Indiana

Privacy Law Status

Comprehensive Privacy Law

Indiana has enacted a comprehensive consumer data protection law, becoming the seventh state in the nation to pass such legislation[1][2][3]. The Indiana Consumer Data Protection Act (ICDPA), officially known as Senate Bill 5, was signed into law by Governor Eric Holcomb on May 1, 2023[1][4][5]. This law establishes privacy rights for Indiana residents and sets obligations for businesses that collect and process personal data.

The law follows a business-friendly model similar to Virginia’s Consumer Data Protection Act, rather than the more stringent approaches seen in California or Colorado[3][6]. Indiana’s law focuses on providing clear rights to consumers while giving businesses reasonable frameworks for compliance[7][8].

Legislative Activity

The legislative process for Indiana’s privacy law moved swiftly through both chambers with overwhelming bipartisan support[7][8]. The Senate originally passed the bill by a vote of 49-0 on February 9, 2023, while the House passed an amended version by a vote of 98-0 on April 11, 2023[7]. The Senate then concurred with the House amendments on April 13, 2023, sending the final bill to the governor[7][8].

During the legislative process, lawmakers specifically chose an extended effective date to allow businesses time to observe how other states implement their privacy laws and to ensure smoother compliance[7]. The Attorney General is also permitted to maintain resources on their website, including sample privacy notices, to assist businesses with compliance[7].

Implementation Timeline

The Indiana Consumer Data Protection Act will become effective on January 1, 2026, providing businesses with over two and a half years to prepare for compliance[1][9][6]. This extended timeline is longer than most other state privacy laws, with Indiana specifically choosing this approach to learn from other states’ experiences[7][6]. The delayed effective date means that other states may pass and implement their privacy laws before Indiana’s takes effect[7].

Businesses are encouraged to begin compliance preparations early, as implementing comprehensive privacy frameworks including data mapping, consent processes, and consumer request systems requires significant operational changes[6]. The Indiana Attorney General’s office may provide additional guidance and resources as the effective date approaches[7].

Your Rights as a Indiana Resident

Once the Indiana Consumer Data Protection Act takes effect in 2026, Indiana residents will gain several important rights regarding how businesses collect, use, and share their personal information[1][5][10].

Right to know what data is collected: You can request confirmation of whether a business is processing your personal data and obtain access to that information[1][5][10]
Right to delete personal information: You can request that businesses delete personal data they have collected about you, with certain exceptions for legitimate business purposes[1][5][10]
Right to opt out of data sales: You can opt out of the sale of your personal data, targeted advertising, and profiling that produces legally significant effects[1][5][8]
Right to correct inaccurate data: You can request correction of inaccuracies in personal data that you previously provided to a business, though this right is more limited than in some other states[1][7][8]
Right to non-discrimination: Businesses cannot discriminate against you for exercising your privacy rights under the law[1][5]
Right to data portability: You can obtain a copy or representative summary of your personal data in a portable, readily usable format[8][10]

Businesses must respond to your requests within 45 days, with a possible 45-day extension in certain circumstances[8]. Unlike some other states, Indiana’s law does not provide consumers with a private right to sue businesses for violations, meaning enforcement relies exclusively on the Indiana Attorney General[4][11][8].

Business Requirements

The Indiana Consumer Data Protection Act applies to businesses that conduct business in Indiana or target products and services to Indiana residents, provided they meet specific data processing thresholds[1][12][8].

Which companies must comply: Businesses that control or process personal data of at least 100,000 Indiana consumers annually, or those that handle data for 25,000 consumers and derive over 50% of gross revenue from selling personal data[1][12][8]
Notice and transparency requirements: Companies must provide clear and meaningful privacy policies, disclose data sales, limit data collection to what is adequate and necessary for disclosed purposes, and obtain consent before processing sensitive personal information[1][5][8]
Consumer request response procedures: Businesses must establish processes to verify consumer identities, respond to rights requests within 45 days, and provide clear methods for consumers to submit requests and appeals[1][8][10]
Security and breach notification rules: Companies must implement reasonable technical, administrative, and physical security practices appropriate to the volume and nature of data collected, and must conduct data protection assessments for high-risk processing activities[1][5][8]

The law includes various exemptions for entities already covered by federal regulations such as HIPAA and the Gramm-Leach-Bliley Act, as well as for government agencies, nonprofits, higher education institutions, and public utilities[1][12][8].

Practical Impact

How these laws protect residents in daily life: The law will give Indiana residents more control over their personal information used by retailers, social media platforms, data brokers, and other businesses for marketing, advertising, and commercial purposes[1][9]. Residents will be able to find out what information companies have about them and request its deletion or correction[5][10].
What to do if rights are violated: Since there is no private right to sue under Indiana’s law, residents who believe their rights have been violated must file complaints with the Indiana Attorney General’s Consumer Protection Division[4][9][11]. The Attorney General has exclusive enforcement authority and can impose civil penalties up to $7,500 per violation[4][11][13].
Limitations and gaps in protection: The law only applies to larger businesses that meet specific data processing thresholds, potentially leaving residents unprotected from smaller companies[12]. The right to correct data is limited to information consumers previously provided themselves, unlike broader correction rights in other states[7]. Additionally, certain types of data including employment records, health information already covered by HIPAA, and publicly available information are excluded from the law’s protections[1][12].

