Indiana Privacy Law

Please note that this is intended to be a summary. It is not a complete recitation of the applicable laws and/or regulations and is not intended to be used as legal advice.

Indiana Governor Eric Holcomb signed Senate Bill 384, the Indiana Consumer Data Protection Act (ICDPA) into law on May 1, 2023. The ICDPA’s main provisions become effective on January 1, 2026.

Like other state privacy laws, the Indiana law creates obligations on “controllers” and “processors” of personal data; defined as the individuals or legal entities who, alone or jointly with another person, determine the purposes and means for processing personal data, and the persons who process personal data on behalf of a controller, respectively.

The ICDPA applies to any persons who conduct business in Indiana, or who produce products or services that are targeted to Indiana residents, and during a calendar year, control or process the personal data of at least: (1) 100,000 consumers who are Indiana residents; or (2) 25,000 consumers, while deriving more than 50% of annual gross revenue from the sale of personal data.

Like many other states’ privacy laws, information and data exempt from the provisions of the ICDPA include, among other types, personal data subject to regulation under the FRCA, HIPAA, FERPA, and GLBA.  

Controllers have the following obligations under the ICDPA:

  • Privacy Notice: controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the categories of personal data processed by the controller; the purpose for processing personal data; the categories of personal data that the controller shares with third parties, if any; the categories of third parties, if any, with which the controller shares personal data; and, how consumers may exercise their consumer rights and appeal any controller’s decision regarding a consumer’s request.
  • Restraint: controllers must limit the controller’s collection of personal data to that which is adequate, relevant and reasonably necessary for the purposes of processing, and must obtain consumer consent for any processing outside of the previously disclosed purposes.
  • Security: controllers must have reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data.
  • Rights Request Mechanism: controllers must provide an effective means by which a consumer may exercise its rights under the ICDPA.

Consumer rights under the ICDPA include the right to:

  • Confirm whether a controller is processing or has processed the consumer’s personal data and access that personal data;
  • Require a controller to correct inaccuracies in personal data about the consumer;
  • Require a controller to delete personal data about the consumer;
  • Obtain a copy of the consumer’s personal data previously provided by the consumer to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another controller; and,
  • Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling the consumer in furtherance of decisions made by the controller that produce legal effects or effects of similar significance for the consumer, such as those that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, or access to essential goods or services.

Controllers must respond to a consumer’s rights request within 45 days of receipt of the consumer’s request, with an option to extend such response by an additional 45 days with notice to the consumer.

Like most of the recent data privacy laws being enacted, the ICDPA does not provide a private right of action, with violations only enforceable by the Indiana Attorney General’s office. The Indiana Attorney General must issue a notice of violation to a controller prior to initiating any action for violation of the ICDPA, and if the controller fails to correct the action within 30 days of the notice, the attorney general may bring an action under the ICDPA, which may result in an injunction or a civil penalty of up to $7,500 for each violation.

Have more Questions?