As noted in Part I of this summary, the State of Indiana recently passed its own version of a consumer data privacy/protection statute called the Indiana Consumer Data Protection Act (“ICDPA”). The new law becomes effective on January 1, 2026. See here for the text of the Act. In Part I, we summarized the rights granted to consumers under the ICDPA and what businesses are covered by the statute. In this part, we discuss what type of data is covered, what obligations are imposed on controllers and processors, and what is defined as the “sale of personal data.”

To What Data Does the ICDPA Apply?

The focus of the ICDPA is on consumer data that can be used to personally identify the consumer. Thus, the ICDPA does NOT apply to data that is disaggregated, publicly available, aggregated, or collected/retained in such a manner that prevents identification of an individual consumer. As with many of these statutes, the IDCPA distinguished personal data from “sensitive data.” The former is data like names and addresses, while the latter is data like social security numbers, race, genetic code, biometric data, geolocation information, etc. The ICDPA imposes higher obligations on the processing and sharing of sensitive data.

What Obligations are Imposed by the ICDPA?

The ICDPA imposes many obligations on controllers and processors of consumer data. As mentioned above, controllers are required to give notice to consumers and obtain consent. Controllers must also make channels available for consumers to exercise the rights listed above, to respond to such requests from consumers, and to respond within 45 days. Controllers must also clearly and prominently disclose that consumer data is being sold (and provide a clear path for opting out).

Other obligations include:

• To limit collection/processing of personal data to what is “adequate, relevant, and reasonably necessary in relation to disclosed purposes for which such data is processed”
• Have adequate state-of-the-art cybersecurity
• Process data without discrimination
• Process data without retaliating against consumers who exercise the rights granted by the statute.
• Have solid enforceable contractual agreements with affiliates whereby those entities are bound to comply with the ICDPA
• Conduct annual data protection impact assessments
• Have procedures that prevent the re-integration or re-identification of data that is disaggregated

What Does “Sale of Personal Data” Mean?

“Sale of personal data” has the same meaning as in similar statutes. “Sale” means the exchange of personal data for monetary consideration by a controller to a third party but does not include sharing with an affiliate or third party who does the processing on behalf of the controller. There is also an exception for the disclosure or transfer of personal data to a third party as part of an asset sale, merger, acquisition, or bankruptcy.

Contact the Consumer Data Privacy Attorneys at Revision Legal For more information, contact the experienced Consumer Data Privacy Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.