Clym Logo
US flag

US

Indiana Consumer Data Protection Act

Overview

The Indiana Consumer Data Protection Act  is a comprehensive law aimed at regulating how businesses handle personal data of Indiana residents. Effective January 1, 2026, it introduces requirements for companies to manage data responsibly, protect consumer rights are respected, and provide transparency in data handling practices.

Regulation Summary

  • March 2023: passed in the Indiana legislature.
  • May 1, 2023: Signed into law.
  • January 1, 2026: effective date.

  • Applies to businesses operating in Indiana or targeting Indiana residents.
  • Businesses that meet one of the following criteria:
    • Process data of 100,000+ consumers annually.
    • Process data of 25,000+ consumers and derive more than 50% of revenue from data sales.

  • Government entities, nonprofits, and financial institutions.
  • Data regulated by HIPAA, GLBA, FERPA, and COPPA.
  • Employment and household data.

  • Data Security: Implement appropriate administrative, technical, and physical safeguards.
  • Transparency: Provide clear and accessible privacy notices.
  • Purpose Limitation: Avoid processing data for undisclosed purposes without consumer consent.
  • Non-discrimination: Prohibit unfair treatment of consumers exercising their rights.

  • Opt-Out Mechanism: Provide opt-out options for data sales, targeted advertising, and profiling.
  • Privacy Notices: Display detailed disclosures about data collection and usage.
  • Data Access Requests: Respond to consumer requests within 45 days.

  • Sensitive Data: Consent required for processing sensitive data (e.g., health data, biometric data).
  • Data Protection Assessments: Required for high-risk processing activities, such as targeted advertising and profiling.

  • Access: Request access to personal data.
  • Correction: Request corrections to inaccurate data.
  • Deletion: Request deletion of personal data.
  • Portability: Obtain data in a machine-readable format.
  • Opt-Out: Refuse data sales and profiling decisions.

  • Enforced by the Indiana Attorney General.
  • Cure period: 30 days to address violations after notice.
  • Civil penalties of up to $7,500 per violation.
  • No private right of action (individual lawsuits not allowed).