The Indiana Consumer Data Protection Act (INCDPA) will take effect in 2026
by Liza Kruse on 8/26/25 12:15 PM
The Indiana Consumer Data Protection Act (INCDPA): What businesses need to know now
The data privacy landscape in the USA continues to be a challenge for many companies. Unlike in the EU, there is no single federal law that comprehensively regulates consumer rights. Instead, a patchwork of state-level regulations is emerging that businesses must navigate. The Indiana Consumer Data Protection Act (INCDPA) is another important piece of this mosaic.
The INCDPA was signed into law on May 1, 2023, and will come into effect on January 1, 2026, following a generous two-and-a-half-year preparation period. This makes Indiana the seventh US state to enact a comprehensive data privacy law without overarching federal guidelines.
For businesses already familiar with other US data privacy laws, the INCDPA offers a familiar framework. It bears strong resemblances to the Virginia Consumer Data Privacy Act (VCDPA) and is also comparable to the Connecticut Data Privacy Act (CTDPA) and the Colorado Privacy Act (CPA) in terms of consumer rights and business obligations.
Nevertheless, the specific requirements of the INCDPA should not be underestimated. The law introduces important new obligations for organizations that process the personal data of Indiana residents. In this article, you will learn everything you need to know to prepare in a timely manner. You can view the official text of the law here.
What is the Indiana Consumer Data Protection Act (INCDPA)?
At its core, the Indiana Consumer Data Protection Act (INCDPA), often referred to as the Indiana CDPA, is a comprehensive data privacy law aimed at protecting the personal data of Indiana residents and consumers.
The law defines clear data protection responsibilities for all companies that conduct business in Indiana or specifically offer their products and services to the state's residents. Therefore, if your company targets the Indiana market, this law directly affects you.
Similar to most state-level US data privacy laws, the INCDPA establishes fundamental duties for so-called "data controllers." The most important obligations for companies include:
- Providing clear privacy notices: You must be transparent about what data you collect and how you use it.
- Responding to consumer requests in a timely manner: The law grants consumers specific rights, and you must respond to their requests within the specified deadlines.
- Principle of data minimization: The collection and use of personal data must be limited to what is strictly necessary.
Furthermore, the law explicitly establishes consumer rights regarding their data and provides for significant fines for violations to ensure compliance.
Who does the Indiana Consumer Data Privacy Act (INCDPA) apply to?
Who is affected by the INCDPA?
One of the most pressing questions for businesses is: Are we affected by the INCDPA? The applicability of the law depends on specific thresholds.
As a rule, the Indiana Consumer Data Privacy Act applies to data controllers (companies) that conduct business in Indiana or specifically offer their products and services to Indiana residents and, within a calendar year, meet one of the following conditions:
- They control or process the personal data of at least 100,000 Indiana residents. This is the primary threshold, which mainly affects companies with a larger reach in the state.

