Indiana Consumer Data Protection Act (INCDPA)

The Indiana Consumer Data Protection Act (INCDPA) was signed into law on May 1, 2023, and takes effect on January 1, 2026. Indiana became one of the growing number of US states to enact comprehensive consumer data privacy legislation.

What Is the INCDPA?

The INCDPA grants Indiana residents rights over their personal data and places obligations on businesses that collect or process that data. The law follows the opt-out model for general personal data and requires opt-in consent before processing sensitive data.

Who Does the INCDPA Apply To?

The INCDPA applies to businesses that conduct business in Indiana or produce products or services targeted to Indiana residents, and during the prior calendar year either:

• Controlled or processed the personal data of at least 100,000 consumers; or
• Controlled or processed the personal data of at least 25,000 consumers and derived more than 50% of gross revenue from the sale of personal data.

Consumer Rights Under the INCDPA

Indiana residents are entitled to:

• Right to access: confirm whether a business processes their personal data and request a copy
• Right to correction: request correction of inaccurate personal data
• Right to deletion: request deletion of their personal data
• Right to data portability: obtain a portable copy of their personal data
• Right to opt out: opt out of targeted advertising, sale of personal data, and profiling for significant decisions
• Right to appeal: appeal a business's denial of a rights request

Businesses must respond to verified consumer requests within 45 days, extendable by an additional 45 days when reasonably necessary.

Sensitive Data

Processing sensitive data requires opt-in consent from consumers. Sensitive data under the INCDPA includes racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, citizenship status, genetic or biometric data processed to uniquely identify an individual, precise geolocation data, and personal data of known children.

Enforcement

The Indiana Attorney General enforces the INCDPA. There is no private right of action. Businesses have a 30-day cure period upon receiving notice of a violation. Civil penalties of up to $7,500 per violation may be imposed for violations that are not cured.

How UniConsent Supports INCDPA Compliance

UniConsent provides the tools businesses need to meet INCDPA requirements:

• Opt-out and opt-in consent banners configurable by state
• Global Privacy Control (GPC) signal recognition
• Consumer rights request management
• Sensitive data consent workflows
• Integration with websites, mobile apps, and tag managers

Get started with UniConsent or explore our features.

Other US State Privacy Laws

• CCPA: California Consumer Privacy Act, learn more at CCPA
• CPRA: California Privacy Rights Act, learn more at CPRA
• CPA: Colorado Privacy Act, learn more at CPA
• VCDPA: Virginia Consumer Data Protection Act, learn more at VCDPA
• UCPA: Utah Consumer Privacy Act, learn more at UCPA
• CTDPA: Connecticut Data Protection Act, learn more at CTDPA
• TDPSA: Texas Data Privacy and Security Act, learn more at TDPSA
• DPDPA: Delaware Personal Data Privacy Act, learn more at DPDPA
• NHPA: New Hampshire Privacy Act, learn more at NHPA
• MTCDPA: Montana Consumer Data Privacy Act, learn more at MTCDPA
• FDBR: Florida Digital Bill of Rights, learn more at FDBR
• NJDPA: New Jersey Data Protection Act, learn more at NJDPA

Compare different US State Privacy Laws