Indiana Consumer Data Protection Act

On January 1, 2026 the Indiana Consumer Data Protection Act is due to come into effect.

The ICDPA is the seventh comprehensive privacy law in the United States.

The new law has taken inspiration from the laws of Colorado, Connecticut and Virginia when drafting their version.
We’ve laid out the key information you need to know.

Get in touch to find out more and learn how we can help you.

Who does it impact?

Entities that conduct business in the state or produce products or services targeted at Indiana residents and either:

  • Control or process the personal data of either 100,000 consumers
  • Derive 50% of their gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers


  • Government entities and third parties under contract to them
  • Financial institutions and entities subject to the Gramm-Leach-Bliley Act
  • Entities who are subject to and comply with the Health Information Technology for Economic and Clinical Health Act and/or HIPAA
  • Nonprofit organizations
  • Higher education institutions
  • Public utilities

Consumer Rights

Consumers have the right to confirm whether their data is being processed and access that data.

Any inaccuracies in the personal data they provided the controller.

Consumers can request all data they previously provided the controller, alongside any other data otherwise obtained about them, to be deleted by the controller.

The copy or representative summary of the personal data sent to the consumer must be in a portable and readily usable format that allows the consumer to share it with another controller.

The controller does not have to do this more than once within a 12-month period.

Consumers can opt out of the processing of their personal data for targeted advertising, profiling and selling of personal data.

If a consumer, or a parent on behalf of a user known to be a child, does not provide their consent, a controller cannot process their sensitive data.


If a covered entity does not address violations during the cure period (see below) then Indiana Attorney General will then be able to enforce injunctions and penalties of up to $7,500 for each violation.

cure period

When there is reasonable belief of a violation the attorney general can issue a civil investigation. This will be followed by written notice to identify any alleged violations. Businesses will then have a 30-day period to cure any violations and provide a written statement that the violations have been cured and no further violations of that nature will occur.

Find out more about how Value Privacy can help your business stay on top of privacy laws.

You can also get in touch with us with any queries you have

Don’t forget you can keep up with us here as well