Comparison Context

How Indiana compares to leading privacy states: Indiana’s law is considered more business-friendly than California’s comprehensive privacy framework or Colorado’s Consumer Privacy Act[3][6]. It closely resembles Virginia’s approach with similar thresholds and enforcement mechanisms, but provides businesses with more time to comply than most other states[3][7][6]. Unlike California, Indiana does not include a revenue threshold alone for determining which businesses must comply[12].
What residents might be missing compared to other states: Indiana residents will not have the ability to file private lawsuits against companies that violate their privacy rights, unlike in California[11][8]. The state also does not require businesses to recognize universal opt-out signals from web browsers, which some other states mandate[6]. The right to correct personal information is more limited in Indiana, applying only to data consumers previously provided rather than all personal data held by businesses[7].

Action Steps for Residents

Immediate steps to protect privacy: Review privacy policies of websites and services you use, limit unnecessary personal information sharing, use privacy settings on social media platforms, and consider using ad blockers and privacy-focused browsers while waiting for the law to take effect[9][6]
How to exercise legal rights (if available): Once the law takes effect in 2026, residents can submit privacy rights requests through methods provided by individual businesses, typically through online forms or email addresses specified in privacy policies[8][6]. Keep records of your requests and responses for potential complaints if businesses fail to comply properly[10].
Resources for staying informed: Monitor the Indiana Attorney General’s website for guidance and resources as the law’s effective date approaches, stay updated on any implementing regulations or guidance documents, and follow consumer advocacy organizations that track privacy law developments[9][7]

Official Resources and Contact Information

Indiana Attorney General – Consumer Protection

The Indiana Attorney General’s Consumer Protection Division will be responsible for enforcing the state’s privacy law and investigating consumer complaints about privacy violations[4][9][14]. They currently handle various consumer protection matters and provide educational resources.

Phone: (317) 232-6330 or toll-free (800) 382-5516[15][16][14]
Address: Consumer Protection Division, 302 West Washington Street, 5th Floor, Indianapolis, IN 46204[16][14]
Website: https://www.in.gov/attorneygeneral/consumer-protection-division/
Email: info@atg.in.gov[15]

Indiana General Assembly

Contact your state representatives to provide input on privacy legislation, express concerns about privacy rights, or request information about future privacy-related bills[17].

Indiana House of Representatives: (317) 232-9600 or toll-free (800) 382-9842[17]
Indiana Senate: (317) 232-9400 or toll-free (800) 382-9467[17]
Find Your Representatives: https://iga.in.gov/legislative/find-legislators/

Official Text and Updates

Access the complete text of Indiana’s Consumer Data Protection Act and track any amendments or implementing regulations through the official state legislature website.

Indiana General Assembly: https://iga.in.gov/
Senate Bill 5 (Consumer Data Protection Act): https://iga.in.gov/legislative/2023/bills/senate/5

While Indiana’s privacy law doesn’t take effect until 2026, residents can currently file complaints about deceptive business practices, identity theft, and other consumer protection issues with the Attorney General’s office[14].

Complaints can be filed online, by phone at the numbers listed above, or by mail to the Consumer Protection Division address. The office mediates consumer complaints and investigates potential violations of Indiana’s consumer protection laws[14].

Sources and Citations

[1] termly.io/resources/articles/indiana-consumer-data-protection-act/

[2] www.dwt.com/blogs/privacy–security-law-blog/2023/05/indiana-consumer-data-privacy-law

[3] www.akingump.com/en/insights/blogs/ag-data-dive/indiana-data-protection-act-what-businesses-need-to-know

[4] www.cliffordchance.com/insights/resources/blogs/talking-tech/en/articles/2023/12/the-indiana-data-privacy-law-an-overview.html

[5] www.boselaw.com/2023/05/indiana-adopts-its-first-consumer-data-privacy-statute/

[6] www.velotix.ai/privacy-regulations/indiana-consumer-data-protection-act/

[7] www.bytebacklaw.com/2023/04/indiana-legislature-passes-consumer-data-privacy-bill/

[8] www.hunton.com/privacy-and-information-security-law/indiana-likely-to-become-seventh-state-to-enact-a-comprehensive-state-privacy-law

[9] www.cookieyes.com/blog/indiana-consumer-data-protection-act/

[10] www.whitecase.com/insight-alert/indiana-becomes-seventh-state-enact-comprehensive-data-privacy-law

[11] www.truevault.com/learn/indianas-privacy-law-quick-facts

[12] usercentrics.com/knowledge-hub/indiana-consumer-data-protection-act-incdpa/

[13] www.wilmerhale.com/en/insights/blogs/wilmerhale-privacy-and-cybersecurity-law/20230119-state-comprehensive-privacy-law-update-for-2023

[14] www.in.gov/attorneygeneral/consumer-protection-division/

[15] indiana-attorney-general.pissedconsumer.com/customer-service.html

[16] consumerfed.org/wp-content/uploads/2010/08/cy%20pres%20state%20regulator%20contacts%20Appendix%20B%2009%20update%25281%2529.pdf

[17] faqs.in.gov/hc/en-us/articles/115005226348-How-do-I-contact-my-State-Senator-or-Representative

Last Updated August 2025. Written with contributions from both human authors and Perplexity AI. If you find incorrect or outdated information let us know at support@optery.com.