Indiana Joins the US State Privacy Wave

Indiana became the seventh US state to pass a comprehensive consumer data privacy law when Governor Eric Holcomb signed Senate Bill 5 on 1 May 2023. The law, codified as Indiana Code Title 24, Article 15, took effect on 1 January 2026 - giving businesses roughly two and a half years to prepare.

The ICDPA follows the opt-out model established by Virginia's VCDPA, rather than the opt-in approach used under GDPR. For most personal data processing, explicit consent is not required upfront. Consumers must instead be given the ability to opt out of specific activities.

Indiana's Attorney General released a Consumer Data Protection Bill of Rights ahead of the effective date, summarising key obligations for businesses and rights for residents.

Which Businesses Does the ICDPA Apply To?

The ICDPA applies to for-profit entities that conduct business in Indiana or produce products and services targeting Indiana residents. Two processing thresholds determine applicability during a calendar year:

  • Control or process the personal data of at least 100,000 Indiana residents; or
  • Control or process the personal data of at least 25,000 Indiana residents and derive more than 50% of gross revenue from selling personal data.

These thresholds mirror the Virginia model closely. Compared to the Texas TDPSA, which has no revenue or processing threshold, Indiana's law is narrower in scope. Small businesses with limited Indiana traffic are unlikely to meet either threshold.

Several categories of organisation are exempt: nonprofits, utility companies, banks, entities subject to HIPAA or the Gramm-Leach-Bliley Act, higher education institutions, and state political subdivisions.

Consumer Rights Under the ICDPA

Indiana residents gained five core rights on 1 January 2026:

| Right | Description | Response Deadline |
|---|---|---|
| Access | Confirm whether a controller processes their data and obtain a copy | 45 days |
| Correction | Request correction of inaccurate personal data the consumer provided | 45 days |
| Deletion | Request deletion of personal data provided by or obtained about the consumer | 45 days |
| Data portability | Obtain a copy or representative summary of personal data in a usable format | 45 days |
| Opt-out | Opt out of targeted advertising, sale of personal data, or profiling | 45 days |

Controllers may extend the response period by an additional 45 days when reasonably necessary, provided the consumer receives notice and an explanation for the delay. Consumers also have the right to appeal a controller's refusal.

The opt-out right is the most relevant for website operators running analytics, advertising pixels, or remarketing campaigns. If your site processes Indiana residents' data for targeted advertising, you must provide a mechanism for them to refuse that processing.

Sensitive Data Requires Opt-In Consent

The ICDPA draws a clear line between general personal data (opt-out) and sensitive data (opt-in). Processing sensitive data without the consumer's prior consent is prohibited.

Indiana defines sensitive data as:

  • Race or ethnicity
  • Religious beliefs
  • Mental or physical health diagnosis made by a healthcare provider
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic data
  • Biometric data used to identify an individual
  • Precise geolocation data
  • Personal data collected from a known child under the age of 13

The health data definition is notably narrow. It covers only diagnoses made by a healthcare provider, not broader health-related information such as fitness tracker data or symptom searches. This differs from states like Connecticut and Oregon, which use wider definitions of health data.

For websites, sensitive data handling matters most when precise geolocation or data about children under 13 is involved. If your site collects either category, you must obtain explicit opt-in consent before processing.

Controller Obligations: Privacy Notices and Data Protection Assessments

The ICDPA requires controllers to place a clearly marked privacy notice or data-rights link in a prominent location on their website. The notice must cover data practices, categories of personal data processed, the purposes of processing, and how consumers can exercise their rights.

Data minimisation applies. Controllers must limit collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes. Collecting data speculatively - gathering everything and deciding its use later - does not satisfy this requirement.

Controllers must also conduct data protection impact assessments (DPIAs) for higher-risk processing activities, including:

  • Targeted advertising
  • Sale of personal data
  • Profiling that presents a reasonably foreseeable risk of harm
  • Processing of sensitive data

If your site runs Google Analytics 4 or advertising pixels that profile Indiana visitors, a DPIA covering those activities is advisable.

