Privacy Laws in Indiana: What You Need to Know

Indiana became one of the latest states to enact comprehensive consumer privacy legislation with the Indiana Consumer Data Protection Act. The INCDPA took effect on January 1, 2026, giving Hoosiers new rights over their personal data and placing obligations on businesses that collect and sell that information. Here is what Indiana residents need to know about their privacy rights under this new law.

The Indiana Consumer Data Protection Act (INCDPA)

The INCDPA closely tracks the Virginia Consumer Data Protection Act (VCDPA), making it one of the more business-friendly state privacy laws in the country. It establishes clear rules for how businesses must handle personal data while providing consumers with enforceable rights to control their information.

The law applies to businesses that conduct business in Indiana or produce products and services targeted at Indiana residents and meet at least one of the following thresholds:

• Process the personal data of 100,000 or more Indiana residents during a calendar year, or
• Process the personal data of 25,000 or more Indiana residents and derive more than 50% of gross revenue from the sale of personal data.

These thresholds are identical to those in Virginia's law and are higher than some other states like Delaware, which means fewer small and mid-size businesses fall under Indiana's jurisdiction. However, most major data brokers and people search sites easily meet these thresholds and are fully covered.

Your Rights Under the INCDPA

As an Indiana resident, you now have the following rights with respect to your personal data:

Right to Access

You can confirm whether a business is processing your personal data and request access to the specific data they hold about you. This includes information collected directly from you and information obtained from third-party sources like data brokers.

Right to Correct

If a business holds inaccurate personal data about you, you have the right to request that they correct it. This is particularly important for people search sites that often display outdated or wrong addresses, phone numbers, and associations.

Right to Delete

You can request that a business delete the personal data it has collected from you or about you. Limited exceptions apply for data needed to fulfill legal obligations, complete transactions, or detect security incidents.

Right to Data Portability

You can obtain a copy of your personal data in a portable, readily usable format, allowing you to transfer your information to another service without barriers.

Right to Opt Out

Indiana law gives you the right to opt out of three types of data processing:

• Targeted advertising — ads based on your personal data collected across different websites and services
• Sale of personal data — the exchange of your data for monetary consideration
• Profiling — automated processing that produces legal or similarly significant effects, such as decisions about credit, employment, or insurance

Business Obligations

The INCDPA does not just give consumers rights. It also imposes specific obligations on businesses that process Hoosiers' personal data:

Clear Privacy Notices

Businesses must provide clear, accessible privacy notices that explain what personal data they collect, why they collect it, how consumers can exercise their rights, and whether the data is shared with or sold to third parties.

Opt-In Consent for Sensitive Data

Before processing sensitive personal data, businesses must obtain your explicit opt-in consent. Sensitive data under the INCDPA includes:

• Racial or ethnic origin
• Religious beliefs
• Health diagnosis or conditions
• Sexual orientation
• Citizenship or immigration status
• Genetic or biometric data used for identification
• Personal data of known children
• Precise geolocation data

This opt-in requirement is an important safeguard. Companies cannot collect your health information, biometric scans, or your children's data without first asking for and receiving your affirmative consent.

Data Protection Impact Assessments

Businesses must conduct Data Protection Impact Assessments (DPIAs) before engaging in processing activities that present a heightened risk of harm to consumers. These assessments apply to processing for targeted advertising, data sales, profiling, and the handling of sensitive data. The assessments must weigh the benefits of processing against potential risks and must be made available to the Attorney General upon request.

The 30-Day Cure Period

One of the more business-friendly aspects of the INCDPA is its 30-day cure period. When the Attorney General identifies a potential violation, the business has 30 days to fix the issue before enforcement action is taken. If the business cures the violation within that window and provides a written statement that it will not repeat the violation, the matter is considered resolved.

This cure period is a double-edged sword. On one hand, it gives businesses a fair chance to correct mistakes. On the other, it means that companies can violate your privacy rights and face no consequences as long as they fix the problem within 30 days of being caught.

Exemptions

The INCDPA exempts certain entities and data types from its requirements:

• HIPAA-covered entities and protected health information
• Financial institutions covered by the Gramm-Leach-Bliley Act (GLBA)
• Data regulated by the Fair Credit Reporting Act (FCRA)
• Educational data covered by the Family Educational Rights and Privacy Act (FERPA)
• Data covered by the Driver's Privacy Protection Act (DPPA)
• Data covered by the Farm Credit Act (FCA)

These exemptions cover the specific data types regulated by those federal laws, not all data held by those entities. A financial institution, for example, is exempt for GLBA-covered financial data but may still be subject to the INCDPA for other personal data it processes.

How the INCDPA Compares to Other State Laws

The INCDPA is closely modeled on Virginia's VCDPA, which means it shares many characteristics with the broader wave of state privacy legislation. Key comparisons:

• Virginia (VCDPA): Nearly identical structure and thresholds. Indiana's law was intentionally designed to align with Virginia's framework.
• California (CCPA/CPRA): California's law is broader, with lower thresholds, a private right of action for data breaches, and the centralized DELETE Act. Indiana is more business-friendly.
• Iowa (ICDPA): Iowa's law is even more business-friendly than Indiana's, with a 90-day cure period and no right to correct data. Indiana provides slightly stronger consumer protections.
• Delaware (DPDPA): Delaware has lower thresholds (35,000 consumers) and will soon require recognition of Universal Opt-Out Mechanisms. Indiana does not currently require UOOMs.

How to Exercise Your INCDPA Rights

1. Search for yourself online. Look up your name on Google and on major people search sites to see what personal data is publicly available about you.
2. Submit opt-out and deletion requests. Contact each data broker directly through their privacy or opt-out pages. Reference the INCDPA in your request and note the business's obligation to respond.
3. File complaints for non-compliance. If a business ignores your request or fails to respond within the required timeframe, file a complaint with the Indiana Attorney General's Consumer Protection Division.
4. Monitor for re-listings. Data brokers routinely re-add information after removal. Check back regularly to ensure your data stays off their sites.

Let PrivacyOn Handle Your Data Removal

The INCDPA gives Indiana residents real rights over their personal data, but exercising those rights across more than 100 data broker sites is an enormous task. PrivacyOn automates the entire process, submitting opt-out requests on your behalf, monitoring for re-listings, and re-submitting removal requests whenever your data reappears. We also include dark web monitoring to alert you if your information surfaces in places no opt-out form can reach.

Indiana's privacy law provides the legal framework. PrivacyOn provides the ongoing execution. Together, they ensure your personal information stays where it belongs: with you, and no one else.