Indiana Consumer Data Protection Act: What Hoosier Businesses Need to Know

A practical guide to Indiana's INCDPA for small businesses: thresholds, consumer rights, penalties, and compliance steps effective January 1, 2026.

Last updated: 2026-02-08

If your business collects personal data from Indiana residents, the Indiana Consumer Data Protection Act (INCDPA) introduces a new set of obligations you cannot afford to ignore. Signed into law as Senate Enrolled Act 5 in May 2023, the INCDPA takes effect on January 1, 2026. Indiana joins a growing wave of states -- including Virginia, Kentucky, and California -- that have passed comprehensive consumer privacy legislation.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on Indiana Senate Enrolled Act 5 (2023), codified at Ind. Code ch. 24-15, as of the date of publication.

For many small and mid-sized businesses, the challenge is not whether privacy laws exist -- it is figuring out which ones apply, what they require, and how to comply without drowning in legal complexity. This guide walks through the INCDPA in plain language: who it covers, what rights it gives consumers, what you need to do, and how enforcement works.

Does This Law Apply to Your Business?

The INCDPA applies to businesses that conduct business in Indiana or produce products or services targeted at Indiana residents and meet at least one of two thresholds:

  1. Control or process the personal data of 100,000 or more Indiana consumers during a calendar year.
  2. Control or process the personal data of at least 25,000 Indiana consumers and derive more than 50% of gross revenue from the sale of personal data.

A few important notes on these thresholds. First, "consumers" under the INCDPA means Indiana residents acting in an individual or household capacity. It does not include people acting in an employment or commercial (B2B) context. Second, the 100,000 threshold is about volume of data subjects, not transactions -- if 100,000 unique Indiana residents visit your website and you collect any personal data from them (including through cookies or analytics), you could meet this threshold.

Example: A mid-sized e-commerce company based in Ohio ships products to customers across the Midwest. It has 120,000 unique Indiana customers in its database. Even though the company is not based in Indiana, it meets the 100,000-consumer threshold and must comply with the INCDPA.

Example: A small data analytics firm processes the personal data of 30,000 Indiana consumers and earns 60% of its revenue from selling aggregated consumer profiles. It meets the second threshold (25,000+ consumers and 50%+ revenue from data sales) and is covered.

Who is exempt? The INCDPA exempts state and local government entities, nonprofits, higher education institutions, and entities or data governed by certain federal laws including HIPAA, the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), and the Family Educational Rights and Privacy Act (FERPA). Notably, employee data and B2B contact data are also excluded from the law's scope.

What Rights Do Consumers Have?

The INCDPA grants Indiana consumers a set of rights that closely mirrors the Virginia Consumer Data Protection Act (VCDPA). Here is what consumers can request from your business:

Right to Access. Consumers can ask whether your business is processing their personal data, and if so, request access to that data.

Right to Correction. Consumers can request that inaccurate personal data be corrected.

Right to Deletion. Consumers can request that their personal data be deleted.

Right to Data Portability. Consumers can request a copy of their personal data in a portable, readily usable format.

Right to Opt Out. Consumers can opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.

Right | Granted? | Notes
Access | | Confirm processing and provide access to personal data
Correction | | Correct inaccurate personal data
Deletion | | Delete personal data provided by or obtained about the consumer
Data Portability | | Provide data in a portable, readily usable format
Opt-Out of Targeted Ads | | Consumer can opt out of targeted advertising
Opt-Out of Data Sales | | Consumer can opt out of sale of personal data
Opt-Out of Profiling | | Limited to decisions with legal or similarly significant effects
Right to Non-Discrimination | | Cannot discriminate against consumers exercising rights

Businesses must respond to consumer requests within 45 days. This can be extended by an additional 45 days if reasonably necessary, provided the business notifies the consumer of the extension and the reason for it.

What Your Business Must Do

Compliance with the INCDPA requires several concrete steps, and the sooner you start, the better positioned you will be when enforcement begins.

Provide a clear privacy notice. Your privacy policy must disclose the categories of personal data you process, the purposes of processing, how consumers can exercise their rights, the categories of personal data shared with third parties, and the categories of those third parties. This is not just a generic privacy policy -- it must address the specific requirements of the INCDPA.

Implement data subject request processes. You need a reliable process for receiving, verifying, and responding to consumer rights requests. This includes access, correction, deletion, portability, and opt-out requests. The 45-day response window (with a potential 45-day extension) means you need systems that can locate, compile, and deliver personal data efficiently. For guidance on building this process, see our DSAR response guide.

Conduct data protection assessments. The INCDPA requires businesses to conduct and document data protection assessments for certain processing activities, including targeted advertising, the sale of personal data, processing of sensitive data, and profiling. These assessments must weigh the benefits of the processing against the potential risks to consumers.

