Who is excluded from compliance with the Indiana Consumer Data Protection Act? 

The Indiana Consumer Data Protection Act excludes several types of entities and of data, such as 

• government entities or third parties under contract with these; 
• financial institutions and affiliates, or data subject to Title V of the federal Gramm-Leach-Bliley Act; 
• any nonprofit organization; 
• institutions of higher education; 
• entities and business associates covered by the United States Department of Health and Human Services, pursuant to HIPAA;
  public utility or their affiliated service companies;
• protected health information under HIPAA;
• patient identifying information;
• data covered by the federal Health Care Quality Improvement Act of 1986, the federal Patient Safety and Quality Improvement Act, the Fair Credit Reporting Act, the Driver's Privacy Protection Act, the Family Educational Rights and Privacy Act, or the Farm Credit Act;
• employment related data;
• human research data covered by federal laws.  
  
  
  

How can I keep my organization compliant with the Indiana Consumer Data Protection Act? 

Similar to other US consumer privacy laws, the Indiana Consumer Data Protection Act established a series of duties for controllers as follows: 

• limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer;
• unless otherwise provided by the law, you are not allowed to process personal data for purposes that are neither reasonably necessary for nor compatible with the disclosed purposes for which the personal data is processed, unless you obtain the consumer's consent;
• you are required to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, which must be appropriate to the volume and nature of the personal data at issue;
• you are not allowed to process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers, or discriminate against a consumer for exercising any of their consumer rights, including by denying goods or services to them, charging different prices or rates for goods and services, or providing a different level or quality of goods or services;
• you cannot process sensitive data concerning a consumer without obtaining their consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children's Online Privacy Protection Act;
• you have to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
  • the categories of personal data you process;
  • the purpose for processing personal data;
  • one or more secure and reliable means through which consumers can exercise their rights, including how they can appeal your decision with regard to their request, which has to take into account the ways in which consumers normally interact with you, the need for secure and reliable communication of such requests, and your ability to verify the identity of the consumer making the request.
  • the categories of personal data that you share with third parties, and the categories of third parties you share personal data with, if any;
  • if you sell personal data to third parties or process personal data for targeted advertising, you are required to clearly and conspicuously disclose such processing, as well as the manner in which consumers can exercise the right to opt out of such processing.
• you cannot require a consumer to create a new account in order to exercise their rights you are allowed to use an existing account.

A processor’s duties under Indiana’s data privacy law are to “adhere to the instructions of a controller” and “assist the controller in meeting its obligations” based on a contract that governs “the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract must be binding and clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.”

In addition to the above duties, the Indiana Consumer Data Protection Act requires controllers to perform a data protection impact assessment (DPIA), which will only apply to  “processing activities created or generated after December 31, 2025, and are not retroactive to any processing activities created or generated before January 1, 2026.” Said processing activities that require a data protection impact assessment are as follows: 

• “the processing of personal data for purposes of targeted advertising;
• the sale of personal data;
• the processing of personal data for purposes of profiling, if such profiling presents a reasonably foreseeable risk of:
  • unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
    financial, physical, or reputational injury to consumers;
  • a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, if such intrusion would be offensive to a reasonable person; or
  • other substantial injury to consumers.
• the processing of sensitive data.
• any processing activities involving personal data that present a heightened risk of harm to consumers.”

What data access rights does the Indiana Consumer Data Protection Act grant? 

The Indiana Consumer Data Protection Act grants consumers the following rights: 

• The Right to Know
• The Right to Access
• The Right to Correct
• The Right to Delete
• The Right to Data Portability
• The Right to Opt Out of personal data processing for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer. 

How to address data subject access requests under the Indiana Consumer Data Protection Act?

As a controller, you are required to respond to a consumer request “without undue delay, but in any case not later than 45 days after receipt of the request” and may extend this with an additional 45 days “when reasonably necessary, taking into account the complexity and number of the consumer's requests” as long as you inform the consumer of any such extension within the initial 45 day response period, along with the reason for the extension.

If you refuse a consumer request you are required to inform the consumer “without undue delay, but in any case not later than 45 days after receipt of the consumer's request of the justification for declining to take action, and to provide instructions for how they can appeal your decision. In order for consumers to be able to appeal your decision, you are required to establish a process for this and make it available to consumers. Said appeal process has to be “conspicuously available and similar to the process for submitting requests” and you have 60 days after receipt of an appeal to inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If you deny the appeal, you must also provide the consumer with an online mechanism, if available, or other methods through which they can contact the Attorney General to submit a complaint.

Information provided in response to a consumer request has to be provided free of charge, up to one time per year, per consumer. If a consumer sends multiple requests that are “manifestly unfounded, excessive, or repetitive,” you are allowed to charge them “a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request,” but you have to demonstrate the manifestly unfounded, excessive, or repetitive nature of the request. 

Before responding to a consumer request, you must be able to authenticate this. If you are unable to do so “using commercially reasonable efforts,” you will not be required to comply with the request and are allowed to ask that the consumer provide additional information reasonably necessary to authenticate them and their request.

In the case of a request for correcting inaccuracies in their personal data that you hold, you are required to “correct inaccurate information as requested by the consumer, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data.” Where a request for data portability is made, according to the law, the information “must be in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data or summary to another controller without hindrance, in any case in which the processing is carried out by automated means.” Furthermore, you are not required to provide a copy or a representative summary of a consumer's personal data to the same consumer more than one time in a 12 month period. 

Enforcement and penalties

The Attorney General has exclusive authority to enforce the Indiana Consumer Data Protection Act. According to the law, they “may initiate an action in the name of the state and may seek an injunction to restrain any violations of this article and a civil penalty not to exceed $7,500 for each violation” and “may recover reasonable expenses incurred in investigating and preparing the case, including attorney's fees, in any action initiated” under this law. However, before initiating any action, the Attorney General will provide a cure period of 30 days for the controller or processor to cure the violation. 

Data Subject Rights - GDPR vs. the Indiana Consumer Data Protection Act 

FAQs about the Indiana Consumer Data Protection Act