Indiana Privacy Law Overview
Indiana's privacy law took effect January 1, 2026 after a long lead time. It is a faithful adoption of Virginia's business-friendly framework, giving Indiana businesses the benefit of well-trodden compliance practices developed for the VCDPA and its many copies.
The Indiana Consumer Data Protection Act (INCDPA)
Indiana's law closely follows the Virginia model: comprehensive access, correction, deletion, portability and opt-out rights, with opt-in consent for sensitive data and a permanent right to cure. Enacted in 2023, it carried one of the longest lead times of any state law, taking effect on January 1, 2026.
INCDPA: Quick Overview
- Effective Date: January 1, 2026
- Citation: Ind. Code § 24-15
- Enforced By: Indiana Attorney General
- Maximum Penalty: Up to $7,500 per violation
- Private Right of Action: No (enforcement by the state only)
- Right to Cure: 30 days (permanent)
Who Must Comply
The INCDPA applies to businesses that meet Indiana's applicability thresholds:
- Controls or processes the personal data of 100,000+ Indiana consumers per year, or
- Processes data of 25,000+ consumers and derives over 50% of gross revenue from selling personal data
What makes Indiana different: Indiana is a near-copy of Virginia's law and had one of the longest gaps between enactment (2023) and effect (2026).
Consumer Rights Under the INCDPA
Indiana residents can exercise the following rights over their personal data:
- Right to access / confirm what data is held
- Right to correct inaccurate data
- Right to delete personal data
- Right to data portability
- Right to opt out of targeted advertising
- Right to opt out of the sale of personal data
- Right to opt out of profiling for significant decisions
Sensitive personal data: Businesses must obtain opt-in consent before processing sensitive data (such as health, biometric, precise-geolocation, or demographic data).
Data Breach Notification in Indiana
Indiana requires notice to affected residents within 45 days and to the Attorney General for breaches involving Indiana residents.
- Deadline to notify residents: Without unreasonable delay, no later than 45 days after discovery
- Attorney General notice: Notify the Indiana Attorney General for breaches affecting residents
- Covered data: Name combined with sensitive identifiers (SSN, driver's license, financial-account or medical information, and more)
Federal Privacy Laws That Apply in Indiana
Even where Indiana law is silent, residents and businesses are covered by federal privacy statutes:
- HIPAA — health information held by providers, plans and their vendors
- GLBA — privacy and safeguards rules for financial institutions
- FERPA — student education records
- FCRA — consumer reporting agencies and background screening
- COPPA — online collection of data from children under 13
- FTC Act §5 — unfair or deceptive privacy and data-security practices
Indiana Privacy Law FAQ
Which state law is Indiana's privacy law based on?
When did Indiana's privacy law take effect?
How a Indiana Privacy Attorney Can Help
For Businesses
- Build and audit a privacy compliance program
- Draft privacy policies, notices and vendor contracts
- Respond to consumer rights requests
- Manage data-breach response and notification
- Defend regulatory investigations and enforcement
For Consumers
- Enforce your privacy rights against non-compliant businesses
- Pursue or join data-breach litigation
- File complaints with the Indiana Attorney General
- Seek damages for identity theft and fraud
- Stop unlawful data sales and unwanted marketing
Need a Indiana Privacy Attorney?
Whether you are a business working toward compliance or a Indiana resident whose privacy has been violated, our network of Indiana-licensed attorneys can help.
Find a Indiana Privacy Attorney