Introducing one of the latest US states with a data privacy law signed — drumroll, please — Indiana!
Indiana’s Consumer Data Protection Act, or Indiana CDPA, was signed into law on May 1, 2023.
The law resembles other state laws, like the Virginia Consumer Data Protection Act (VCDPA), but introduces a few new requirements that business owners should be aware of.
Ready to learn if the Indiana CDPA applies to your business and the steps you need to take to prepare for compliance?
Below, I’ve outlined everything businesses need to know about the Indiana CDPA.
- What Is the Indiana Consumer Data Protection Act (Indiana CDPA)?
- Indiana CDPA Key Terms and Definitions
- What Does the Indiana Consumer Data Protection Act Cover?
- Requirements of the Indiana Consumer Data Protection Act
- Indiana’s Law vs. Other State Data Privacy Laws: Similarities and Differences
- How Will Consumers Be Impacted by the Indiana CDPA?
- How Will Businesses Be Impacted by the Indiana CDPA?
- Who Must Comply With Indiana’s New Data Privacy Law?
- How Can Businesses Prepare for the Indiana CDPA?
- How Will the Indiana CDPA Be Enforced?
- Fines and Penalties under the Indiana Consumer Data Protection Act
- How Will Termly Help With Indiana CDPA Compliance?
- Are There Other Privacy Related Laws in Indiana?
What Is the Indiana Consumer Data Protection Act (Indiana CDPA)?
The Indiana CDPA describes the privacy rights Indiana residents have with regard to how various entities collect, process, and use their information.
It also describes the legal obligations and requirements entities must follow to process the information of Indiana residents and outlines the penalties for violating any portion of the law.
When Does the Indiana CDPA Go Into Effect?
The Indiana Consumer Data Protection Act enters into force on Jan. 1, 2026, giving businesses over two years to comply.
It establishes a new article in the Indiana Code, which contains the codification of all laws currently in effect in the state.
Indiana CDPA Key Terms and Definitions
There are several key terms outlined in Chapter 2 of the Indiana CDPA that you must understand to comply with this new law properly.
Below are important definitions exactly as they appear in the law:
- Biometric data: Data that is generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, a voiceprint, images of the retina or iris, or other unique biological patterns or characteristics.
  - It does not include a physical or digital photograph, or data generated from a physical or digital photograph; a video or audio recording, or data generated from a video or audio recording; or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.
- Consumer: An individual who is a resident of Indiana and is acting only for a personal, family, or household purpose.
  - It does not include individuals acting in a commercial or employment context.
- Consent: A clear affirmative act that signifies a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.
- Data controller: A person that, alone or jointly with others, determines the purpose and means of processing personal data.
- Data processor: A person that processes personal data on behalf of a controller.
- Personal data: Information that is linked or reasonably linkable to an identified or identifiable individual.
  - It does not include de-identified data, aggregate data, or publicly available information.
- Pseudonymous data: Personal data that cannot be attributed to a specific individual because additional information that would allow the data to be attributed to a specific individual is kept separately and subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.
- Processing: With respect to personal data, means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
- Sensitive data: A category of personal data that includes any of the following: personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis made by a healthcare provider, sexual orientation, or citizenship or immigration status; genetic or biometric data; personal data collected from a known child; and precise geolocation data.
What Does the Indiana Consumer Data Protection Act Cover?
The Indiana CDPA only covers residents of the state of Indiana acting for personal, family, or household purposes, as described in Section 8 (a) of Chapter 2 of the law.
It does not cover anyone in Indiana acting in a commercial or employment context.
This distinction is important, as the Indiana CDPA applies to businesses with operations in Indiana and those that produce products or services targeted at Indiana consumers or residents — regardless of their business location.
Requirements of the Indiana Consumer Data Protection Act
The Indiana CDPA outlines several requirements that businesses must comply with, which are covered in detail throughout this next section.
Keep in mind that the law sets out obligations both for data controllers and data processors, so we will address their obligations separately.
