← Back to all briefings
Policy 5 min read Published Updated Credibility 50/100

Policy Briefing — August 15, 2025

Indiana’s Consumer Data Protection Act will be enforceable on January 1, 2026, putting the final compliance quarter on the clock for businesses targeting Hoosier consumers.

Zeph Tech Research Lead

Research lead, Zeph Tech

Timeline plotting source publication cadence sized by credibility.
3 publication timestamps supporting this briefing. Source data (JSON)

Executive briefing: Indiana Senate Enrolled Act 5 (SEA 5) takes effect on January 1, 2026, creating comprehensive consumer privacy rights enforced by the Attorney General. Controllers meeting the 100,000-resident threshold—or 25,000 with at least 50 percent revenue from data sales—must honour access, correction, deletion, and portability requests within 45 days, publish clear privacy notices, and conduct data protection assessments for profiling, targeted advertising, and processing of sensitive personal data.

Key policy checkpoints

  • Transparency updates. Ensure privacy notices list processing purposes, categories of data shared with third parties, and appeal mechanisms as required by SEA 5 Section 8.
  • Universal opt-out. Implement mechanisms to recognise browser-based opt-out signals for targeted advertising and data sales.
  • Sensitive data governance. Require consent before processing precise geolocation, biometric, or children’s data, and maintain revocation handling.

Operational priorities

  • Request fulfilment. Build workflows to authenticate consumers, respond within statutory timelines, and log appeals for Attorney General review.
  • Assessment backlog. Prioritise data protection assessments for AI-driven profiling or automated decision-making that could materially affect consumers.
  • Vendor oversight. Amend processor contracts to include deletion assistance, sub-processor disclosures, and compliance attestations.

Enablement moves

  • Train frontline teams on Indiana-specific definitions—such as “targeted advertising” and “sale” of personal data—to avoid inconsistent interpretations.
  • Align Indiana readiness with neighbouring state requirements (Kentucky, Ohio) to streamline Midwest compliance operations.

Sources

Zeph Tech compresses Indiana privacy readiness into a single dashboard, aligning policy updates, consent engineering, and request handling playbooks.

Timeline plotting source publication cadence sized by credibility.
3 publication timestamps supporting this briefing. Source data (JSON)
Horizontal bar chart of credibility scores per cited source.
Credibility scores for every source cited in this briefing. Source data (JSON)

Related briefings

Curated signals from the same pillar or overlapping topics.

Continue in the Policy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

  • Indiana Consumer Data Protection Act
  • State privacy laws
  • Consumer rights
  • Attorney General enforcement
Back to curated briefings