Brief Summary of the Indiana Consumer Data Protection Act — Part II featured image

Brief Summary of the Indiana Consumer Data Protection Act — Part II

by John DiGiacomo

Partner

Internet Law

As noted in Part I of this summary, the State of Indiana recently passed its own version of a consumer data privacy/protection statute called the Indiana Consumer Data Protection Act (“ICDPA”). The new law becomes effective on January 1, 2026. See here for the text of the Act. In Part I, we summarized the rights granted to consumers under the ICDPA and what businesses are covered by the statute. In this part, we discuss what type of data is covered, what obligations are imposed on controllers and processors, and what is defined as the “sale of personal data.”

To What Data Does the ICDPA Apply?

The focus of the ICDPA is on consumer data that can be used to personally identify the consumer. Thus, the ICDPA does NOT apply to data that is disaggregated, publicly available, aggregated, or collected/retained in such a manner that prevents identification of an individual consumer. As with many of these statutes, the IDCPA distinguished personal data from “sensitive data.” The former is data like names and addresses, while the latter is data like social security numbers, race, genetic code, biometric data, geolocation information, etc. The ICDPA imposes higher obligations on the processing and sharing of sensitive data.

What Obligations are Imposed by the ICDPA?

The ICDPA imposes many obligations on controllers and processors of consumer data. As mentioned above, controllers are required to give notice to consumers and obtain consent. Controllers must also make channels available for consumers to exercise the rights listed above, to respond to such requests from consumers, and to respond within 45 days. Controllers must also clearly and prominently disclose that consumer data is being sold (and provide a clear path for opting out).

Other obligations include:

  • To limit collection/processing of personal data to what is “adequate, relevant, and reasonably necessary in relation to disclosed purposes for which such data is processed”
  • Have adequate state-of-the-art cybersecurity
  • Process data without discrimination
  • Process data without retaliating against consumers who exercise the rights granted by the statute.
  • Have solid enforceable contractual agreements with affiliates whereby those entities are bound to comply with the ICDPA
  • Conduct annual data protection impact assessments
  • Have procedures that prevent the re-integration or re-identification of data that is disaggregated

What Does “Sale of Personal Data” Mean?

“Sale of personal data” has the same meaning as in similar statutes. “Sale” means the exchange of personal data for monetary consideration by a controller to a third party but does not include sharing with an affiliate or third party who does the processing on behalf of the controller. There is also an exception for the disclosure or transfer of personal data to a third party as part of an asset sale, merger, acquisition, or bankruptcy.

Contact the Consumer Data Privacy Attorneys at Revision Legal For more information, contact the experienced Consumer Data Privacy Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.

Extra, Extra!
Recent Posts

Take it Down Act: Ban on “Revenge Porn” Goes National

Take it Down Act: Ban on “Revenge Porn” Goes National

Internet Law

Congress recently passed the Take It Down Act (“TIDA”), and the law was signed by the President in mid-May 2025. See AP media report here. Interestingly enough, “Take It Down” is an acronym for “Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act.” TIDA prohibits what is commonly called “revenge […]

Read more about Take it Down Act: Ban on “Revenge Porn” Goes National

U.S. Trademarking: What is the Doctrine of Foreign Equivalence​?

U.S. Trademarking: What is the Doctrine of Foreign Equivalence​?

Trademark

Under U.S. trademark laws, there is a legal concept called the “Doctrine of Foreign Equivalence”(“DFE”). Essentially, the DFE prevents the registration of trademarks that violate U.S. trademark rules where foreign language words are used instead of English language words that have the same meaning. Thus, “blaue Milchviehbetriebe” and “fermes laitières bleues” are not registerable since […]

Read more about U.S. Trademarking: What is the Doctrine of Foreign Equivalence​?

Put Revision Legal on your side