Last updated: January 2025
Please note this is a highlighted overview and not a complete overview of privacy laws for this state. If you would like a complete review of this state's privacy laws or a multi-state privacy compliance cheat sheet on specific topics, please contact Vivien Peaden at vpeaden@bakerdonelson.com.
Disclaimer: These materials do not constitute legal advice and should not be substituted for the advice of legal counsel.
The Indiana Consumer Data Protection Act (Indiana CDPA)
Effective Date: January 1, 2026
1. Applicability Thresholds:
Subject to certain entity-level and data-level exemptions, the Indiana CDPA applies to any legal or natural person that does business in Indiana or produces products/services targeted to residents of Indiana and that, during a calendar year, controls or processes the personal data of:
- 100,000+ Indiana consumers; or
- 25,000+ Indiana consumers and derives more than 50 percent of revenue from the sale of personal data.
2. Key Definitions:
Sales of Personal Data: Narrowly defined as "the exchange of personal data for monetary consideration by the Controller to a third party" subject to a few exemptions.
3. Business Obligations:
Indiana CDPA imposes additional obligations on individuals or legal entities that determine the purpose and means of processing personal information (Controller):
- Data Processing Agreement (DPA): Processing activities by a supplier, contractor, or service provider (known as Processor) shall be governed by a DPA between the Controller and Processor.
- Data Protection Impact Assessment: Controllers must conduct and document a data protection impact assessment for certain high-risk processing activities conducted after December 31, 2025.
- Privacy Notice: Yes, a Controller must provide consumers with a privacy notice including a list of required information.
4. Consumer Rights:
Under the Indiana CDPA, Indiana consumers have the right to:
- Confirm whether a Controller is processing their personal data and access such personal data;
- Correct inaccuracies in their personal data, a right that is narrowly scoped and limited to personal data provided by the consumer to the Controller;
- Delete personal data subject to certain exceptions;
- Obtain a copy of or a summary of their personal data provided to the Controller in a portable and readily usable format; and
- Opt out of targeted advertising, sales of personal data, and "profiling in furtherance of solely automated decisions that produce legal or similarly significant effects."
5. Enforcement and Penalties:
Private Right of Action: None
Penalties: The state attorney general has sole authority to enforce the statute, with penalties of up to $7,500 per violation.
Cure Period: There is a 30-day cure period; unlike some states, this is a permanent cure period that does not have a cutoff date.