Indiana Consumer Data Protection Act: Compliance Requirements and Implementation

Indiana's privacy law is live. Residents can access, correct, delete their data and opt out of sales. Another state to add to your compliance checklist alongside Virginia, Colorado, Connecticut, and the rest.

The Indiana Consumer Data Protection Act (CDPA) establishes privacy rights for Indiana residents and obligations for organizations processing their personal data. Effective January 1, 2026, the CDPA follows the pattern of state privacy laws enacted in Virginia, Colorado, Connecticut, and Utah, creating compliance requirements that organizations serving Indiana consumers must address. If you are affected, begin compliance preparation to meet the January 2026 effective date.

Scope and applicability

The Indiana CDPA applies to organizations conducting business in Indiana or producing products or services targeted to Indiana residents that process personal data of at least 100,000 Indiana consumers, or process personal data of at least 25,000 Indiana consumers and derive more than 50% of gross revenue from the sale of personal data.

Exemptions exclude certain entities and data types from CDPA coverage. Financial institutions subject to the Gramm-Leach-Bliley Act, covered entities under HIPAA, nonprofit organizations, and higher education institutions receive exemptions. Data processed under GLBA, HIPAA, FERPA, and certain other federal frameworks is also exempt. If you are affected, assess which portions of your data processing activities fall within CDPA scope.

Personal data is defined broadly to include information linked or reasonably linkable to an identified or identifiable individual. Publicly available information and de-identified data that cannot reasonably be linked to an individual are excluded from the personal data definition. If you are affected, evaluate your data classifications against CDPA definitions to identify covered data.

Consumer rights under the CDPA

Indiana consumers have rights to access, correct, delete, and obtain copies of their personal data. Organizations must provide mechanisms enabling consumers to exercise these rights and must respond to verified requests within specified timelines. Response processes should be documented and tested before the law becomes effective.

The right to opt out of personal data sales requires that organizations provide clear mechanisms for consumers to decline data sales. Organizations that sell personal data must honor opt-out requests and ensure that downstream recipients respect consumer preferences. Sale definitions and opt-out requirements should be analyzed against organizational data sharing practices.

The right to opt out of targeted advertising enables consumers to prevent use of their personal data for personalized advertising based on their activities across different businesses. Organizations using personal data for targeted advertising must provide opt-out mechanisms and respect consumer choices. Advertising technology configurations should be reviewed for compliance capability.

Appeal rights enable consumers to challenge decisions denying their data subject requests. Organizations must provide appeal mechanisms and respond to appeals within reasonable timelines. Appeal processes should be documented and staff trained on appropriate handling.

Controller obligations

Organizations acting as data controllers under the CDPA must implement privacy notices explaining data collection, processing, and sharing practices. Notices must describe the categories of personal data processed, purposes for processing, consumer rights, and how to exercise those rights. Notice requirements should be assessed against current privacy disclosures.

Purpose limitation requires that personal data be collected and processed only for disclosed purposes. If you are affected, document processing purposes and implement controls preventing use of personal data beyond disclosed purposes. Data governance processes should enforce purpose limitation consistently.

Data minimization requires that personal data collection be limited to what is reasonably necessary for disclosed purposes. If you are affected, evaluate data collection practices and eliminate unnecessary data collection. Minimization assessments should be documented to show compliance.

Security requirements obligate controllers to implement reasonable administrative, technical, and physical security measures protecting personal data. Security programs should be assessed against CDPA requirements and improved where gaps are identified. Security documentation supports compliance demonstration.

Data processing agreements

Controllers must establish written agreements with processors that govern personal data processing. Agreements must address processing instructions, confidentiality obligations, security requirements, subprocessor restrictions, and cooperation with data subject requests. Existing processor agreements should be reviewed and amended as necessary.

Processor obligations under agreements include processing personal data only according to controller instructions, implementing appropriate security measures, notifying controllers of data breaches, and supporting controllers in responding to data subject requests. Processors should assess their capabilities against expected contractual requirements.

Subprocessor engagement requires controller approval and must be governed by written agreements imposing equivalent obligations. Organizations acting as processors should review subprocessor relationships and ensure appropriate agreements are in place. Controller notification procedures for subprocessor changes should be established.

Sensitive data requirements

Processing of sensitive data categories requires consumer consent under the CDPA. Sensitive data includes racial or ethnic origin, religious beliefs, health information, genetic or biometric data, precise geolocation, and data concerning sexual orientation. Organizations processing sensitive data must obtain consent and document consent mechanisms.

Consent requirements specify that consent must be freely given, specific, informed, and unambiguous. Pre-checked boxes and bundled consent are generally not acceptable. If you are affected, review consent mechanisms for sensitive data processing and implement compliant consent flows.

Children's data receives heightened protection. Processing personal data of children under 13 requires parental consent. Organizations processing children's data should implement age verification and parental consent mechanisms compliant with CDPA and COPPA requirements.

Data protection assessments

Organizations must conduct data protection assessments for processing activities presenting heightened risks to consumers. Assessment-required activities include targeted advertising, personal data sales, processing sensitive data, and profiling that presents reasonably foreseeable risks. Assessment requirements should be integrated into data governance processes.

Assessment content should evaluate processing purposes, data categories involved, risks to consumers, and safeguards mitigating identified risks. Assessments should document the balancing of organizational interests against consumer privacy risks. Assessment records should be maintained to show compliance.

Assessment timing requires that assessments be conducted before starting covered processing activities. If you are affected, establish processes that trigger assessment requirements when new processing activities are proposed. Retroactive assessments should be conducted for existing covered activities.

Enforcement and penalties

The Indiana Attorney General has exclusive enforcement authority under the CDPA. The law provides for a 30-day cure period before enforcement action, allowing organizations to remedy violations after receiving notice. Cure period availability emphasizes the importance of responsive compliance capabilities.

Civil penalties of up to $7,500 per violation may be assessed for violations that are not cured within the cure period. Enforcement actions may also seek injunctive relief and attorney's fees. Potential penalty exposure should inform compliance investment prioritization.

No private right of action exists under the CDPA. Consumers cannot sue organizations directly for CDPA violations. However, Attorney General enforcement and reputational risks provide meaningful compliance incentives even without private litigation exposure.

  • Assess organizational data processing activities against CDPA scope and exemption provisions.
  • Inventory personal data collection, processing, and sharing practices involving Indiana consumers.
  • Implement or improve data subject request mechanisms for access, correction, deletion, and opt-out rights.
  • Review and update privacy notices to meet CDPA disclosure requirements.
  • Evaluate data processing agreements with vendors and implement required contractual provisions.
  • Assess sensitive data processing and implement consent mechanisms where required.
  • Conduct data protection assessments for high-risk processing activities.
  • Train staff on CDPA requirements and data subject request handling procedures.

Assessment

The Indiana CDPA follows established patterns from other state privacy laws, enabling organizations with existing state privacy compliance programs to extend those programs to cover Indiana requirements. Organizations that have implemented Virginia CDPA or Colorado Privacy Act compliance will find Indiana requirements familiar, though specific requirements should be reviewed for any variations.

The January 2026 effective date provides adequate preparation time for organizations that begin compliance efforts now. Organizations that delay may find the preparation timeline compressed, particularly if compliance requires significant process or technology changes. Early assessment enables informed planning and resource allocation.

We recommend that organizations develop unified state privacy compliance frameworks rather than implementing separate programs for each state. Common requirements across state laws can be addressed through consolidated compliance capabilities, with state-specific variations handled through configuration rather than separate setups. Unified approaches reduce compliance costs and improve consistency.
