. As such, influencers need experienced internet lawyers to help with their contracts and other legal needs. In early October 2025, there was a bit of a stir on the internet concerning claims that the Government of Israel, through its Ministry of Foreign Affairs, was paying social media […]
Read more about $7,000 Per Post? How Much Do Influencers Get Paid?