Indiana Consumer Data Protection Act (ICDPA): What you need to know
The Indiana Consumer Data Protection Act (ICDPA) (IC 24-15) has been signed by the State Governor and will take effect on Jan 1, 2026.
The US has five new state privacy laws this year. In the next few years, new laws will take effect in Iowa, Tennessee, and Indiana. Understanding how these laws work is essential for practically any business operating in the US.
This blog will break down the ICDPA’s main requirements.
Application
The ICDPA applies to any company targeting Indiana consumers that either:
- Annually controls or processes personal data about at least 100,000 Indiana residents, or
- Annually controls or processes personal data about at least 25,000 Indiana residents and derives over 50% of gross revenue from the sale of personal data.
Many exemptions apply, including (but not limited to):
- Public bodies.
- Financial institutions under the Gramm-Leach-Bliley Act.
The ICDPA also exempts the processing of certain types of personal data, including health information covered by the Health Insurance Portability and Accountability Act (HIPAA).
Definitions
Some key definitions in the ICDPA include:
- Personal data: Information that is “linked or reasonably linkable to an identified or identifiable individual”, excluding publicly available and “de-identified or aggregate” information.
- Processing: Any operation performed on personal data, including its “collection, use, storage, disclosure, analysis, deletion, or modification”.
- Controller: A person or organization that “determines the purpose and means of processing personal data”.
- Processor: A person or organization that processes personal data on behalf of a controller.
The ICDPA also defines “sensitive data”, which includes:
- Personal data revealing:
- Racial or ethnic origin.
- Religious beliefs.
- Mental or physical health diagnosis.
- Sexual orientation.
- Citizenship or immigration status.
- Biometric or genetic data processed for the purpose of identifying a natural person.
- Personal data collected from a known child.
- Precise geolocation data.
Selling personal data, targeted advertising
Like several US state laws, the ICDPA regulates the “sale” of personal data, which means “the exchange of personal data for valuable monetary consideration by the controller to a third party”.
Some activities are explicitly not a “sale”, including the disclosure of personal data:
- To a processor.
- To a third party to provide a product or service requested by the consumer.
- To an affiliate of the controller.
- Where the consumer:
- Intentionally made the personal data public via mass media, and
- Did not restrict the disclosure to a specific audience.
- As part of an acquisition, merger, or bankruptcy.
The ICDPA also regulates “targeted advertising”, defined as displaying an advertisement to a consumer when the following conditions are met:
- The advertisement is selected based on personal data.
- The personal data is obtained from the consumer’s activities over time and across nonaffiliated websites or online applications.
- The personal data is obtained to predict the consumer’s preferences or interests.
The definition excludes “first-party” ads based on personal data collected via the controller’s own properties, and contextual ads.
Consumer rights
The ICDPA provides consumers with several rights over their personal data, including the right to:
- Confirm whether a controller is processing the consumer’s personal data.
- Access a copy of their personal data.
- Correct any inaccuracies in their personal data.
- Delete their personal data.
- Obtain a copy of their personal data in a portable, machine-readable format.
- Opt out of:
- The sale of their personal data.
- Targeted advertising.
- Profiling “in furtherance of decisions that produce legal or similarly significant effects”.
Controllers must respond to a consumer rights request within 45 days and may extend this period by a further 45 days when reasonably necessary.
Consumers can make a request once per year, and controllers must not charge a fee unless the request is manifestly unfounded, technically infeasible, excessive, or repetitive.
Controllers must make “commercially reasonable efforts” to verify a consumer’s identity.
Consumers can appeal a controller’s response. The controller must respond to the appeal within 60 days, giving the reasons for its decision and informing the consumer that they can complain to the Attorney General if they remain unsatisfied.
Obligations on controllers
The ICDPA sets out numerous obligations on controllers, including:
- Limiting the collection of personal data to what is “adequate, relevant and reasonably necessary in relation to a specified purpose”.
- Not processing personal data for unnecessary or incompatible further purposes without consent.
- Establishing reasonable data security practices.
- Not discriminating against consumers that have exercised their rights.
- Only processing sensitive data with consent, and only processing children’s personal data in compliance with the Children’s Online Privacy Protection Act (COPPA).
Privacy notice
Controllers must maintain a “reasonably accessible, clear, and meaningful privacy notice” that explains:
- The categories of personal data processed.
- The purpose for processing personal data.
- How consumers may exercise their consumer rights and appeal.
- The categories of personal data the controller shares with third parties, if any.
- The categories of third parties with whom the controller shares personal data, if any.
- Whether the controller sells personal data or engages in targeted advertising, and if so, an explanation of the right to opt out.
Obligations on processors
A controller may only engage a processor subject to a written agreement that contains:
- Instructions for the processing of personal data.
- The nature and purpose of the processing.
- The types of data.
- The duration of the processing.
- The rights and obligations of the controller and processor.
- A section that requires the processor to:
- Bind anyone processing personal data to a duty of confidentiality.
- Delete or return all personal data to the controller as requested at the end of the contract, if allowed by law.
- Provide the controller with any necessary information to demonstrate the processor’s ICDPA compliance.
- Allow reasonable assessments (audits) by the controller, or arrange an independent audit and provide a report on request.
- Only engage subcontractors under a written contract with the same terms as above.
Processors must also help controllers facilitate consumer rights requests.
Data Protection Impact Assessments
Controllers must conduct a Data Protection Impact Assessment before engaging in certain activities, including:
- Targeted advertising.
- Selling personal data.
- Certain profiling activities that could result in risk or harm.
- Processing sensitive data.
- Any other processing that presents “a heightened risk of harm to consumers”.
A Data Protection Impact Assessment must identify and weigh:
- The benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public, against
- The potential risks to the rights of the consumer, taking safeguards into account.
The Attorney General can demand access to a copy of a Data Protection Impact Assessment.