Indiana's Consumer Data Protection Act (CDPA)

The Indiana Consumer Data Protection Act (CDPA) was signed into law on May 1, 2023 and will take effect on January 1, 2026.

This article explains what the Indiana CDPA is, who it applies to, how to comply with the law, and what happens if you violate it.

What is the Indiana Consumer Data Protection Act (CDPA)?

The Indiana CDPA is Indiana's primary consumer privacy law. It protects Indiana residents' personal information, which is data that can be used to identify an individual.

Who Does the Indiana Consumer Data Protection Act (CDPA) Apply to?

The Indiana Consumer Data Protection Act (CDPA) applies to organizations that do business in Indiana or offer products or services to Indiana residents, and, in one calendar year, meet either of the following criteria:

• Control or process (use) personal data belonging to at least 100,000 Indiana residents, or
• Control or process personal data belonging to at least 25,000 Indiana residents and
• Get more than 50% of their gross revenue from selling personal data

Chapter 1, Section 1(a) of the CDPA explains this:

Who is Exempt From the Indiana Consumer Data Protection Act (CDPA)?

The Indiana Consumer Data Protection Act (CDPA) does not apply to any of the following entities:

• State agencies
• Third parties in contract with and acting on behalf of state agencies
• Financial institutions subject to the Gramm-Leach-Bliley Act
• Covered entities subject to the Health Insurance Portability and Accountability Act (HIPAA)
• Nonprofits
• Institutions of higher education
• Public utility companies

Chapter 1, Section 1(b) of the Indiana CDPA lists the entities that are exempt from the law, including financial institutions (and data) that are subject to the Gramm-Leach-Bliley Act, nonprofits, and higher education institutions:

Furthermore, the Indiana CDPA does not apply to certain types of personal information that is protected by other laws, including data regulated by the Driver's Privacy Protection Act, the Fair Credit Reporting Act, and the Family Educational Rights and Privacy Act.

Chapter 1, Section 2 of the Indiana CDPA describes the data that is exempt from the law, including personal health data protected by HIPAA, and certain patient identifying information:

What Does the Indiana Consumer Data Protection Act (CDPA) Require?

The Indiana Consumer Data Protection Act (CDPA) requires applicable organizations to:

• Only collect relevant information
• Keep the data they collect secure
• Respond to consumer requests in a timely fashion
• Give consumers a way to opt out of the processing and sale of their personal data
• Not discriminate against consumers for exercising their rights
• Get consent before processing sensitive personal data
• Maintain a Privacy Policy
• Disclose and facilitate user rights

What User Rights Does the Indiana Consumer Data Protection Act (CDPA) Grant?

The Indiana Consumer Data Protection Act (CDPA) gives Indiana consumers the following rights:

• The right to know whether their personal data is being processed
• The right to access their personal data
• The right to correct inaccuracies in their personal data
• The right to delete their personal data
• The right to get a portable copy or summary of any personal data they have provided to a controller (once per year)
• The right to opt out of the processing of their personal data for targeted advertising or profiling purposes
• The right to opt out of the sale of their personal data

Chapter 3, Section 1(b) of the Indiana CDPA lists Indiana consumers rights, including the right to know what data is being collected about them, and the rights to edit or delete their data:

How Do You Comply With the Indiana Consumer Data Protection Act (CDPA)?

There are several steps you should take to ensure compliance with the Indiana Consumer Data Protection Act (CDPA), including getting consent, collecting only necessary data, keeping data safe, giving consumers a way to exercise their rights, and maintaining a Privacy Policy.

Get Consent Before Processing Sensitive Personal Data

You will need to get consent before processing sensitive personal data, which is a special category of data that includes race, religious beliefs, health diagnoses, and sexual orientation.

