Partner
As noted in Part I of this summary, the State of Indiana recently passed its own version of a consumer data privacy/protection statute called the Indiana Consumer Data Protection Act (“ICDPA”). The new law becomes effective on January 1, 2026. See here for the text of the Act. In Part I, we summarized the rights granted to consumers under the ICDPA and what businesses are covered by the statute. In this part, we discuss what type of data is covered, what obligations are imposed on controllers and processors, and what is defined as the “sale of personal data.”
To What Data Does the ICDPA Apply?
The focus of the ICDPA is on consumer data that can be used to personally identify the consumer. Thus, the ICDPA does NOT apply to data that is disaggregated, publicly available, aggregated, or collected/retained in such a manner that prevents identification of an individual consumer. As with many of these statutes, the IDCPA distinguished personal data from “sensitive data.” The former is data like names and addresses, while the latter is data like social security numbers, race, genetic code, biometric data, geolocation information, etc. The ICDPA imposes higher obligations on the processing and sharing of sensitive data.
What Obligations are Imposed by the ICDPA?
The ICDPA imposes many obligations on controllers and processors of consumer data. As mentioned above, controllers are required to give notice to consumers and obtain consent. Controllers must also make channels available for consumers to exercise the rights listed above, to respond to such requests from consumers, and to respond within 45 days. Controllers must also clearly and prominently disclose that consumer data is being sold (and provide a clear path for opting out).
Other obligations include:
What Does “Sale of Personal Data” Mean?
“Sale of personal data” has the same meaning as in similar statutes. “Sale” means the exchange of personal data for monetary consideration by a controller to a third party but does not include sharing with an affiliate or third party who does the processing on behalf of the controller. There is also an exception for the disclosure or transfer of personal data to a third party as part of an asset sale, merger, acquisition, or bankruptcy.
Contact the Consumer Data Privacy Attorneys at Revision Legal For more information, contact the experienced Consumer Data Privacy Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
Congress recently passed the Take It Down Act (“TIDA”), and the law was signed by the President in mid-May 2025. See AP media report here. Interestingly enough, “Take It Down” is an acronym for “Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act.” TIDA prohibits what is commonly called “revenge […]
Read more about Take it Down Act: Ban on “Revenge Porn” Goes National
Receiving a Notice of Suspension from Amazon — or any online sales platform like Walmart — can be devastating. But you have options and, in some cases, you can have the decision reversed and be “up and running” within 24 hours. The best option is to consult with an Amazon Suspension Appeal attorney like the […]
Read more about Amazon Suspension Appeals: What to Do and Not to Do
Under U.S. trademark laws, there is a legal concept called the “Doctrine of Foreign Equivalence”(“DFE”). Essentially, the DFE prevents the registration of trademarks that violate U.S. trademark rules where foreign language words are used instead of English language words that have the same meaning. Thus, “blaue Milchviehbetriebe” and “fermes laitières bleues” are not registerable since […]
Read more about U.S. Trademarking: What is the Doctrine of Foreign Equivalence?