Obtain consent for sensitive data. Sensitive data under the INCDPA includes racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, citizenship or immigration status, genetic or biometric data, personal data from known children, and precise geolocation data. You must obtain opt-in consent before processing sensitive data.

Establish data processing agreements. If you use third-party processors (vendors, cloud services, analytics platforms), you must have contracts in place that govern how those processors handle personal data on your behalf. These agreements must include instructions for processing, confidentiality obligations, and data security requirements.

Limit data collection. The INCDPA includes data minimization requirements. You should collect only the personal data that is adequate, relevant, and reasonably necessary for the purposes you have disclosed to consumers.

How Is It Enforced?

The INCDPA is enforced exclusively by the Indiana Attorney General. There is no private right of action, meaning individual consumers cannot sue businesses directly for violations.

Before taking enforcement action, the Attorney General must provide written notice identifying the specific provisions alleged to have been violated. The business then has 30 days to cure the alleged violation. If the business cures the violation and provides a written statement that the violation has been cured and that no further violations will occur, the Attorney General may not pursue action on that specific issue.

However, this 30-day cure period has a sunset date: it expires on January 1, 2028. After that date, the Attorney General has discretion on whether to provide an opportunity to cure.

Penalties for violations can reach up to $7,500 per violation under Indiana's general consumer protection enforcement authority. The Attorney General can also seek injunctive relief and recover reasonable investigation and litigation costs.

While no enforcement actions have been taken yet (the law has not taken effect as of this writing), businesses should expect the Attorney General's office to follow the pattern established by other states: early enforcement will likely focus on businesses that fail to respond to consumer requests or lack a compliant privacy notice.

How This Compares to Other State Laws

The INCDPA is closely modeled on the Virginia Consumer Data Protection Act (VCDPA), which itself became a template for several other state privacy laws. Here is how Indiana stacks up against neighboring states and key benchmarks:

Feature | Indiana (INCDPA) | Virginia (VCDPA) | Kentucky (KCDPA)
Effective Date | Jan 1, 2026 | Jan 1, 2023 | Jan 1, 2026
Consumer Threshold | 100K consumers | 100K consumers | 100K consumers
Alt. Threshold | 25K + 50% revenue from data sales | 25K + 50% revenue from data sales | 25K + 50% revenue from data sales
Cure Period | 30 days (sunsets 2028) | 30 days (sunset 2025) | 30 days (sunsets 2026)
Private Right of Action | No | No | No
Opt-Out of Targeted Ads | Yes | Yes | Yes
Sensitive Data Consent | Opt-in required | Opt-in required | Opt-in required
Max Penalty | $7,500/violation | $7,500/violation | $7,500/violation

If your business already complies with the VCDPA, you are well positioned for INCDPA compliance. The differences are minor -- primarily around the cure period sunset date and some small definitional variations. Kentucky's KCDPA, which also takes effect January 1, 2026, is similarly aligned. Businesses operating across Indiana, Kentucky, and Virginia can largely use a unified compliance program. For a broader view of how California's law compares, see our CCPA compliance guide.

Action Checklist for Small Businesses

Getting compliant does not require a legal team. It requires a systematic approach. Here is what to do:

  1. Determine if the INCDPA applies to you. Count the number of Indiana consumers whose personal data you process annually. If it exceeds 100,000 (or 25,000 with 50%+ data sale revenue), you are covered.

  2. Audit your data practices. Map what personal data you collect, where it comes from, where it goes, and why you collect it. You cannot comply with consumer requests if you do not know what data you hold.

  3. Update your privacy notice. Ensure it includes all INCDPA-required disclosures: categories of data, purposes, third-party sharing, and instructions for exercising consumer rights.

  4. Build a DSAR response process. Set up intake, verification, and fulfillment workflows that can meet the 45-day response deadline. See our DSAR workflow guide for a step-by-step framework.

  5. Set up opt-out mechanisms. Provide clear, accessible methods for consumers to opt out of targeted advertising, data sales, and profiling.

  6. Conduct data protection assessments. Document your assessments for targeted advertising, data sales, and sensitive data processing activities.

  7. Review vendor contracts. Ensure all data processing agreements meet INCDPA requirements.

  8. Train your team. Make sure employees who handle customer data or consumer inquiries know how to recognize and route privacy requests.

Key Dates

  • May 1, 2023: INCDPA signed into law (Senate Enrolled Act 5).
  • January 1, 2026: INCDPA takes effect. Full compliance required.
  • January 1, 2028: 30-day cure period sunsets. Attorney General gains discretion on cure opportunities.

References

  • Indiana Consumer Data Protection Act: Ind. Code ch. 24-15 (Senate Enrolled Act 5, 2023). Full text available on the Indiana General Assembly website.
  • Virginia Consumer Data Protection Act (VCDPA): Va. Code §§ 59.1-575 through 59.1-585.
  • Kentucky Consumer Data Protection Act (KCDPA): KRS ch. 367.

Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.