Chapter 2, Section 28 of the Indiana CDPA lists the types of sensitive data it covers, which include the following:

• Personal data that discloses religious beliefs, racial or ethnic origins, physical or mental health diagnoses made by health care providers, citizenship, immigration status or sexual orientation
• Biometric or genetic data which is processed in order to uniquely identify a specific individual
• Personal data collected knowingly from a minor/child
• Any precise geolocation data

Here's what the law says:

To get compliant consent, it's recommended to always use a checkbox method and make users check a box next to a statement that clearly shows they agree or consent.

Here's an example of using this method to obtain consent to send marketing information to users:

Here's another example of how this method can be used to get users to agree to important legal agreements like your Privacy Policy and Terms agreement:

Only Collect Necessary Information

The Indiana CDPA requires data controllers to only collect personal information that is relevant to the purposes that they disclose to consumers.

If you want to use the personal data you collect for purposes other than the ones you initially gave to consumers, you will need to get their consent before doing so.

Chapter 4, Section 1(a) of the Indiana CDPA explains that controllers must only collect data that aligns with the processing purposes that they have given consumers.

For example, if a user is signing up to receive your email newsletters, you surely don't need to be collecting their home mailing address, last name, or birthdate. Collecting just an email address will be information enough to complete the purpose of sending the emails.

If you don't need a piece of information for an actual business purpose, don't collect it without explicit consent to use it for something specific.

Keep the Data You Collect Safe

You should have technological and physical safeguards in place to keep the data you collect and process secure. A few security practices you might consider using include:

• Firewalls
• Antivirus software
• Multi-factor authentication
• Employee trainings on how to handle confidential information
• Security cameras
• Security guards

Whatever security measures you use, you should make sure that they provide adequate protection for the amount and types of personal data you collect and process.

Chapter 4, Section 1(3) of the Indiana CDPA explains that data controllers must maintain appropriate safety measures to protect the personal data they collect and use:

Include a security clause in your Privacy Policy that addresses this and discloses that you do have adequate security measures in place.

Here's an example of a simple yet effective security clause:

Here's one that's more detailed and includes some extra information, including a way for users to contact the company with security questions:

Respond Timely to Consumer Requests

Data controllers must respond to consumer requests regarding their rights within 45 days of receiving them.

You can extend your response time by an additional 45 days as long as you notify the consumer of your reasons for the extension within the initial 45 day time period.

If you decide to decline a consumer's request, you must explain your reason for refusing the request and provide a way for the consumer to appeal your decision. You must inform the consumer in writing within 60 days of receiving their appeal what your final decision is and why.

You should include the contact information for the attorney general so that consumers can file a complaint if they are not satisfied with your decision.

Responses to requests must be given free of charge, unless requests are "manifestly unfounded, excessive, or repetitive," in which case you can charge an administrative fee.

Chapter 3, Section 1(c) of the Indiana CDPA describes the timeline that data controllers must follow when responding to consumer requests:

Give Consumers a Way to Opt Out of Personal Data Sale and Processing

The Indiana CDPA requires you to give consumers a way to opt out of the sale of their personal data or the processing of their personal data for targeted advertising or profiling purposes.

Steak 'n Shake's Privacy Policy explains how consumers can contact the company to opt out of receiving marketing communications, as well as how to request changes to how it uses their information:

Conduct Data Protection Impact Assessments

A data protection impact assessment is an audit of your data protection practices that helps identify and minimize potential privacy risks.

Beginning January 1st, 2026, data controllers must conduct and keep a record of data protection impact assessments for each of the following data processing activities:

• Processing personal data for targeted advertising purposes
• Selling personal data
• Processing personal data for profiling purposes (if the profiling poses a risk of harm to the consumer)
• Processing sensitive data
• Any activities that increase the risk of harm to the consumer

Chapter 6, Section 1(b) of the Indiana CDPA describes the types of processing activities that will require a data protection impact assessment.

Maintain a Privacy Policy

A Privacy Policy is a publicly-displayed document that explains how you handle consumers' personal information.

It discloses how and why you do things such as collect, use and share personal information. It also discloses what rights users have regarding their personal information.