OR

- They control or process the personal data of at least 25,000 Indiana residents AND derive more than 50% of their gross revenue from the sale of personal data. This second threshold specifically targets companies whose business model is heavily based on the trade of data, so-called data brokers.
It is crucial to understand that these figures refer exclusively to residents of Indiana. Therefore, if your company has many customers nationwide but only a small number of them reside in Indiana, you might not fall under the act – unless your business model meets the second condition through the sale of personal data. A thorough examination of your customer data is therefore essential.
Consumer Rights under the Indiana Consumer Data Protection Act
Consent and Opt-Out: The Dual System of the INCDPA
Indiana's data privacy law (INCDPA), similar to the laws in Virginia or Colorado, primarily follows an "opt-out" approach. This means that for the general collection and processing of personal data, explicit consumer consent is not initially required.
However, the crucial exception to this rule involves sensitive personal data. Here, the law reverses the principle and requires prior, explicit consent (opt-in) before such data can be processed.
For businesses, this means that while you can process general data on an opt-out basis, you must ensure you have established a clear process for obtaining consent for sensitive information. Consumers must also be clearly informed of their right to object (opt-out). A unique feature of the INCDPA is that it does not explicitly require companies to recognize universal opt-out mechanisms (such as Global Privacy Control, GPC). The law also contains very specific exceptions, for instance, for the use of facial recognition technology in riverboat casinos, which is regulated separately.
What rights do consumers have under the INCDPA?
A central pillar of the INCDPA is the granting of specific consumer rights. These data subject rights are now standard in most modern data privacy laws and form the basis for handling requests (known as DSARs). The law enables Indiana residents to assert the following rights with data controllers:
- Right of access: Consumers can request confirmation as to whether a company is processing their personal data and can access that data.
- Right to correct: They can request the correction of inaccurate data they have previously provided to the company.
- Right to delete: Consumers have the right to request the deletion of their personal data that a company has collected about them.
- Right to opt-out: They can object to the use of their data for targeted advertising, the sale of personal data, or its use for certain types of profiling.
Who is exempt from the INCDPA? An overview of important exemptions
Not every organization operating in Indiana automatically falls under the scope of the INCDPA. The law defines a series of entity-level exemptions that release certain types of organizations from its obligations. This is often the case when these are already regulated by other industry-specific federal laws.
Therefore, before you begin implementing compliance measures, it is crucial to determine if your company might be exempt. The most important exemptions from Indiana's data privacy law include:
- State and government: State agencies, authorities, and all municipal organizations, as well as third parties acting on their behalf.
- Financial institutions: Banks and other financial service providers that are already subject to the strict requirements of the federal Gramm-Leach-Bliley Act (GLBA).
- Healthcare: Organizations and entities subject to the U.S. federal law protecting health data, the Health Insurance Portability and Accountability Act (HIPAA).
- Non-profit organizations: Non-profits are explicitly exempt from the scope of the INCDPA.
- Higher education: Institutions of higher education.
- Public utility companies: Certain public utilities are also not covered by the law.
For all other companies, it is essential to carefully analyze whether they are affected. If none of these exemptions apply, you should use the remaining time until the deadline on January 1, 2026, to adapt your data privacy processes to the requirements of the INCDPA.
The Core Obligations for Businesses: These Are the INCDPA's Requirements
The Indiana data privacy law establishes a series of clearly defined obligations for data controllers. These requirements form the heart of INCDPA compliance. Many of these principles will be familiar to companies that already work with other data privacy laws like the GDPR or the laws of other US states. Nevertheless, a detailed review of the specifics is essential.
Here is an overview of the central requirements of the INCDPA:
- Principle of Data Minimization: Only collect personal data that is "adequate, relevant, and reasonably necessary" for the purpose you have specified.
- Robust Data Security: Implement administrative, technical, and physical security measures that correspond to the volume and nature of the data being processed to protect it from unauthorized access.
- Prohibition of Discrimination: The processing of personal data must not violate existing anti-discrimination laws.
- Clear Privacy Notice: Provide a transparent, understandable, and easily accessible privacy notice. This must provide detailed information about the categories of data processed, the purposes, consumer rights, and the sharing of data with third parties. A notice of the right to opt-out is mandatory if data is sold or used for targeted advertising.
- Consent for Sensitive Data: Obtain explicit opt-in consent before processing sensitive data. The protection of children's data must be in accordance with the federal Children's Online Privacy Protection Act (COPPA).
- Data Protection Impact Assessment (DPIA): Conduct a DPIA for processing activities that pose an increased risk to consumers. This includes, for example, the sale of data, the processing of sensitive data, or targeted advertising.
- Data Processing Agreements (DPAs): Enter into legally binding contracts with all data processors (service providers) that process data on your behalf. These must contain clear instructions and the rights and obligations of both parties.
The proactive implementation of these duties is the key to being compliant by the January 1, 2026, deadline and to earning the trust of consumers in Indiana.
How does the INCDPA differ from the GDPR?
For companies that are already GDPR-compliant, preparing for the INCDPA is simpler, but there are crucial differences:
INCDPA Compliance: How Companies Can Best Prepare
The Indiana Consumer Data Protection Act (INCDPA), much like its Virginia counterpart (VCDPA), is often described as "business-friendly." A key reason for this is the long preparation period: with an effective date of January 1, 2026, the legislature has given companies a generous timeframe to ensure the necessary INCDPA compliance.
This extended deadline presents a strategic opportunity for data controllers. It provides ample time to establish formal policies and robust procedures for data collection and processing. Companies should use this phase now to:
- Familiarize themselves with the regulations: Understand the specific requirements of the INCDPA and how they impact your business model.
- Conduct risk assessments: Carry out a Data Protection Impact Assessment (DPIA) for all high-risk processing activities.
- Implement processes for data subject requests (DSARs): Create a clear and efficient framework to respond promptly to consumer inquiries, such as requests for access or deletion.
Frequently Asked Questions (FAQs) about the Indiana Consumer Data Protection Act (INCDPA)
The law takes effect on January 1, 2026. Given the current date (July 2025), companies now have a good but limited amount of time to adapt their processes and ensure compliance. The long preparation period since its passage in 2023 should be used as a strategic advantage.
The applicability of the INCDPA is tied to specific thresholds. Your company is affected if it operates in Indiana or targets Indiana residents AND meets one of the following conditions:
- You control or process the personal data of at least 100,000 Indiana residents.

OR

- You control or process the data of at least 25,000 Indiana residents AND derive more than 50% of your gross revenue from the sale of personal data.
The definition of a data sale under the INCDPA is narrow. It is limited to the exchange of personal data for monetary consideration. This distinguishes the law from regulations in California or Colorado, where other "valuable considerations" can also be considered a sale.
The law provides consumers in Indiana with key data subject rights. These include:
- Right to access: To know if their data is being processed and to access it.
- Right to correct: To have inaccurate personal data corrected.
- Right to delete: To request the deletion of their personal data.
- Right to opt-out: To object to the use of their data for targeted advertising, its sale, or certain types of profiling.
Certain organizations do not fall under the law. The most important exemptions from the INCDPA include:
- Governmental agencies and bodies
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Healthcare entities covered by HIPAA
- Non-profit organizations
- Higher education institutions and public utility services
A Data Protection Impact Assessment (DPIA) is mandatory for high-risk data processing activities. These specifically include:
- The sale of personal data
- Processing for targeted advertising
- Processing of sensitive data
- Profiling, when it presents foreseeable risks
- Any other activity that poses a heightened risk of harm to consumers
No. At this time, the INCDPA does not require the recognition of universal opt-out mechanisms like the Global Privacy Control (GPC) signal. This is a key difference from laws in other states like California or Colorado, where recognizing GPC is mandatory.
While companies must provide consumers with a clear and accessible way to opt-out (e.g., via a link in the privacy policy), they are not required to process automated browser signals.