Policy Briefing — Indiana consumer data protection enforcement enters first post-launch quarter

Executive briefing: Indiana Senate Enrolled Act 5 (2023) took effect on 1 January 2026, granting the Attorney General enforcement authority over consumer data rights. With the initial quarter complete, organisations must evidence that opt-out controls, appeal processes, and assessment logs meet the statute’s requirements before the Attorney General moves beyond the 30-day cure period.

Mandatory deliverables

Consumer request fulfilment. Section 24-15-3-1 mandates responses to access, deletion, correction, and portability requests within 45 days, including secure delivery mechanisms.
Opt-out orchestration. Section 24-15-3-2 requires honouring opt-outs from targeted advertising, sale of personal data, and profiling in decisions producing legal or similarly significant effects.
Data protection assessments. Section 24-15-3-3 compels written assessments for targeted advertising, profiling, sale of personal data, and processing of sensitive data, retained for Attorney General review.

Program actions

Lifecycle audits. Review subject request tickets from the first quarter to confirm timeliness, authentication, and remediation of root-cause delays.
Signal alignment. Ensure global privacy control signals, cookie banners, and loyalty programme workflows route through the same opt-out orchestration layer to avoid inconsistent treatment.
Assessment governance. Catalogue Indiana-focused data protection assessments, linking each to risk owners, mitigation steps, and review cadences that align with enterprise privacy impact assessment programs.

Enablement moves

Harmonise Indiana artefacts with Virginia, Colorado, and Connecticut privacy regimes to streamline multi-state attestations.
Update vendor contracts to propagate Indiana obligations, including audit cooperation and deletion support, for processors handling Hoosier resident data.

Mandatory deliverables

Program actions

Enablement moves

Sources