Indiana has become the seventh U.S. state to pass its own data privacy law. Like the other state laws (with the exception of California’s CCPA), it is closely modeled on the Virginia Consumer Data Protection Act. However, like other state laws, it is not quite identical to any its counterparts.

Here is a quick introduction to the major components of Indiana’s privacy law.

When Does It Go Into Effect?

Indiana’s privacy law will go into effect on January 1, 2026, giving businesses plenty of time to prepare.

What Businesses Must Comply?

For-profit businesses must comply with the Indiana law if they do business in the state (or target Indiana residents for their products/services), and meet at least one of the following conditions:

1. Control or process the personal data of at least 100,000 Indiana residents per year, OR
2. Control or process the personal data of at least 25,000 Indiana residents per year AND derive more than 50% of gross revenue from the sale of personal data

What Rights Do Consumers Have Under the Indiana Law?

Indiana consumers now have the following privacy rights:

• Right to Know - Consumers have the right to confirm whether a business is processing their personal data and, if so, to access that data.

• Right to Delete - Upon request, businesses must delete personal data provided by or obtained about the consumer.

• Right to Portability - Upon request, businesses must provide either a copy or a representative summary of the consumer’s personal data in a readily portable format so that it can be transmitted to another controller.

• Right to Opt Out - Consumers can opt out of:
  • Targeted advertising
  • The sale of their personal data
  • Profiling in furtherance of automated decision-making that produces legal or similarly significant for the consume

What Is “Personal Data”?

Indiana’s definition of personal data mirrors that of other privacy laws, and includes all information that is “linked or reasonably linkable to an identified or identifiable individual.” This covers everything from IP addresses to shopping habits.

Personal data does not include: de-identified data, aggregate data, and publicly available information.

Are Data Protection Impact Assessments Required?

As is the case with several other states, Indiana’s privacy law requires businesses to perform data protection impact assessments for certain types of processing activities. A DPIA is required for:

• Targeted advertising
• Sale of personal data
• Profiling of consumers, where it presents a foreseeable risk of harm
• Processing of sensitive personal data
• Any other processing activity that presents a heightened risk of harm to consumers

These assessments must weigh the benefits of a particular processing activity against any potential risks to the consumer, and consider any mitigating safeguards that might be employed.

How Much Do Violations Cost?

Each violation of the Indiana privacy law is punishable by civil penalties of up to $7,500, plus payment of the Attorney General’s expenses in investigating and prosecuting the case.

Can Businesses Be Sued by Consumers?

The Indiana privacy law does not grant a private right of action to consumers, meaning they cannot sue a business over alleged violations.