toggle accessibility mode
Indiana Consumer Data Protection Act

Brief Summary of the Indiana Consumer Data Protection Act: Part I

By John DiGiacomo

The state of Indiana recently passed its own version of a consumer data privacy/protection statute called the Indiana Consumer Data Protection Act (“ICDPA”). The new law becomes effective on January 1, 2026. The ICDPA has many of the same aspects as other similar laws passed in states like California, Texas, Utah, Colorado, Connecticut, etc. As with the newer versions of these laws, the ICDPA adds a focus on targeted advertising. If your company or business is currently in compliance with other U.S. consumer data privacy/protection statutes, it should not be difficult to be in compliance with the ICDPA. That is because the Indiana Consumer Data Protection Act’s regulatory regime is the same as similar laws. In brief, the regulatory regime involves:

  • A focus on consumer data collection and processing by “processors” (a person/entity “that processes personal data on behalf of a controller”) and “controllers” (a person/entity “that, alone or jointly with others, determines the purpose and means of processing personal data”)
  • Giving consumers various rights
  • Requiring that consumers be given notice of their rights including the right to know what data is being processed
  • Requiring that consent be obtained from consumers

Note that, on its surface, the ICDPA may seem to depart from an earlier focus of these statutes on data collection. However, the definition of “processing” includes data collection. So, when the ICDPA gives a consumer the right to opt out of “processing,” that also includes the right to opt out of having their data “collected.”The ICDPA provides no private right of action and is to be enforced by administrative action by the Indiana Attorney General. Here is a brief summary of the ICDPA.

What Consumer Rights are Granted?

Under the ICDPA, consumers have the following rights:

  • To confirm whether or not a controller is processing the consumer’s personal data and to access such personal data (see below)
  • To correct inaccuracies in the consumer’s personal data
  • To delete personal data provided by or obtained about the consumer
  • Once in a 12-month period, the right to obtain either: (A) a copy of; or (B) a representative summary of the consumer’s personal data that the consumer previously provided to the controller — this information provided must be in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data or summary to another controller without hindrance
  • To opt out of the processing of the consumer’s personal data for purposes of (i) targeted advertising; (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer

What Businesses are Covered by the ICDPA?

Unlike other similar statutes, there is no monetary threshold to the applicability of the ICDPA. Rather, the thresholds relate to doing business in Indiana and to the number of Indiana consumers whose data is collected/processed. More specifically, the ICDPA applies to:

  • Any entity doing business in Indiana or which produces products or services that are targeted to the residents of Indiana AND;
  • Any entity that controls or processes consumer data of at least 100,000 Indiana residents OR does so for 25,000+ Indiana residents AND derives over 50% of its gross revenue from the sale of personal data

Other aspects of the ICDPA will be covered in Part II of this summary.

Contact the Consumer Data Privacy Attorneys at Revision Legal For more information, contact the experienced Consumer Data Privacy Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.

Put Revision Legal on your side