The Indiana Consumer Data Protection Act (INCDPA), signed into law on May 1, 2023, makes Indiana the 7th U.S. state to pass a comprehensive privacy law. Taking effect January 1, 2026, the INCDPA gives consumers rights over their personal data and imposes obligations on businesses handling it. Modeled after Virginia’s law, it emphasizes transparency, data minimization, and consumer opt-out rights, and is enforced by the Indiana Attorney General.
What is the Indiana Consumer Data Protection Act (INCDPA)?
The Indiana Consumer Data Protection Act (INCDPA) is a privacy law that gives Indiana residents rights over their personal data and sets rules for how businesses collect, use, and protect that data.
The INCDPA takes effect on January 1, 2026, and it is enforced by the Indiana Attorney General.
What makes INCDPA unique?
The INCDPA is unique for its close alignment with Virginia’s privacy law, offering clear, business-friendly guidelines. It includes a right to opt out of targeted ads, data sales, and profiling, and is enforced solely by the Attorney General. It also features high applicability thresholds and strong data security mandates.
Consumer: A resident of Indiana acting in a personal context (not employment or commercial).
Personal data: Any information linked or reasonably linkable to an identified or identifiable individual, excluding de-identified or publicly available data.
Sensitive data: Includes data like racial/ethnic origin, religious beliefs, health conditions, sexual orientation, biometric/genetic data, and precise geolocation.
Controller: The person or entity that determines the purpose and means of processing personal data.
Processor: A person or entity that processes personal data on behalf of a controller.
Processing: Any operation performed on personal data (collection, use, storage, disclosure, etc.).
Sale of personal data: The exchange of personal data for monetary consideration by the controller to a third party.
Targeted advertising: Ads shown based on personal data obtained from a consumer’s activities across nonaffiliated websites or apps.
Who must comply with INCDPA?
The INCDPA applies to businesses that:
Conduct business in Indiana or target products or services to Indiana residents, and
Meet one or both of these thresholds during a calendar year:
Control or process the personal data of at least 100,000 consumers, or
Control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data
INCDPA exemptions
The Indiana data privacy law includes specific exemptions:
Entities: Government bodies, nonprofits, higher education, HIPAA-covered entities, and GLBA-regulated financial institutions.
These narrow the law’s focus to consumer-facing business activities.
Key provisions of INCDPA
The Indiana Consumer Data Protection Act (INCDPA) establishes comprehensive consumer data privacy protections.
1. Consumer Rights
Indiana residents are granted the right to:
Access personal data a controller holds about them.
Correct inaccuracies in their personal data.
Delete personal data provided by or collected about them.
Port their data in a usable, portable format.
Opt out of:
Targeted advertising
Sale of personal data
Profiling that produces legal or similarly significant effects
2. Controller obligations
Businesses that determine the purpose and means of data processing must:
Provide a privacy notice that clearly explains what data is collected, why it’s collected, how it’s used, and how consumers can exercise their rights.
Limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes.
Implement reasonable security measures to protect personal data.
Obtain consent before processing sensitive data, such as health, biometric, or precise geolocation information.
3. Processor requirements
Data processors (i.e., vendors working on behalf of controllers) must:
Follow controller instructions.
Help maintain security.
Assist with consumer rights requests.
Be bound by a data processing agreement that outlines responsibilities and limitations.
4. Appeals process
Controllers must:
Provide a method for consumers to appeal when their rights requests are denied
Respond to appeals within 60 days
Inform consumers about how to contact the Indiana Attorney General if they disagree with the outcome
5. Enforcement
Solely enforced by the Indiana Attorney General
No private right of action—individual consumers cannot sue under this law
Violators may face civil penalties of up to $7,500 per violation
A 30-day cure period is provided with no expiration (unlike other states where it sunsets)
Is INCDPA opt-in or opt-out?
The INCDPA is primarily opt-out.
Consumers have the right to opt out of:
Targeted advertising
Sale of personal data
Profiling that leads to significant decisions (e.g., financial, legal outcomes)
However, for sensitive data, the law requires opt-in consent before processing. This includes data like health information, race/ethnicity, religious beliefs, and precise geolocation.
The price of non-compliance
The price of non-compliance with this Indiana privacy regulation includes:
Civil penalties of up to $7,500 per violation, enforced by the Indiana Attorney General.
A 30-day cure period gives businesses a chance to fix violations before penalties are imposed.
There is no private right of action, meaning individuals cannot sue under this law—only the AG can enforce it.
Non-compliance can also damage consumer trust and brand reputation.
The impact of INCDPA on businesses
The Indiana Consumer Data Protection Act (INCDPA) introduces a new privacy compliance framework that affects how businesses handle personal data. It requires companies to be more transparent, secure, and responsive to consumer rights—especially those that process large volumes of data or rely heavily on data-driven services.
What are the INCDPA requirements for businesses?
To comply with INCDPA, businesses must ensure the following:
1. Honor consumer rights
Businesses must enable Indiana residents to exercise rights including:
Access to their personal data
Correction of inaccuracies
Deletion of data
Data portability
Opting out of targeted advertising, data sales, and profiling
2. Obtain consent for sensitive data
Before processing sensitive personal data (e.g., health, race, religion, precise geolocation), businesses must obtain opt-in consent.
