The state of Indiana recently passed its own version of a consumer data privacy/protection statute called the Indiana Consumer Data Protection Act (“ICDPA”). The new law becomes effective on January 1, 2026. The ICDPA has many of the same aspects as other similar laws passed in states like California, Texas, Utah, Colorado, Connecticut, etc. As with the newer versions of these laws, the ICDPA adds a focus on targeted advertising. If your company or business is currently in compliance with other U.S. consumer data privacy/protection statutes, it should not be difficult to be in compliance with the ICDPA. That is because the ICDPA’s regulatory regime is the same as that of similar laws. In brief, the regulatory regime involves:
- A focus on consumer data collection and processing by “processors” (a person/entity “that processes personal data on behalf of a controller”) and “controllers” (a person/entity “that, alone or jointly with others, determines the purpose and means of processing personal data”)
- Giving consumers various rights
- Requiring that consumers be given notice of their rights including the right to know what data is being processed
- Requiring that consent be obtained from consumers
Note that, on its surface, the ICDPA may seem to depart from an earlier focus of these statutes on data collection. However, the definition of “processing” includes data collection. So, when the ICDPA gives a consumer the right to opt out of “processing,” that also includes the right to opt out of having their data “collected.”
The ICDPA provides no private right of action and is to be enforced by administrative action by the Indiana Attorney General. Here is a brief summary of the ICDPA.
What Consumer Rights are Granted?
Under the ICDPA, consumers have the following rights:
- To confirm whether or not a controller is processing the consumer’s personal data and to access such personal data (see below)
- To correct inaccuracies in the consumer’s personal data
- To delete personal data provided by or obtained about the consumer
- Once in a 12-month period, the right to obtain either: (A) a copy of; or (B) a representative summary of the consumer’s personal data that the consumer previously provided to the controller — this information provided must be in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data or summary to another controller without hindrance
- To opt out of the processing of the consumer’s personal data for purposes of (i) targeted advertising; (ii) the sale of personal data; or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer
What Businesses are Covered by the ICDPA?
Unlike other similar statutes, the ICDPA has no monetary threshold for applicability. Rather, the thresholds relate to doing business in Indiana and to the number of Indiana consumers whose data is collected/processed. More specifically, the ICDPA applies to:
- Any entity doing business in Indiana or that produces products or services targeted to the residents of Indiana; AND
- Any entity that controls or processes consumer data of at least 100,000 Indiana residents OR does so for 25,000+ Indiana residents AND derives over 50% of its gross revenue from the sale of personal data
Other aspects of the ICDPA will be covered in Part II of this summary.
Contact the Consumer Data Privacy Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
Controller and Processor Obligations Under the ICDPA
Like other modern U.S. state privacy statutes, the ICDPA distinguishes between “controllers” — businesses that determine the purposes and means of processing personal data — and “processors” — entities that process data on behalf of controllers. This distinction matters because it determines which party bears primary legal responsibility for compliance. A cloud software vendor that processes your customer data on your behalf is a processor; your business is the controller. The ICDPA requires that data processing relationships between controllers and processors be documented in a written contract called a Data Processing Agreement (DPA).
The ICDPA’s DPA requirements are substantive: the contract must set out the instructions for processing, the nature and purpose of processing, the type of personal data involved, the duration of processing, and the rights and obligations of both parties. Critically, processors must only process personal data in accordance with the controller’s documented instructions, must maintain appropriate security measures, and must assist the controller in meeting its statutory obligations to consumers — including honoring consumer requests to access, correct, delete, or port their data. Businesses that have not updated their vendor contracts to include ICDPA-compliant DPA provisions should do so before January 1, 2026.
Sensitive Data and Consent Requirements
The ICDPA draws a distinction between general personal data and “sensitive data,” which receives heightened protection. Under the ICDPA, sensitive data includes:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship/immigration status
- Genetic or biometric data processed for the purpose of uniquely identifying an individual
- Personal data collected from a known child
- Precise geolocation data
Controllers that process sensitive data must obtain the consumer’s consent before doing so. This is an opt-in requirement — unlike the opt-out framework that applies to general personal data processing for most purposes. Consent under the ICDPA must be “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement.” Pre-checked boxes, consent buried in terms of service, or consent obtained as a condition of service do not qualify as valid consent for sensitive data under this standard.
Data Protection Assessments
The ICDPA requires controllers to conduct and document a Data Protection Assessment for each processing activity that presents heightened risk. Activities requiring a Data Protection Assessment include processing sensitive data, targeted advertising, the sale of personal data, profiling that poses a reasonably foreseeable risk of harm, and any other processing that presents a heightened risk of harm to consumers. The Data Protection Assessment is an internal risk-benefit analysis, not a public document. However, the Indiana Attorney General can require a controller to produce its Data Protection Assessments as part of an enforcement investigation.
A well-constructed Data Protection Assessment demonstrates that the controller has genuinely evaluated the privacy risks of the processing activity and determined that those risks are outweighed by the legitimate business benefits. It also documents the safeguards the controller has implemented to mitigate those risks. Businesses that conduct Data Protection Assessments in good faith — and document their reasoning — are better positioned to defend against enforcement actions than those that treat the assessment as a box-checking exercise.
Enforcement: Indiana Attorney General Authority
As noted, the ICDPA does not create a private right of action — consumers cannot sue controllers directly for violations of the Act. Enforcement authority rests exclusively with the Indiana Attorney General. Before bringing a civil action, the AG must provide the controller with written notice identifying the specific violation and allowing 30 days to cure the alleged violation. If the controller cures the violation within the cure period and provides the AG with a written statement attesting to the cure and committing to future compliance, no enforcement action can be brought for that violation.
However, the cure right is not unlimited. If the controller continues to violate the Act after providing an attestation of cure, the AG can bring a civil action without providing another cure opportunity. Civil penalties under the ICDPA can reach up to $7,500 per violation. Given that each consumer whose rights are violated may constitute a separate violation, penalties can accumulate rapidly for widespread non-compliance — particularly for businesses that collect or process data from large numbers of Indiana residents.
Contact the Consumer Data Privacy Attorneys at Revision Legal
The ICDPA takes effect January 1, 2026, and businesses that collect or process data from Indiana residents need to begin their compliance review now. Achieving compliance requires auditing your data collection practices, updating your privacy policy and consumer-facing notices, revising vendor contracts to include compliant DPA terms, implementing mechanisms for honoring consumer rights requests, and conducting Data Protection Assessments for high-risk processing activities. The consumer data privacy attorneys at Revision Legal advise businesses on compliance with state data privacy laws across the country. Contact us through the form on this page or call (855) 473-8474.