Obligations on Data Controllers Processing Data
Under the Indiana CDPA, data controllers have the following responsibilities, as outlined in Chapter 4 of the law:
- As a controller, you must limit the collection of personal information to what is “adequate, relevant, and reasonably necessary” for the purposes for which you process the data as disclosed to the consumer.
- You shall not process personal information for purposes that are neither reasonably necessary nor compatible with the disclosed purposes unless you obtain consent from consumers.
- You must establish, implement, and maintain reasonable technical, administrative, and physical data security practices to appropriately protect the data’s integrity and confidentiality based on the volume and nature of the data collected.
- You cannot process personal data in violation of state or federal laws prohibiting unlawful discrimination against consumers.
- You cannot process sensitive personal information without obtaining consent.
- Any contracts or provisions that waive or limit consumers’ rights in any way as outlined by the Indiana CDPA are void and unenforceable.
As mentioned above, controllers can process information for purposes that are not “reasonably necessary” or “compatible with the disclosed purposes” if they obtain consumer consent.
Under the Indiana CDPA, the way you request consent must meet certain conditions.
For consent to be considered legally obtained under this law, the user must take a clear and affirmative action.
For example, you could ask them to tick an unchecked checkbox or select a clearly labeled ‘Agree’ button.
Consent under this law must also be freely given, specific, informed, and unambiguous.
In other words, the user must know exactly what they’re agreeing to and cannot be forced or coerced into opting in.
Contractual Obligations Between Controllers and Processors
The contract between a controller and a processor must include provisions requiring all of the following of the processor:
- Guarantee that each individual involved in processing personal data is subject to a duty of confidentiality concerning the data.
- Delete the personal data or return it all at the controller’s direction, unless required by law to keep the personal data.
- Make all information in the processor’s possession available to the controller to demonstrate their compliance with the Indiana CDPA upon reasonable request of the controller.
- Cooperate with and allow for reasonable assessments by the controller’s designated assessor, or allow an independent assessor to perform the assessment procedure.
- Require subcontractors of the processor to sign a written contract following the same obligations outlined by the Indiana CDPA.
Data Protection Impact Assessments
The Indiana CDPA requires entities to perform Data Protection Impact Assessments (DPIAs) before carrying out certain data processing activities, as described in Chapter 6 of the law.
Data controllers must perform and document DPIAs for any of the following processing activities:
- Processing personal data for targeted advertising
- Selling personal data
- Processing personal data for the purpose of profiling if it presents a reasonably foreseeable risk to the individual
- Processing sensitive personal information
- Any processing activities that present a heightened risk of harm to consumers
The DPIA must weigh the risks and benefits that may flow directly or indirectly from the data processing and its impact on the controller, the consumer, other stakeholders, and the public.
Businesses should also consider any safeguards or security measures that are in place.
Entities can use a single DPIA to account for multiple data processing activities to comply with this portion of the law, and it may be the same DPIA used to comply with other data privacy laws that provide a comparable level of scope and protection.
The DPIA requirements apply to all processing activities after Dec. 31, 2025, and do not retroactively apply to any data generated before Jan. 1, 2026.
Data Concerning Known Children
If your business collects personal information from known children and falls under the Indiana CDPA, you may only do so if you also adhere to the federal Children’s Online Privacy Protection Act (COPPA).
According to the Indiana CDPA, “child” means anyone less than 13 years of age.
Indiana’s data privacy law considers any information about known children to fall into the category of sensitive personal data.
You must provide a way for legal guardians to act on behalf of their children and follow through on their data privacy rights granted by this law.
Obligations That Data Processors Must Comply With
The Indiana Consumer Data Protection Act specifically requires data processors to assist data controllers in fulfilling their duties in order to:
- Enable the data controller to satisfy its obligation to respond to data subject requests.
- Enable the data controller to fulfill its obligations related to ensuring the security of personal data, conducting DPIAs, and notifying parties about data breaches.