3. Provide clear privacy notices
Businesses must publish accessible and transparent privacy policies that describe:
What data is collected
How it's used
Consumer rights
How to exercise those rights
4. Maintain reasonable data security
They must implement appropriate technical, administrative, and physical safeguards to protect personal data from unauthorized access or breaches.
5. Limit data collection
Data must be collected only for specified, legitimate purposes and kept no longer than necessary.
6. Establish an appeals process
If a consumer request is denied, businesses must provide a clear appeals process and respond within 60 days.
7. Manage third-party processors
Businesses must enter into data processing agreements with vendors to ensure they handle personal data according to INCDPA requirements.
8. Be prepared for enforcement
Non-compliance may result in civil penalties of up to $7,500 per violation, enforced by the Indiana Attorney General. A 30-day cure period is provided before formal enforcement begins.
The impact of INCDPA on consumers
The Indiana Consumer Data Protection Act gives consumers greater control and transparency over how their personal data is used.
Understanding Indiana consumer rights
The INCDPA aims to protect individuals in an increasingly data-driven world by granting new rights and holding businesses accountable for responsible data handling.
1. Greater control over personal data
Consumers can now:
Access the personal data businesses hold about them
Correct inaccuracies
Request deletion
Receive a portable copy of their data
Opt out of targeted ads, data sales, and profiling
2. Protection of sensitive data
Businesses must obtain opt-in consent before collecting or processing sensitive data such as health information, race/ethnicity, religious beliefs, or precise geolocation.
3. Improved transparency
Companies must provide clear privacy notices that explain what data is collected, why, and how it will be used—making it easier for consumers to make informed choices.
4. Enhanced data security
The law requires businesses to adopt reasonable data protection measures, helping reduce the risk of data breaches and misuse.
5. Right to appeal
If a business denies a consumer’s data request, consumers have the right to appeal the decision and, if unresolved, escalate the matter to the Indiana Attorney General.
How INCDPA compares to other U.S. data privacy laws
The Indiana Consumer Data Protection Act shares many features with other U.S. state privacy laws but includes a few distinctions that make it more business-friendly and consistent.
INCDPA vs other state privacy laws
| State | Scope | Effective Date | Key Features | Penalties for Non-Compliance |
| --- | --- | --- | --- | --- |
| Indiana (INCDPA) | Indiana residents | January 1, 2026 | Consumer rights, opt-out of targeted advertising, consent for sensitive data | Up to $7,500 per violation |
| Rhode Island (RIDTPPA) | Rhode Island residents | January 1, 2026 | Consumer rights to access, delete, and opt out of targeted advertising and data sales | Up to $10,000 per violation |
| Kentucky (KCDPA) | Kentucky residents | January 1, 2026 | Consumer rights, opt-out of targeted advertising and data sales, data protection assessments | Up to $7,500 per violation |
| Connecticut (CTDPA) | Connecticut residents | July 1, 2023 | Opt-out for targeted ads and data sales; requires data protection assessments; expanded consumer rights | Up to $5,000 per violation |
| Colorado (CPA) | Colorado residents | July 1, 2023 | Opt-out for targeted advertising; sensitive data consent; data protection assessments | Up to $20,000 per violation |
| California (CCPA/CPRA) | California residents | January 1, 2023 | Right to access, delete, opt-out; data protection assessments; enforcement includes private right of action | Up to $7,500 per violation |
| Virginia (VCDPA) | Virginia residents | January 1, 2023 | Opt-out rights, data protection assessments, strong consumer rights | Up to $7,500 per violation |
| Texas (TDPSA) | Texas residents | July 1, 2024 | Consumer rights, data protection, opt-out of data sales | Up to $7,500 per violation |
| Oregon (OCPA) | Oregon residents | July 1, 2024 | Strong consumer rights, opt-out options, data minimization | Up to $7,500 per violation |
| Iowa (ICDPA) | Iowa residents | January 1, 2025 | Data protection, opt-out of data sharing | Up to $7,500 per violation |
| Montana (MCDPA) | Montana residents | October 1, 2024 | Consumer rights, opt-out options, sensitive data consent | Up to $7,500 per violation |
| New Jersey (NJDPA) | New Jersey residents | January 15, 2025 | Right to access, correct, delete data; opt-out of targeted advertising | Up to $10,000 per violation |
What makes INCDPA stand out?
The Indiana Consumer Data Protection Act takes a practical approach to privacy regulation—balancing strong consumer rights with manageable compliance obligations for businesses. Here's what makes it stand out from other U.S. state privacy laws:
7th U.S. state to pass a comprehensive privacy law
Modeled after Virginia’s VCDPA, offering a clean and structured compliance framework
High applicability thresholds (100,000+ consumers or 25,000+ with 50% revenue from data sales)
Strong consumer rights: access, correction, deletion, portability, opt-out of targeted ads, data sales, and profiling
Opt-in consent required for sensitive data (e.g., health, race, religion, precise geolocation)
No private right of action: only enforceable by the Indiana Attorney General
30-day cure period with no expiration, allowing businesses time to fix violations
What are the differences between INCDPA and CCPA?
