Guide · 12 min read · April 22, 2026

Indiana INCDPA Compliance Guide for E-Commerce Businesses

Indiana's INCDPA: What E-Commerce Owners Need to Know

Indiana joined the wave of state privacy legislation in 2024 with the Indiana Consumer Data Protection Act (INCDPA). For e-commerce businesses, this law isn't optional—it's a legal requirement that affects how you collect, use, and protect customer data.

Unlike the headline-grabbing California Consumer Privacy Act (CCPA), Indiana's law is more straightforward and less aggressive. But "simpler" doesn't mean you can ignore it. Violations carry real penalties, and the cure periods are tight.

This guide breaks down what you need to know to stay compliant.

Who Does the INCDPA Apply To?

Not every business operating in Indiana is covered by the INCDPA. The law has specific thresholds based on business size and data collection volume.

Applicability Thresholds

The INCDPA applies to for-profit entities that collect or maintain personal data of Indiana residents and meet at least one of these criteria:

Threshold                  Details
Annual Revenue             $1 million or more in annual revenue
Data Volume                Collect/maintain data of 100,000+ Indiana residents or households
Data as Primary Business   Derive 20%+ of revenue from selling or sharing personal data

If your e-commerce store generates $1 million+ annually, you're covered—even if you're not headquartered in Indiana.

Who's Exempt?

Certain entities are carved out:

  • Financial institutions regulated by the Federal Trade Commission (FTC) under GLBA
  • Health care entities covered by HIPAA
  • Nonprofits
  • Government agencies
  • Businesses collecting data solely for compliance with law or court order

If you're unsure whether you qualify for an exemption, consult an attorney.

Consumer Rights Under Indiana Privacy Law

The INCDPA gives consumers four core rights. Your job is to honor them.

1. Right to Know

Consumers can request what personal data you collect about them, the sources of that data, and how you use it. You must provide this in a clear, understandable format within 45 days of a verifiable request.

2. Right to Delete

Consumers can request deletion of their personal data (with limited exceptions). You have 45 days to comply or explain why deletion isn't possible—for instance, if you need the data for legal obligations or fraud prevention.

3. Right to Opt Out of Sales and Sharing

Consumers can opt out of:

  • Sales of personal data (defined broadly to include any monetary transaction)
  • Sharing for behavioral targeting and profiling

You must honor opt-out requests within 45 days.

4. Right to Appeal

If you deny a consumer request, they can appeal your decision. You must respond to appeals within 45 days.

Consumers can submit these requests directly or through an authorized agent or privacy broker.

What the INCDPA Requires of Your Business

Compliance isn't just about responding to requests. You need policies, systems, and practices in place before requests arrive.

Privacy Notice Requirement

You must provide a clear, conspicuous privacy notice that discloses:

  • Categories of personal data you collect
  • Purpose of collection and use
  • How long you retain data
  • Consumer rights under the INCDPA
  • How consumers can exercise those rights (e.g., contact info, web form)
  • Whether you sell or share data for behavioral targeting

The notice should be accessible from your homepage and before data collection occurs.

Data Security and Risk Assessments

The law requires:

  • Reasonable safeguards for personal data (encryption, access controls, employee training)
  • Data minimization (collect only what you need)
  • Risk assessments when processing personal data for targeted advertising or profiling

You don't need military-grade security, but you do need a documented, reasonable approach.

Opt-Out Mechanisms

You must provide clear, easy ways for consumers to opt out:

  • A clickable link in your privacy notice labeled "Do Not Sell or Share My Personal Data" or "Opt Out of Sales"
  • An email address or online form for opt-out requests
  • Respect for Global Privacy Control (GPC) signals if you process them

Honoring opt-outs means stopping the sale or sharing of that consumer's data within 45 days.
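As an added example (not code from this article or from BriefStack), the following Python sketch shows the two mechanical pieces of the opt-out and request-handling sections: recognizing a Global Privacy Control signal (the Sec-GPC: 1 request header) and computing the 45-day response deadline. The registry, header values and consumer ids are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

RESPONSE_WINDOW_DAYS = 45  # INCDPA response window for requests and opt-outs


def gpc_signal_present(headers):
    """True when the browser sent the Global Privacy Control header (Sec-GPC: 1).
    Header names match case-insensitively; only the exact value "1" is a signal."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def response_deadline(received_iso):
    """Last day to act on a request received on the given ISO date (45 days later)."""
    received = date.fromisoformat(received_iso)
    return (received + timedelta(days=RESPONSE_WINDOW_DAYS)).isoformat()


@dataclass
class OptOutRegistry:
    """Minimal stand-in for a store's opt-out table (constructed for this example)."""
    opted_out: dict = field(default_factory=dict)  # consumer_id -> (source, ISO date)

    def record(self, consumer_id, source, when_iso):
        # First opt-out wins: a later request without a signal never reverses it
        self.opted_out.setdefault(consumer_id, (source, when_iso))

    def may_sell_or_share(self, consumer_id):
        return consumer_id not in self.opted_out


def handle_request(headers, consumer_id, registry, today_iso):
    """Record a GPC opt-out on the request that carries it, then return whether
    this consumer's data may still be sold or shared for behavioral targeting."""
    if gpc_signal_present(headers):
        registry.record(consumer_id, "gpc", today_iso)
    return registry.may_sell_or_share(consumer_id)


if __name__ == "__main__":
    reg = OptOutRegistry()
    # Constructed sample headers: a browser with GPC enabled, then one without
    print(handle_request({"Sec-GPC": "1"}, "cust-42", reg, "2026-01-01"))  # False
    print(handle_request({}, "cust-42", reg, "2026-01-05"))                # False
    print(response_deadline("2026-01-01"))                                  # 2026-02-15
```

Persisting the registry and tying it to the consumer's account rather than a single browser is what makes the opt-out stick across sessions.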

Service Provider Agreements

If you use third-party vendors (email platforms, analytics tools, payment processors), you must have written contracts that:

  • Limit their use of personal data to providing services
  • Prohibit them from selling or sharing data
  • Require them to implement reasonable safeguards

You're not liable for their violations if the contract is in place—but you are responsible for choosing vendors wisely.

Penalties for Non-Compliance

Indiana takes violations seriously. Here's what you're facing:

Violation Type               Penalty                     Enforcer
Per-violation civil penalty  Up to $1,000 per violation  Indiana Attorney General
Pattern or practice          Up to $5,000 per violation  Indiana Attorney General
Consumer statutory damages   $100–$750 per incident      Private right of action

The Attorney General enforces the law and can seek civil penalties. Individual consumers can sue for statutory damages if you knowingly or recklessly violate the law (not just any violation—there's a knowledge threshold).

Unlike some state laws, there's no right of action for ordinary negligence—only intentional or reckless conduct.

The Cure Period: Your Safety Net

Here's the good news: Indiana includes a 30-day cure period.

If the Attorney General notifies you of a violation, you have 30 days to:

  1. Cure the violation
  2. File a written statement explaining your remedial actions
  3. Provide proof of compliance

If you fix it within 30 days and demonstrate good faith, the Attorney General can opt not to pursue penalties. This is your lifeline—take it seriously.

Practical Compliance Steps for E-Commerce Businesses

Here's a roadmap to get compliant:

Step 1: Audit Your Data Practices (Week 1–2)

Document:

  • What personal data you collect (names, emails, purchase history, IP addresses, etc.)
  • How long you keep it
  • Who you share it with (email providers, advertisers, analytics)
  • Whether you're selling or sharing data for behavioral targeting

Step 2: Draft or Update Your Privacy Notice (Week 2–3)

Write a clear, consumer-friendly privacy notice covering:

  • Categories of data collected
  • Purposes and retention periods
  • Consumer rights and how to exercise them
  • Whether you sell/share data

Post it on your website before collection. Get it reviewed by an attorney.

Step 3: Build Opt-Out Mechanisms (Week 3–4)

Implement:

  • A "Do Not Sell My Personal Data" link in your footer
  • A web form or email contact for requests
  • A process to track and honor opt-outs
  • A system to log consumer requests and your responses

Step 4: Update Service Provider Contracts (Week 4–5)

Review agreements with vendors. Add clauses that:

  • Limit data use to providing services
  • Prohibit selling/sharing data
  • Require reasonable security

Step 5: Implement Security Measures (Week 5–6)

  • Encrypt sensitive data in transit and at rest
  • Limit employee access to customer data
  • Train staff on privacy and data handling
  • Conduct a risk assessment for behavioral targeting activities

Step 6: Build Request-Handling Processes (Week 6–7)

Create systems to:

  • Receive consumer requests (web form, email)
  • Verify identity
  • Retrieve data within 45 days
  • Delete data or explain exceptions
  • Document everything

Step 7: Monitor and Update (Ongoing)

  • Review privacy practices annually
  • Update notices if your data practices change
  • Train new employees on privacy
  • Subscribe to regulatory updates

Key Dates and Deadlines

Milestone                  Date
Law Effective Date         January 1, 2025
Enforcement Begins         January 1, 2025
Consumer Request Deadline  45 days from valid request
Cure Period (if notified)  30 days to remedy

Common Mistakes to Avoid

Ignoring the law because you're small. If you hit the $1M revenue threshold, you're covered. Size doesn't exempt you.

Hiding your privacy notice. Make it conspicuous and accessible. Bury it in a footer and you're asking for trouble.

Ignoring opt-out requests. Track every request, honor deadlines, and document your actions.

Assuming your vendors are compliant. You're responsible for their practices. Vet them and get contracts in writing.

Delaying security measures. A data breach triggers lawsuits and regulatory scrutiny. Invest in basics: encryption, access controls, employee training.

The Bottom Line

The INCDPA is more balanced than California's CCPA, but it's not a free pass. For most e-commerce businesses doing $1M+ annually, compliance is non-negotiable.

The good news: the law is clear, the cure period exists, and the compliance steps are manageable if you act now. Start with a data audit, build your privacy notice, and implement request-handling systems. Get legal review where it matters.

Investment now prevents penalties, lawsuits, and reputational damage later.



Disclaimer

This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business. Privacy laws are complex and evolving; professional legal counsel is essential for full compliance.
