# Indiana Consumer Privacy Law (INCDPA)[^about]

The Indiana Consumer Data Protection Act, effective January 1, 2026, gives Indiana consumers rights over their personal data and imposes notice, contracting, and consent duties on controllers above defined thresholds. It is enforced exclusively by the Attorney General with a permanent 30-day cure period, provides no private right of action, and has unusually broad entity-level exemptions.

## Does the Indiana Consumer Data Protection Act apply to your business? {#does-incdpa-apply}

**Short answer.** It turns on Indiana consumer volume, not total revenue. The INCDPA applies to persons that do business in Indiana or target its residents and that, in a calendar year, control or process the personal data of at least 100,000 Indiana consumers, or at least 25,000 Indiana consumers while deriving over 50% of gross revenue from selling personal data [^stat-1-1-apply]. On top of the thresholds, whole categories of organizations are carved out at the entity level [^stat-1-1-exempt].

Indiana's law took effect on January 1, 2026, and closely follows the structure many other states adopted, so this note reads much like Virginia, Colorado, Connecticut, and Texas. Like those, it sets no dollar revenue floor. What sets Indiana apart is the breadth of its entity-level exemptions: the statute exempts not only state agencies and GLBA-regulated financial institutions, but also any nonprofit organization, any institution of higher education, any HIPAA covered entity or business associate, and public utilities and their affiliated service companies. A consumer is an Indiana resident acting only for a personal, family, or household purpose, not an employee or business contact — so most employee and B2B-contact data falls outside the law as well.

## What must your Indiana privacy policy contain? {#privacy-policy-contents}

**Short answer.** A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed and the purpose for processing, among the statute's required disclosures [^stat-4-3-notice].

Section 24-15-4-3 is the content checklist for an Indiana privacy policy. In full it requires five elements: the categories of personal data processed, the purpose for processing, how consumers exercise their rights (including how to appeal a controller's decision), the categories of personal data shared with third parties, and the categories of those third parties. Indiana also requires data minimization (collection limited to what is adequate, relevant, and reasonably necessary) and, where a controller sells personal data or processes it for targeted advertising, a clear and conspicuous disclosure of that activity and how to opt out. The notice the policy presents should match the data practices the controller actually carries out.

## What must your contracts with processors say? {#vendor-contracts}

**Short answer.** A contract between a controller and a processor must govern the processor's data processing on the controller's behalf — so a data processing agreement is a statutory requirement, not a best practice [^stat-5-2-contract].

Section 24-15-5-2 then specifies the required terms: processing instructions, the nature and purpose of processing, the type of data and duration, a duty of confidentiality, deletion or return of data at the controller's direction, the information needed to demonstrate compliance, cooperation with reasonable assessments, and a requirement to bind subcontractors by written contract to the same obligations. A compliant template data processing agreement tracks each of these.

## Do you need consent to process sensitive data? {#sensitive-data}

**Short answer.** Yes. A controller may not process a consumer's sensitive data without first obtaining consent, and for a known child it must instead follow the federal Children's Online Privacy Protection Act [^stat-4-1-consent]. Sensitive data includes data revealing race or ethnicity, religious beliefs, a health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data used to identify a person; data from a known child; and precise geolocation [^stat-2-28-sensitive].

This is the opt-in model shared by Virginia, Colorado, and Texas — the opposite of a notice-and-opt-out approach. Indiana does not, however, require honoring a universal opt-out preference signal, so an Indiana-only program can rely on its own opt-out mechanisms — though a multi-state template generally has to support universal signals to stay compliant elsewhere. A known child is an individual under 13, tracking the COPPA standard the statute incorporates.

## Can a consumer sue your business under the INCDPA? {#consumer-lawsuit}

**Short answer.** No. The Attorney General has exclusive authority to enforce the INCDPA, and the statute expressly provides no private right of action for consumers [^stat-10-1-enforce] [^stat-10-4-no-pra]. Before suing, the Attorney General must give 30 days' written notice of the specific alleged violations and a chance to cure [^stat-10-3-cure].

Indiana's 30-day cure period has no sunset date — it remains a permanent, built-in off-ramp, unlike states that let an early cure window expire. A controller that cures within the window and certifies in writing that the violation is fixed and will not recur avoids the action; an uncured violation exposes it to civil penalties of up to $7,500 per violation. The practical posture is still to build the notice, consent, and contracting controls up front, but a covered business that receives a notice has a genuine window to fix the issue.



[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-06. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Indiana. This article synthesizes Indiana primary law and is not legal advice from an Indiana-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.

[^stat-1-1-apply]: **Ind. Code § 24-15-1-1** — "This article applies to a person that conducts business in Indiana or produces products or services that are targeted to residents of Indiana and that during a calendar year: (1) controls or processes personal data of at least one hundred thousand (100,000) consumers who are Indiana residents; or (2) controls or processes personal data of at least twenty-five thousand (25,000) consumers who are Indiana residents and derives more than fifty percent (50%) of gross revenue from the sale of personal data." *Ind. Code § 24-15-1-1(a).* <https://iga.in.gov/ic/2024/Title_24/Article_15.pdf>

[^stat-1-1-exempt]: **Ind. Code § 24-15-1-1** — "(4) Any nonprofit organization. (5) Any institution of higher education." *Ind. Code § 24-15-1-1(b).* <https://iga.in.gov/ic/2024/Title_24/Article_15.pdf>

[^stat-4-3-notice]: **Ind. Code § 24-15-4-3** — "A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: (1) the categories of personal data processed by the controller; (2) the purpose for processing personal data;" *Ind. Code § 24-15-4-3.* <https://iga.in.gov/ic/2024/Title_24/Article_15.pdf>

[^stat-5-2-contract]: **Ind. Code § 24-15-5-2** — "A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller." *Ind. Code § 24-15-5-2(a).* <https://iga.in.gov/ic/2024/Title_24/Article_15.pdf>

[^stat-4-1-consent]: **Ind. Code § 24-15-4-1** — "A controller shall not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children's Online Privacy Protection Act (15 U.S.C. 6501 et seq.)." *Ind. Code § 24-15-4-1(5).* <https://iga.in.gov/ic/2024/Title_24/Article_15.pdf>

[^stat-2-28-sensitive]: **Ind. Code § 24-15-2-28** — "means a category of personal data that includes any of the following: (1) Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis made by a health care provider, sexual orientation, or citizenship or immigration status. (2) Genetic or biometric data that is processed for the purpose of uniquely identifying a specific individual. (3) Personal data collected from a known child. (4) Precise geolocation data." *Ind. Code § 24-15-2-28.* <https://iga.in.gov/ic/2024/Title_24/Article_15.pdf>

[^stat-10-1-enforce]: **Ind. Code § 24-15-10-1** — "The attorney general has exclusive authority to enforce the provisions of this article." *Ind. Code § 24-15-10-1.* <https://iga.in.gov/ic/2024/Title_24/Article_15.pdf>

[^stat-10-4-no-pra]: **Ind. Code § 24-15-10-4** — "Nothing in this article shall be construed as providing the basis for a private right of action for violations of this article or any other law." *Ind. Code § 24-15-10-4.* <https://iga.in.gov/ic/2024/Title_24/Article_15.pdf>

[^stat-10-3-cure]: **Ind. Code § 24-15-10-3** — "Before initiating an action under section 2 of this chapter, the attorney general shall provide a controller or processor thirty (30) days written notice identifying the specific provisions of this article that the attorney general alleges have been or are being violated." *Ind. Code § 24-15-10-3(a).* <https://iga.in.gov/ic/2024/Title_24/Article_15.pdf>