Unlike California’s CCPA/CPRA, INCDPA:
Does not allow private lawsuits (no private right of action)
Does not include employee or B2B data
Lacks a universal opt-out mechanism (e.g., Global Privacy Control), though businesses may voluntarily support one
California is generally more stringent and consumer-empowering
What are the differences between INCDPA and GDPR?
INCDPA is a U.S. state law with opt-out rights and limited scope, applying only to large businesses. GDPR is broader, applies globally, requires opt-in consent for most processing, allows private lawsuits, and mandates a data protection officer in some cases.
How to ensure INCDPA compliance
If you’ve read this far, you know that building a privacy-compliant business is important, but also far from easy.
What is INCDPA compliance?
INCDPA compliance means meeting the requirements of Indiana’s data privacy law, including honoring consumer rights, securing personal data, limiting data collection, obtaining consent for sensitive data, and enabling opt-outs for targeted ads, data sales, and profiling.
How to comply with INCDPA
To comply with the Indiana Consumer Data Protection Act (INCDPA), businesses should:
Conduct data mapping to identify what personal data is collected, processed, and shared
Update privacy policies to clearly explain data practices and consumer rights
Enable consumer rights requests (access, correct, delete, opt-out, data portability) with a clear process and response timeline
Obtain opt-in consent before processing sensitive personal data
Implement reasonable security measures to protect personal data
Review and update vendor contracts to include required data processing terms
Develop an appeals process for denied consumer rights requests
Document compliance efforts to demonstrate good faith if investigated
Train employees on privacy obligations and how to handle consumer requests
Monitor regulatory updates to adjust practices before the January 1, 2026 enforcement date
How Ketch can simplify RIDTPPA compliance
Using the Ketch Platform, you can automate and streamline RIDTPPA compliance with:
Consent management: Enables businesses to collect and track opt-in consent for sensitive data processing.
When you automate these processes, you enable your internal stakeholders:
Your developers and marketers can do their jobs without fretting about regulations
Your legal team can set guidelines for notice and consent, secure in the knowledge that any changes they make will ripple through your whole data ecosystem (including vendors or third-party companies using your data!)
Final thoughts: Preparing your business for INCDPA
With the INCDPA set to take effect on January 1, 2026, businesses have a valuable window to assess and update their data privacy practices. Preparing now means mapping your data flows, updating privacy policies, implementing consumer rights processes, and ensuring vendor contracts and security measures align with the law. Taking a proactive, structured approach to data privacy compliance not only reduces legal risk but also builds trust with consumers in an increasingly privacy-aware marketplace.
Contact Ketch today to streamline your compliance and future-proof your privacy strategy.
Ketch supports compliance with major privacy laws, including GDPR, CCPA, CPRA, and various emerging US state laws, ensuring businesses meet global and local data privacy requirements.
Does INCDPA apply to nonprofit organizations? No, nonprofit organizations are explicitly exempt from INCDPA.
Does INCDPA apply to employee or B2B data? No, INCDPA only applies to consumers acting in an individual or household context; it does not cover employee or business-to-business data.
Are Data Protection Impact Assessments (DPIAs) required? Yes, businesses must conduct DPIAs for high-risk processing activities, such as targeted advertising, selling personal data, or processing sensitive data.
What qualifies as "sensitive data" under INCDPA? Sensitive data includes racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation, citizenship or immigration status, biometric/genetic data, precise geolocation, and data of children under 13 years old.
How long do businesses have to respond to consumer requests? Businesses must respond within 45 days of receiving a request, with a possible 45-day extension when reasonably necessary.
Can consumers authorize someone else to make a request on their behalf? Yes, consumers may use an authorized agent to submit rights requests, provided proper authentication is given.
Does INCDPA require businesses to recognize global opt-out signals like Global Privacy Control (GPC)? No, unlike some other state laws, INCDPA does not require businesses to honor universal opt-out mechanisms, though they may choose to do so.
Is de-identified or publicly available data covered by INCDPA? No, INCDPA excludes de-identified data and publicly available information from its scope.
What are the penalties for non-compliance with INCDPA? The Indiana Attorney General can impose fines of up to $7,500 per violation.
Does INCDPA apply to small businesses? The Indiana Consumer Data Protection Act (INCDPA) generally does not apply to small businesses. It targets entities that control or process personal data of at least 100,000 Indiana residents, or at least 25,000 residents if more than 50% of their gross revenue comes from selling personal data.
Jack Carvel is Head of Legal and DPO at Ketch, helping global SaaS companies operationalize privacy, data governance, and AI responsibly. Jack is a dual-qualified privacy attorney with 10+ years of experience.
Automate your privacy compliance with Ketch
Risk of regulatory action or fine is no longer an unlikely, empty threat—regulators across Europe and now the United States are charging brands with irresponsible handling of consumer data.
Your knowledge of the regulations and requirements for your business may be the difference maker in ensuring your brand reputation stays intact. Ketch can help.