Indiana’s Law vs. Other State Data Privacy Laws: Similarities and Differences
Indiana’s data privacy law is one of several U.S. state laws recently passed to protect consumer privacy rights. Those include the:
- California Consumer Protection Act (CCPA), as amended by the California Privacy Rights Act (CPRA) — currently in force
- Colorado Privacy Act (CPA) — currently in force
- Connecticut Data Privacy Act (CTDPA) — currently in force
- Florida Digital Bill of Rights (FDBR) — effective July 1, 2024
- Iowa Consumer Data Protection Act (Iowa CDPA) — effective January 1, 2025
- Montana Consumer Data Privacy Act (MCDPA) — effective October 1, 2024
- Oregon Data Privacy Act (ODPA) — effective July 1, 2024
- Tennessee Information Protection Act (TIPA) — effective July 1, 2024
- Texas Data Privacy and Security Act (TDPSA) — effective July 1, 2024
- Utah Consumer Privacy Act (UCPA) — effective December 31, 2023
- Virginia Consumer Data Protection Act (VCDPA) — currently in force
While the laws share some similarities, they also present many significant differences for businesses to recognize and understand, especially when attaining legal compliance.
To make it easier on you, below is a table comparing the current U.S. state laws in force, or scheduled to enter into action over the next few years.
How Will Consumers Be Impacted by the Indiana CDPA?
The Indiana CDPA impacts Indiana consumers by granting them new rights over how entities collect, process, and use their personal information.
Specifically, Chapter 3 of the law explains that they have the right to:
- Confirm if a controller is processing their personal data
- Correct inaccuracies in their personal data
- Request to have their personal data deleted
- Obtain a copy of or a representative summary of their personal data
- Opt out of the processing of their data for targeted advertising, the sale of their data, or profiling
Consumers also have the right to appeal a controller’s decision based on their original requests.
Who Does the Indiana CDPA Protect?
The Indiana CDPA applies to the personal information of any resident of Indiana acting in a personal or household context.
However, the Indiana CDPA excludes certain categories of personal data from its scope.
These include, but are not limited to:
- Protected health information falling under the scope of HIPAA
- Personal data processed in accordance with the COPPA
How Will Businesses Be Impacted by the Indiana CDPA?
The Indiana CDPA impacts businesses in several ways. On top of the required DPIAs, contracts with third-party processors, and consent obligations previously covered, it also affects privacy and cookie policies.
The following sections cover exactly how this new law impacts these policies.
Under Section 3 of the Indiana CDPA, entities must present consumers with a “reasonably accessible, clear, and meaningful privacy notice.”
It must include all of the following details:
- The categories of personal data you collect
- Your purpose for processing personal data
- How consumers can exercise their rights, and how they can appeal the controller’s decision regarding their request
- The categories of data you share with third parties, if any
- The categories of third parties you share data with, if any
Your policy must also explain how a consumer can opt out of both types of data processing covered by the opt-out right, namely the sale of personal data and processing for targeted advertising.
You must also describe one or more secure and reliable ways for consumers to submit requests to act on their data privacy rights.
The law states that you must take all of the following into account:
- The ways your consumers normally interact with your company
- The need for secure and reliable communication
- The ability for the controller to authenticate the identity of the consumer submitting the request
Under this law, consumers have the right to opt out of having their personal information sold or used for targeted advertising. They also have the right to opt out of having their sensitive personal data processed.
Who Must Comply With Indiana’s New Data Privacy Law?
Your business must comply with the Indiana privacy law if you conduct business in Indiana or produce products or services targeted to Indiana residents and, during a calendar year, meet either of the following conditions:
- You control or process the personal data of at least 100,000 Indiana residents
- You control or process the personal data of at least 25,000 Indiana residents and derive more than 50% of your gross annual revenue from the sale of personal data.
The legal scope of Indiana’s Consumer Data Protection Act is explained in Section 1 of the law.
Who Is Exempt From the Indiana CDPA?
The following entities are exempt from the Indiana CDPA:
- The Indiana state government or any third parties under contract acting on behalf of the state government.
- Financial institutions and affiliates subject to the federal Gramm-Leach-Bliley Act (GLBA).