The Indiana CDPA requires applicable organizations to maintain an "accessible, clear, and meaningful" Privacy Policy that contains relevant clauses.

Chapter 4, Section 3 of the CDPA describes the clauses that you should include in your Privacy Policy:

Let's take a look at the clauses you need to include in your Privacy Policy to make it Indiana CDPA-compliant.

The Types of Personal Data You Process

This clause describes what personal data you collect and process, such as names, addresses, browser information, and financial and health information.

Indiana University's Privacy Policy lists the types of information it collects and uses, including academic history, video images, contact information, and IP addresses:

Your Reasons for Processing Personal Data

This clause explains why you are processing consumers' personal data. Common reasons for processing personal data include to improve the customer experience, to contact consumers, to process and ship orders, and for marketing purposes.

The Indianapolis Motor Speedway's Privacy Policy explains how it uses the data it collects, including to respond to requests and for advertising purposes. It also informs consumers that they can opt out of receiving promotional materials or request that it refrain from sharing their data with third parties:

How Consumers Can Exercise Their Rights

You will need to explain how consumers can exercise their rights, including how to appeal your decisions regarding their requests.

You will also need to inform consumers if you sell their personal data or use it for targeted advertising, and provide them with a way to opt out.

One of the most efficient ways to do this is to provide a link within your Privacy Policy to an email address or an online form that consumers can use to contact you with requests or to opt out.

Koch Industries' Privacy Policy lists consumers rights and lets them know how they can contact the company with any requests. It also includes a link for opting out of targeted advertising and a link for appealing request decisions:

What Third Parties You Share Personal Data With

You should inform consumers of the third parties you share their information with, and your reasons for sharing their personal data.

Corteva's Privacy Policy lists the third parties it shares personal data with, including its parent company, affiliates, service providers, and business partners. It describes its reasons for disclosing the data it collects to third parties, including to facilitate services and for marketing purposes:

What are the Penalties for Not Complying With the Indiana Consumer Data Protection Act (CDPA)?

The attorney general is the regulating body responsible for enforcing the Indiana Consumer Data Protection Act (CDPA).

Before taking any actions against an organization suspected to be in violation of the Indiana CDPA, the attorney general will provide it with a 30 days written notice that describes the alleged violation.

The organization then has 30 days to cure the violation and send the attorney general written notification that the violation has been cured.

If the organization does not cure the violation, the attorney general can then take action against it.

If you are found to be in violation of the law, you can face fines of up to $7,500 per violation.

Chapter 10, Section 2 of the Indiana CDPA explains that the attorney general is authorized to take action and charge penalties of up to $7,500 per violation of the law:

Summary

The CDPA is Indiana's data protection law. It gives Indiana residents rights concerning their personal data and outlines how applicable organizations must handle the personal information they collect and process.

The Indiana CDPA applies to organizations that do business in the state of Indiana or offer goods or services to Indiana residents and:

• Control or process the personal data of at least 100,000 Indiana residents, or
• Control or process personal data of at least 25,000 Indiana residents and
• Obtain more than half their gross revenue from selling personal data

To comply with the Indiana Consumer Data Protection Act (CDPA) you should:

• Get consent before collecting or processing consumers' sensitive personal data
• Only collect personal data that is necessary for the purposes you have disclosed to consumers
• Keep the data you collect secure
• Respond to consumer requests
• Provide a way for consumers to opt out of the sale of their personal data or the processing of their personal data for targeted advertising purposes
• Conduct regular data protection impact assessments for certain processing activities (from January 1st, 2026 onward)
• Maintain a clearly written and regularly updated Privacy Policy

To comply with the Indiana Consumer Data Protection Act (CDPA), your Privacy Policy should contain the following clauses:

• What kind of personal data you collect
• Why you process consumers' personal data
• How consumers can exercise their rights (including opting out)
• What types of personal data you share with third parties
• What third parties you share personal data with

The attorney general can charge a civil penalty of up to $7,500 per violation of the Indiana CDPA if violations are not addressed within a 30 day window.