State Law Practice Note

Indiana Consumer Privacy Law (INCDPA)

The Indiana Consumer Data Protection Act, effective January 1, 2026, gives Indiana consumers rights over their personal data and imposes notice, contracting, and consent duties on controllers above defined thresholds — it is enforced exclusively by the Attorney General with a permanent 30-day cure period and provides no private right of action, and its entity-level exemptions are unusually broad.

Editor: OpenAgreements editor
License: CC BY 4.0

Does the Indiana Consumer Data Protection Act apply to your business?

It turns on Indiana consumer volume, not total revenue. The INCDPA applies to persons that do business in Indiana or target its residents and that, in a calendar year, control or process the personal data of at least 100,000 Indiana consumers, or at least 25,000 Indiana consumers while deriving over 50% of gross revenue from selling personal data. On top of the thresholds, whole categories of organizations are carved out at the entity level.

Indiana's law took effect on January 1, 2026, and closely follows the structure many other states adopted, so this note reads much like Virginia, Colorado, Connecticut, and Texas. Like those, it sets no dollar revenue floor. What sets Indiana apart is the breadth of its entity-level exemptions: the statute exempts not only state agencies and GLBA-regulated financial institutions, but also any nonprofit organization, any institution of higher education, any HIPAA covered entity or business associate, and public utilities and their affiliated service companies. A consumer is an Indiana resident acting only for a personal, family, or household purpose, not an employee or business contact — so most employee and B2B-contact data falls outside the law as well.

Sources for this answer

Primary law

A.1 Ind. Code § 24-15-1-1

The INCDPA applies to persons doing business in Indiana or targeting its residents that control or process the data of at least 100,000 Indiana consumers, or 25,000+ while deriving over 50% of gross revenue from selling personal data.

This article applies to a person that conducts business in Indiana or produces products or services that are targeted to residents of Indiana and that during a calendar year: (1) controls or processes personal data of at least one hundred thousand (100,000) consumers who are Indiana residents; or (2) controls or processes personal data of at least twenty-five thousand (25,000) consumers who are Indiana residents and derives more than fifty percent (50%) of gross revenue from the sale of personal data.

See Ind. Code § 24-15-1-1(a).

Primary law

A.2 Ind. Code § 24-15-1-1

The INCDPA exempts whole categories of organizations at the entity level, including nonprofit organizations and institutions of higher education.

(4) Any nonprofit organization. (5) Any institution of higher education.

See Ind. Code § 24-15-1-1(b).

What must your Indiana privacy policy contain?

A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed and the purpose for processing, among the statute's required disclosures.

Section 24-15-4-3 is the content checklist for an Indiana privacy policy. In full it requires five elements: the categories of personal data processed, the purpose for processing, how consumers exercise their rights (including how to appeal a controller's decision), the categories of personal data shared with third parties, and the categories of those third parties. Indiana also requires data minimization (collection limited to what is adequate, relevant, and reasonably necessary) and, where a controller sells personal data or processes it for targeted advertising, a clear and conspicuous disclosure of that activity and how to opt out. The notice the policy presents should match the data practices the controller actually carries out.

Sources for this answer

Primary law

B.1 Ind. Code § 24-15-4-3

A controller must provide a reasonably accessible, clear, and meaningful privacy notice listing the categories of personal data processed and the purpose for processing, among other required disclosures.

A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: (1) the categories of personal data processed by the controller; (2) the purpose for processing personal data;

See Ind. Code § 24-15-4-3.

What must your contracts with processors say?

A contract between a controller and a processor must govern the processor's data processing on the controller's behalf — so a data processing agreement is a statutory requirement, not a best practice.

Section 24-15-5-2 then specifies the required terms: processing instructions, the nature and purpose of processing, the type of data and duration, a duty of confidentiality, deletion or return of data at the controller's direction, the information needed to demonstrate compliance, cooperation with reasonable assessments, and a requirement to bind subcontractors by written contract to the same obligations. A compliant template data processing agreement tracks each of these.

Sources for this answer

Primary law

C.1 Ind. Code § 24-15-5-2

A contract between a controller and a processor must govern the processor's data processing procedures performed on behalf of the controller.

A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller.

See Ind. Code § 24-15-5-2(a).

Do you need consent to process sensitive data?

Yes. A controller may not process a consumer's sensitive data without first obtaining consent, and for a known child it must instead follow the federal Children's Online Privacy Protection Act. Sensitive data includes data revealing race or ethnicity, religious beliefs, a health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data used to identify a person; data from a known child; and precise geolocation.

This is the opt-in model shared by Virginia, Colorado, and Texas — the opposite of a notice-and-opt-out approach. Indiana does not, however, require honoring a universal opt-out preference signal, so an Indiana-only program can rely on its own opt-out mechanisms — though a multi-state template generally has to support universal signals to stay compliant elsewhere. A known child is an individual under 13, tracking the COPPA standard the statute incorporates.

Sources for this answer

Primary law

D.2 Ind. Code § 24-15-2-28

Sensitive data includes data revealing racial or ethnic origin, religious beliefs, a health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data used to identify a person; data from a known child; and precise geolocation.

means a category of personal data that includes any of the following: (1) Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis made by a health care provider, sexual orientation, or citizenship or immigration status. (2) Genetic or biometric data that is processed for the purpose of uniquely identifying a specific individual. (3) Personal data collected from a known child. (4) Precise geolocation data.

See Ind. Code § 24-15-2-28.

Can a consumer sue your business under the INCDPA?

No. The Attorney General has exclusive authority to enforce the INCDPA, and the statute expressly provides no private right of action for consumers. Before suing, the Attorney General must give 30 days' written notice of the specific alleged violations and a chance to cure.

Indiana's 30-day cure period has no sunset date — it remains a permanent, built-in off-ramp, unlike states that let an early cure window expire. A controller that cures within the window and certifies in writing that the violation is fixed and will not recur avoids the action; an uncured violation exposes it to civil penalties of up to $7,500 per violation. The practical posture is still to build the notice, consent, and contracting controls up front, but a covered business that receives a notice has a genuine window to fix the issue.

Sources for this answer

Primary law

E.1 Ind. Code § 24-15-10-1

The Attorney General has exclusive authority to enforce the INCDPA.

The attorney general has exclusive authority to enforce the provisions of this article.

See Ind. Code § 24-15-10-1.

Primary law

E.2 Ind. Code § 24-15-10-4

The INCDPA provides no private right of action for consumers.

Nothing in this article shall be construed as providing the basis for a private right of action for violations of this article or any other law.

See Ind. Code § 24-15-10-4.

Primary law

E.3 Ind. Code § 24-15-10-3

Before bringing an action, the Attorney General must give the controller or processor 30 days' written notice identifying the specific provisions allegedly violated.

Before initiating an action under section 2 of this chapter, the attorney general shall provide a controller or processor thirty (30) days written notice identifying the specific provisions of this article that the attorney general alleges have been or are being violated.

See Ind. Code § 24-15-10-3(a).