How the ICDPA Compares to Other 2026 State Laws

Indiana was not the only state with a privacy law taking effect on 1 January 2026. Kentucky and Rhode Island went live on the same date, creating a cluster of new obligations for businesses operating across multiple states.

Key differences between the three:

| Feature | Indiana (ICDPA) | Kentucky (KCDPA) | Rhode Island |
|---|---|---|---|
| Processing threshold | 100,000 residents or 25,000 + 50% revenue | 100,000 residents or 25,000 + 50% revenue | Applies broadly; no minimum threshold |
| Consent model | Opt-out (opt-in for sensitive data) | Opt-out (opt-in for sensitive data) | Opt-out with transparency requirements |
| Cure period | 30 days | 30 days | None specified |
| Enforcement | Attorney General only | Attorney General only | Attorney General only |
| Max civil penalty | $7,500 per violation | $7,500 per violation | $10,000 per violation |
| GPC/universal opt-out signal | Not required | Not required | Not required |

For a broader view across all active state frameworks, the US state privacy laws comparison covers thresholds, opt-out requirements, and enforcement mechanisms side by side.

Enforcement: The Attorney General and the 30-Day Cure Period

The Indiana Attorney General holds exclusive enforcement authority over the ICDPA. There is no private right of action - consumers cannot sue businesses directly for violations.

Before taking enforcement action, the Attorney General must provide a 30-day written notice identifying the specific provisions allegedly violated. The business then has 30 days to cure the violation. If the business fails to remedy the issue, the Attorney General may seek injunctive relief and civil penalties of up to $7,500 per violation.

The cure period is a significant feature. Several newer state privacy laws have removed or plan to sunset their cure provisions. Indiana's cure period has no expiry date, making it comparatively forgiving for businesses making good-faith compliance efforts.

Consumers who believe a business has violated the ICDPA can submit complaints directly to the Indiana Attorney General's office, including through an online portal.

What Website Owners Should Do Now

The law is already in effect. If your website meets either processing threshold, these steps are worth prioritising:

  1. Audit your data collection. Identify what personal data your site gathers from Indiana residents, including through cookies, pixels, and embedded scripts.
  2. Update your privacy notice. Ensure it lists the categories of data collected, purposes, consumer rights under the ICDPA, and a method for exercising those rights.
  3. Add opt-out mechanisms. Provide a clear way for visitors to opt out of targeted advertising and data sales. A properly configured cookie banner with granular category controls can serve this function.
  4. Review sensitive data handling. If your site collects precise geolocation or data from children under 13, implement opt-in consent flows before that processing begins.
  5. Conduct DPIAs. Document risk assessments for any processing activity involving targeted advertising, profiling, or sensitive data.
  6. Establish a response process. Build or adapt a workflow to handle consumer rights requests within the 45-day window.

Frequently Asked Questions

Does the ICDPA apply to small businesses?

Only if the business meets one of two thresholds: processing data of 100,000 or more Indiana residents, or processing data of 25,000 or more Indiana residents while deriving over 50% of gross revenue from data sales. Most small businesses fall below these thresholds.

Do I need cookie consent for Indiana visitors?

The ICDPA does not require prior opt-in consent for standard cookies. It does require that visitors can opt out of targeted advertising and data sales. If your cookies support those activities, you need an opt-out mechanism.

What counts as sensitive data under the ICDPA?

Race, ethnicity, religious beliefs, health diagnoses from a healthcare provider, sexual orientation, citizenship or immigration status, genetic data, biometric data, precise geolocation, and data from known children under 13.

Is there a private right of action under the ICDPA?

No. Only the Indiana Attorney General can enforce the ICDPA. Consumers may file complaints with the Attorney General's office but cannot bring private lawsuits.

Does Indiana require recognition of Global Privacy Control signals?

No. Unlike Colorado and several other states, Indiana does not mandate that businesses honour Global Privacy Control or other universal opt-out signals.

What is the penalty for violating the ICDPA?

The Attorney General can seek up to $7,500 in civil penalties per violation, plus injunctive relief. A mandatory 30-day cure period applies before any enforcement action.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets or whether your opt-out mechanisms cover Indiana's requirements, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
