Indiana has joined the growing list of states with a comprehensive consumer privacy statute, codified at Indiana Code 24‑15 and effective January 1, 2026.
The law follows the "Virginia model," but introduces several nuances that will matter for organizations doing business in, or targeting residents of, Indiana.
What Entities Are Covered?
The statute does not capture every business that touches Indiana residents. It applies to entities that conduct business in Indiana or offer products or services to Indiana residents and, in a calendar year, either: (1) control or process personal data of at least 100,000 Indiana consumers, or (2) control or process personal data of at least 25,000 Indiana consumers and derive more than 50% of gross revenue from the sale of personal data.
There are broad exemptions. State and local government entities, including certain affiliated service companies, are carved out. In addition:
- financial institutions and data subject to the Gramm‑Leach‑Bliley Act,
- HIPAA‑regulated covered entities and business associates,
- nonprofits,
- institutions of higher education, and
- public utilities
are also exempt. For many organizations in these sectors, existing federal or sector‑specific regimes will continue to drive most privacy compliance obligations.
What Counts as "Personal" and "Sensitive" Data?
The law adopts a familiar definition of personal data. "Personal data" is information that is linked or reasonably linkable to an identified or identifiable individual, excluding de‑identified data, aggregate data, and publicly available information. Publicly available information includes data made available through government records or information a business reasonably believes has been lawfully made public through widely distributed media or by the consumer, subject to certain limitations.
The statute creates a distinct category of sensitive data, which typically warrants stronger controls. Sensitive data includes personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis by a health care provider, sexual orientation, and citizenship or immigration status. It also covers genetic or biometric data used to uniquely identify an individual, personal data collected from a known child, and precise geolocation data that locates an individual within a 1,750‑foot radius. Controllers must obtain consent before processing sensitive data and must handle children's data in accordance with the Children's Online Privacy Protection Act.
What Rights Do Indiana Consumers Receive?
Indiana residents acting in a personal, family, or household capacity gain a suite of rights that will be familiar to organizations operating in other comprehensive privacy jurisdictions. Consumers have the right to confirm whether a controller is processing their personal data and to access that data, subject to defined limitations. They also may correct inaccuracies in personal data they previously provided, taking into account the nature of the data and the purposes of processing.
Consumers have a right to delete personal data provided by or obtained about them, including data the controller sourced from third parties. For this "third‑party" data, a controller may comply by retaining only a record of the deletion request and the minimum information required to ensure the data remains deleted, and by committing not to use that retained information for any other purpose. Consumers may further obtain either a copy of, or a representative summary of, the personal data they previously provided to the controller in a portable and, where technically practicable, readily usable format that allows them to transmit the data to another controller when processing is automated.
Importantly, Indiana consumers may opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects, such as decisions regarding credit, housing, employment, or access to essential services. Controllers must implement processes to authenticate requests, respond within 45 days (with a single 45‑day extension where reasonably necessary), and provide at least one response per consumer per twelve‑month period at no charge. If a controller denies a request, the consumer is entitled to an internal appeal, and any denial of that appeal must include a method to contact the Indiana Attorney General to submit a complaint.
What Does the Law Expect from Controllers and Processors?
The statute is as much about governance as it is about individual rights. Controllers must limit collection to personal data that is adequate, relevant, and reasonably necessary for the purposes disclosed to consumers. If a controller wishes to process personal data for purposes that are neither reasonably necessary for nor compatible with those disclosed purposes, it must obtain the consumer's consent.
Controllers are required to maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data. They may not process personal data in violation of state or federal anti‑discrimination laws and may not discriminate against consumers for exercising their rights, including by denying goods or services or providing a different level or quality solely because a consumer has exercised a statutory right. At the same time, the law permits bona fide loyalty, rewards, and similar programs and allows differentiated pricing or features when a consumer elects to receive targeted advertising or to permit the sale of personal data, provided these programs are transparent.
Transparency is a central requirement. Controllers must provide a "reasonably accessible, clear, and meaningful" privacy notice that identifies the categories of personal data processed, the purposes for processing, the means by which consumers can exercise their rights and appeal a decision, the categories of personal data shared with third parties, and the categories of those third parties. Where a controller sells personal data or uses it for targeted advertising, it must clearly and conspicuously disclose that activity and explain how consumers can opt out.
Processors, for their part, must adhere to the controller's instructions and assist the controller in meeting its obligations, including responding to consumer requests, maintaining security, and supporting breach notification obligations under Indiana's existing breach statute. Contracts between controllers and processors must set out processing instructions, the nature and purpose of processing, the type of data, the duration of processing, and each party's rights and obligations. These agreements must require confidentiality, address return or deletion of personal data at the end of services, provide information needed to demonstrate compliance, and allow for reasonable assessments or independent audits, with equivalent requirements flowing down to subcontractors.
What about DPIAs, De‑identified Data, and Enforcement?
Indiana aligns with other states in requiring formal documentation of certain higher‑risk processing through data protection impact assessments (DPIAs). The requirement applies to processing activities created or generated after December 31, 2025 and does not retroactively cover earlier processing. Controllers must conduct and document DPIAs for targeted advertising, sales of personal data, specified profiling that presents reasonably foreseeable risks (including unfair or deceptive treatment, unlawful disparate impact, or material injury), processing of sensitive data, and other processing that presents a heightened risk of harm to consumers.
DPIAs must weigh the benefits of processing to the controller, consumers, and the public against the risks to consumer rights, taking into account mitigation measures such as technical and organizational safeguards, the use of de‑identified data, consumer expectations, the context of processing, and the nature of the controller‑consumer relationship. A single DPIA may cover a set of similar processing operations, and an assessment prepared under another law may be used if its scope and effect are reasonably comparable. The Indiana Attorney General may request DPIAs relevant to an investigation by civil investigative demand, but these documents are confidential and exempt from public disclosure, which encourages candid analysis.
The statute also clarifies the treatment of de‑identified and pseudonymous data. Controllers must take reasonable measures to ensure de‑identified data cannot be associated with an individual, publicly commit not to attempt re‑identification, and contractually require recipients to follow the same constraints. At the same time, controllers and processors are not required to maintain data in an identifiable form solely to respond to consumer requests, and some rights and obligations are narrowed for pseudonymous data when robust technical and organizational controls are in place.
Enforcement authority resides exclusively with the Indiana Attorney General. Before initiating an enforcement action, the Attorney General must provide at least 30 days' notice of the alleged violation; if the organization cures the violation and provides a written statement that the violation has been cured and will not recur, the Attorney General may not proceed on that violation, and Indiana's cure period does not sunset. For uncured or repeated violations, the Attorney General may seek injunctive relief and civil penalties of up to $7,500 per violation, as well as recovery of reasonable investigative and litigation costs, including attorneys' fees. There is no private right of action, and the statute preempts local ordinances regulating the same subject matter, providing a single statewide framework.
For organizations already engaged in multi‑state privacy compliance, Indiana's law is another signal that comprehensive privacy obligations are becoming a standard feature of doing business in the United States. Reviewing data inventories for Indiana‑resident coverage, updating public notices and internal procedures, aligning vendor contracts with the controller‑processor requirements, and operationalizing DPIAs for targeted advertising, sales, profiling, and sensitive data will position businesses to be ready on January 1, 2026.