As noted in Part I of this summary, the State of Indiana recently passed its own version of a consumer data privacy/protection statute called the Indiana Consumer Data Protection Act (“ICDPA”). The new law becomes effective on January 1, 2026. See here for the text of the Act. In Part I, we summarized the rights granted to consumers under the ICDPA and what businesses are covered by the statute. In this part, we discuss what type of data is covered, what obligations are imposed on controllers and processors, and what is defined as the “sale of personal data.”
To What Data Does the ICDPA Apply?
The focus of the ICDPA is on consumer data that can be used to personally identify the consumer. Thus, the ICDPA does NOT apply to data that is disaggregated, publicly available, aggregated, or collected/retained in such a manner that prevents identification of an individual consumer. As with many of these statutes, the ICDPA distinguishes personal data from “sensitive data.” The former is data like names and addresses, while the latter is data like social security numbers, race, genetic code, biometric data, geolocation information, etc. The ICDPA imposes higher obligations on the processing and sharing of sensitive data.
What Obligations are Imposed by the ICDPA?
The ICDPA imposes many obligations on controllers and processors of consumer data. As mentioned above, controllers are required to give notice to consumers and obtain consent. Controllers must also make channels available through which consumers can exercise the rights listed above, and must respond to such consumer requests within 45 days. Controllers must also clearly and prominently disclose that consumer data is being sold (and provide a clear path for opting out).
Other obligations include:
- Limit collection/processing of personal data to what is “adequate, relevant, and reasonably necessary in relation to disclosed purposes for which such data is processed”
- Have adequate state-of-the-art cybersecurity
- Process data without discrimination
- Process data without retaliating against consumers who exercise the rights granted by the statute
- Have solid enforceable contractual agreements with affiliates whereby those entities are bound to comply with the ICDPA
- Conduct annual data protection impact assessments
- Have procedures that prevent the re-integration or re-identification of data that is disaggregated
What Does “Sale of Personal Data” Mean?
“Sale of personal data” has the same meaning as in similar statutes. “Sale” means the exchange of personal data for monetary consideration by a controller to a third party but does not include sharing with an affiliate or third party who does the processing on behalf of the controller. There is also an exception for the disclosure or transfer of personal data to a third party as part of an asset sale, merger, acquisition, or bankruptcy.
Contact the Consumer Data Privacy Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
Data Protection Impact Assessments Under the ICDPA
The ICDPA’s requirement for annual data protection impact assessments (DPIAs) is among the most operationally demanding obligations in the statute. DPIAs are required for processing activities that present a heightened risk of harm, specifically: targeted advertising; the sale of personal data; profiling that creates a reasonably foreseeable risk of financial, physical, or reputational harm; and the processing of sensitive data. The Indiana Attorney General can request access to DPIAs during an investigation.
A well-structured DPIA should document: the specific processing activity being assessed; the categories of personal data involved; the business purpose and benefits of the processing; potential risks to consumers; the technical and organizational safeguards in place; and the controller’s conclusion regarding whether the benefits outweigh the risks. Unlike GDPR DPIAs — which must be shared with a supervisory authority in certain cases — ICDPA DPIAs are internal documents that must be produced upon regulatory request.
Enforcement: Attorney General, Cure Period, and Penalties
The ICDPA is enforced exclusively by the Indiana Attorney General. Consumers have no private right of action, consistent with most U.S. state privacy laws. Civil penalties can reach $7,500 per violation. The statute contemplates that each individual consumer whose rights are violated may constitute a separate violation, so the total penalty can multiply quickly in large-scale data breaches or systemic non-compliance.
Before initiating a civil action, the AG must provide written notice and a 30-day cure period — shorter than Tennessee’s 60-day window and requiring prompt action. A business that cures a violation and provides written notice to the AG within 30 days is protected from suit for that specific violation. The AG retains discretion to pursue future violations of the same provision.
Sensitive Data Processing: The Higher Opt-In Standard
The ICDPA’s treatment of sensitive data requires particular attention. For general personal data, controllers need only provide an opportunity to opt out of sale, targeted advertising, and profiling. For sensitive data — including genetic data, biometric data, specific health diagnoses, precise geolocation, data of known minors, and data revealing racial or ethnic origin — the ICDPA requires affirmative opt-in consent before processing. This is a materially higher standard requiring a different consent infrastructure.
Many organizations that process health, wellness, or fitness data have inadvertently processed sensitive data without adequate opt-in consent because they designed their consent flows for states with lower standards. A compliance gap analysis mapping the organization’s data inventory against the ICDPA’s sensitive data definitions is an essential first step before the ICDPA’s January 1, 2026 effective date.
Practical Steps for ICDPA Compliance Before January 1, 2026
- Complete a data inventory mapping all personal data collected, processed, and shared — categorizing data as general personal data or sensitive data under ICDPA definitions
- Audit consent mechanisms and update opt-in flows for sensitive data processing
- Review and update privacy notices to satisfy ICDPA disclosure requirements
- Establish consumer rights request procedures including identity verification, a 45-day response workflow, and an appeal process
- Audit data processing agreements with all vendors to ensure ICDPA-compliant contractual terms
- Conduct DPIAs for all targeted advertising, profiling, data sale, and sensitive data processing activities
- Establish a breach response program consistent with Indiana’s data breach notification requirements under Indiana Code § 24-4.9
Revision Legal’s privacy attorneys have helped businesses across industries prepare for the effective dates of new state privacy laws. Contact us at (855) 473-8474 to schedule an ICDPA readiness assessment.