Indiana Passes Comprehensive Privacy Law: What You Need to Know
As technology advances and more of our personal information is shared online, concerns about data privacy have become increasingly prevalent. In response to these concerns, Indiana has recently passed the Consumer Data Protection Act (CDPA), a new law aimed at protecting the personal information of Indiana residents.
The CDPA, which goes into effect on January 6, 2026, will require businesses that collect, process, or sell the personal information of Indiana residents to implement reasonable data security measures and provide certain data rights to individuals.
What is the Indiana Consumer Data Protection Act?
The Indiana CDPA is a new law that regulates how businesses can collect, process, and sell the personal information of Indiana residents. The law is modeled after the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) and provides similar protections for personal information.
The CDPA applies to businesses that meet certain criteria, such as those who control or process the personal data of either 100,000 consumers, or 25,000 consumers while deriving over 50% of their gross revenue from the sale of personal data.
What are the key provisions of the CDPA?
Under the CDPA, businesses that collect, process, or sell the personal information of Indiana residents must provide certain data rights to individuals. These data rights include:
- The right to know what personal information is being collected: Businesses must disclose what personal information they are collecting and why.
- The right to access: Individuals have the right to request access to their personal information that is being collected, processed, or sold.
- The right to correct: Individuals have the right to request correction of inaccuracies in their personal information that is being collected, processed, or sold.
- The right to request deletion: Individuals have the right to request that their personal information be deleted.
- The right to opt out: Individuals have the right to opt out of the sale of their personal information.
- The right to data portability: Individuals have the right to receive their personal information in a portable and readily usable format.
In addition to these data rights, the CDPA also requires businesses to implement reasonable data security measures to protect the personal information they collect, process, or sell. The law requires businesses to conduct risk assessments and implement appropriate safeguards to protect personal information, such as encryption and access controls.
What does the CDPA mean for businesses?
In Indiana, covered entities have certain obligations, which were also present in the previous versions of the law. The obligations are as follows:
- Purpose limitation: Controllers must obtain consumer consent for any processing beyond the disclosed purposes and limit personal data collection to what is necessary for processing.
- Data security: Controllers must implement reasonable administrative, technical, and physical data security practices to protect personal data’s confidentiality, integrity, and accessibility.
- Consent requirements: Consent must be an affirmative act indicating a consumer’s specific, informed, and unambiguous agreement to process their data, and there is no requirement to offer a method to allow consumers to revoke their consent.
- Nondiscrimination: Personal data must not be processed in a way that violates antidiscrimination laws. Additionally, controllers must not discriminate against consumers for exercising their rights.
- Transparency: Controllers must provide consumers with an accessible, clear, and meaningful privacy notice, disclose their use or sale of personal data to third parties for targeted advertising, and provide a method to opt out of this use or sale.
- Assessments: Controllers must conduct data protection impact assessments for processing sensitive data, selling personal data, processing personal data for targeted advertising purposes, and processing personal data that heightens the risk of harm to consumers.
- Data processing contracts: Controllers must provide processors with a binding data processing contract that details instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.
The law also includes a carveout for riverboat casinos that use facial recognition technology approved by the Indiana Gaming Commission. However, the law does not explicitly require organizations to recognize universal opt-out mechanisms.
What does the CDPA mean for consumers?
For consumers, the CDPA provides increased protections for their personal information. Individuals now have certain data rights that allow them to control how their personal information is collected, processed, and sold.
Consumers can now request that their personal information be deleted, opt out of the sale of their personal information, and access their personal information that is being collected, processed, or sold. The CDPA also requires businesses to implement reasonable data security measures to protect personal information, which can help prevent data breaches and other privacy violations.
Enforcement
Upon having reasonable suspicion that an entity has violated the law, the attorney general’s office may issue a civil investigative demand. Before enforcing the law, the attorney general must notify the controller or processor in writing of the specific violations and allow 30 days to correct them. The entity must provide written confirmation that the violations have been remedied and no further similar violations will occur. If the entity fails to address the violations within the given cure period or breaches the written statement, the attorney general may enforce the law by issuing an injunction and/or seeking a civil penalty of up to $7,500 for each violation. The right to cure within 30 days does not have a time limit and is similar to the cure provision in Utah and Virginia’s laws.
The Indiana Consumer Data Protection Act represents a significant step forward in protecting the personal information of Indiana residents. The law requires businesses that collect, process, or sell personal information to implement reasonable data security measures and provide certain data rights to individuals.