Brief Summary of the Indiana Consumer Data Protection Act: Part I featured image

Brief Summary of the Indiana Consumer Data Protection Act: Part I

by John DiGiacomo

Partner

Internet Law

The state of Indiana recently passed its own version of a consumer data privacy/protection statute called the Indiana Consumer Data Protection Act (“ICDPA”). The new law becomes effective on January 1, 2026. The ICDPA has many of the same aspects as other similar laws passed in states like California, Texas, Utah, Colorado, Connecticut, etc. As with the newer versions of these laws, the ICDPA adds a focus on targeted advertising. If your company or business is currently in compliance with other U.S. consumer data privacy/protection statutes, it should not be difficult to be in compliance with the ICDPA. That is because the Indiana Consumer Data Protection Act’s regulatory regime is the same as similar laws. In brief, the regulatory regime involves:

  • A focus on consumer data collection and processing by “processors” (a person/entity “that processes personal data on behalf of a controller”) and “controllers” (a person/entity “that, alone or jointly with others, determines the purpose and means of processing personal data”)
  • Giving consumers various rights
  • Requiring that consumers be given notice of their rights including the right to know what data is being processed
  • Requiring that consent be obtained from consumers

Note that, on its surface, the ICDPA may seem to depart from an earlier focus of these statutes on data collection. However, the definition of “processing” includes data collection. So, when the ICDPA gives a consumer the right to opt out of “processing,” that also includes the right to opt out of having their data “collected.”The ICDPA provides no private right of action and is to be enforced by administrative action by the Indiana Attorney General. Here is a brief summary of the ICDPA.

What Consumer Rights are Granted?

Under the ICDPA, consumers have the following rights:

  • To confirm whether or not a controller is processing the consumer’s personal data and to access such personal data (see below)
  • To correct inaccuracies in the consumer’s personal data
  • To delete personal data provided by or obtained about the consumer
  • Once in a 12-month period, the right to obtain either: (A) a copy of; or (B) a representative summary of the consumer’s personal data that the consumer previously provided to the controller — this information provided must be in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data or summary to another controller without hindrance
  • To opt out of the processing of the consumer’s personal data for purposes of (i) targeted advertising; (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer

What Businesses are Covered by the ICDPA?

Unlike other similar statutes, there is no monetary threshold to the applicability of the ICDPA. Rather, the thresholds relate to doing business in Indiana and to the number of Indiana consumers whose data is collected/processed. More specifically, the ICDPA applies to:

  • Any entity doing business in Indiana or which produces products or services that are targeted to the residents of Indiana AND;
  • Any entity that controls or processes consumer data of at least 100,000 Indiana residents OR does so for 25,000+ Indiana residents AND derives over 50% of its gross revenue from the sale of personal data

Other aspects of the ICDPA will be covered in Part II of this summary.

Contact the Consumer Data Privacy Attorneys at Revision Legal For more information, contact the experienced Consumer Data Privacy Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.

Extra, Extra!
Recent Posts

Worrying About SaaS Agreements and Cross-Border Data Transfers

Worrying About SaaS Agreements and Cross-Border Data Transfers

Internet Law

When your business is contemplating a software-as-a-service (“SaaS”) agreement, there are a large number of considerations. An SaaS agreement is, of course, a subscription service where a software package is centrally hosted and accessed by a SaaS company’s customers. Issues to be aware of include: As important as the foregoing issues are, one often overlooked […]

Read more about Worrying About SaaS Agreements and Cross-Border Data Transfers

FAQs About Legal Services for Social Media Influencers, Bloggers, and Online Content Creators

FAQs About Legal Services for Social Media Influencers, Bloggers, and Online Content Creators

Internet Law

If you are serious about your career as a social media influencer, blogger, and/or online content creator, you ARE going to need legal services at some point. Online creation is big business now, and big business means the need for legal services. The Internet and Social Media Attorneys at Revision Legal are here to help. […]

Read more about FAQs About Legal Services for Social Media Influencers, Bloggers, and Online Content Creators

Take it Down Act: Ban on “Revenge Porn” Goes National

Take it Down Act: Ban on “Revenge Porn” Goes National

Internet Law

Congress recently passed the Take It Down Act (“TIDA”), and the law was signed by the President in mid-May 2025. See AP media report here. Interestingly enough, “Take It Down” is an acronym for “Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act.” TIDA prohibits what is commonly called “revenge […]

Read more about Take it Down Act: Ban on “Revenge Porn” Goes National

Put Revision Legal on your side