- Covered entities or businesses governed by the United States Department of Health and Human Services and the Health Insurance Portability and Accountability Act (HIPAA).
- Nonprofit organizations.
- Institutions of Higher Education.
- Public utility or service companies.
How Can Businesses Prepare for the Indiana CDPA?
To prepare for the Indiana Consumer Data Protection Act, businesses should generate — or update — their privacy policies to meet all new state law requirements.
You should also use a Consent Management Platform that provides consumers with a consent banner so they can act on their right to opt out of targeted advertising and the sale of their personal data.
Depending on what type of data you process and how you use it, you may also need to perform Data Protection Impact Assessments (DPIA).
If you work with any third-party processors, you must both sign adequate contracts, or Data Processing Agreements (DPAs), that meet all requirements expressed by the Indiana CDPA.
Finally, as another means for users to act on their consumer rights, you should provide users with a Data Subject Access Request or DSAR form on your website or mobile app.
How Will the Indiana CDPA Be Enforced?
The Indiana Attorney General has the exclusive right to enforce the Indiana CDPA, as explained in Chapter 10 of the law.
The attorney general will give controllers or processors a 30-day written notice identifying which portions of the Indiana CDPA the entity violated. They then have 30 days to cure the violation and provide the attorney general with a written notice stating that:
- The offense has been cured
- Actions have been taken to ensure no future violations occur
But if the controller or processor continues the alleged violation following the cure period or fails to provide an express written statement to the attorney general, they face financial penalties.
Fines and Penalties under the Indiana Consumer Data Protection Act
Controllers or processors who fail to resolve the alleged violation during the 30-day cure period are subject to financial penalties of up to $7,500 per violation.
Furthermore, the attorney general can seek an injunction to restrain violations of the law.
The attorney general can also recover reasonable expenses incurred through the investigation and preparation of the case, including attorney fees.
How Will Termly Help With Indiana CDPA Compliance?
As your business prepares for the Indiana CDPA, you can rely on Termly’s resources to help make the compliance process more manageable.
Our privacy policy generator is incredibly user-friendly and asks simple questions about your business and its data collection practices.
Below, you can see a screenshot of what it looks like:
Additionally, we have a Consent Management Platform (CMP) that provides you with a configurable consent banner.
You can set it up to meet the opt-out requirements for things like targeted advertisements as described by laws like the Indiana CDPA.
You can see a preview of what it looks like below:
Our legal team and data privacy experts vet our policy generators and tools. Plus, we make updates to our offerings to keep up-to-date with new, changing, and current data privacy laws.
When we say we take the hassles out of your legal compliance, it’s not just a marketing ploy — we really do mean it!
Are There Other Privacy Related Laws in Indiana?
The Indiana Consumer Data Protection Act, which started as Senate Bill 5, is the first data privacy law passed in the state.
However, the Indiana Code and the state’s constitution do include provisions regarding data breaches and other privacy-related rights.
For example, the Constitution of the State of Indiana includes language that guarantees the right for people to be “secure in their persons, houses, papers, and effects, against unreasonable search and seizure”.
The Indiana Code describes the legal requirements regarding data breaches in Article 4.9.
It requires any person or entity with a computerized data set that includes personal information to notify the affected Indiana residents about a breach or any other unauthorized acquisition.
You’ve reached the end of our run-down of the Indiana Consumer Data Protection Act. Indiana’s new data privacy law shares many similarities with other privacy laws in the U.S.
Complying with the law could be relatively seamless, especially if you already meet the standards required by laws like the VCDPA, the CCPA, and others.
Either way, businesses impacted by the Indiana CDPA should plan to:
- Add opt-out options to consent banners regarding the sale of personal data, targeted advertising, and/or the collection of sensitive data.
- Perform DPIAs for specific data processing activities.
- Use compliant contracts with any third-party data processors.
- Provide consumers with clear mechanisms for submitting requests to follow through on their new data privacy rights.
Remember, you don’t have to approach these data privacy laws alone.
With Termly in your toolbox, we can help make compliance with regulations like the upcoming Indiana CDPA a breeze.