IN · INCDPA

Indiana Consumer Data Protection Act

Applies to businesses processing personal data of 100,000+ Indiana residents, or 25,000+ if you derive 50%+ of revenue from selling personal data. Effective January 1, 2026.

Effective: 2026-01-01
Penalty max: $7,500
Cure period: 30 days
Honor GPC: Not required

Overview

The Indiana Consumer Data Protection Act (INCDPA) took effect January 1, 2026. Indiana's law is closely modeled on Virginia's VCDPA, with a permanent 30-day cure period and a standard set of consumer rights including access, correction, deletion, portability, and opt-out from sales, targeted advertising, and profiling. Indiana does not require honoring browser-level Global Privacy Control (GPC) signals — but you must provide an in-product opt-out mechanism. Data protection assessments are required for high-risk processing.

Who it applies to

  • Businesses processing personal data of 100,000+ Indiana residents annually.
  • Businesses processing personal data of 25,000+ Indiana residents AND deriving 50%+ of revenue from selling personal data.

Consumer rights

Right to access
Consumers can request a copy of the personal data you hold about them.
Right to correction
Consumers can request you correct inaccurate personal data.
Right to deletion
Consumers can request you delete their personal data, subject to limited exceptions.
Right to portability
Consumers can request a machine-readable copy of their data to transfer elsewhere.
Right to opt out of sale
Consumers can opt out of the sale of their personal data to third parties.
Right to opt out of targeted advertising
Consumers can opt out of personalized ad targeting based on their behavior.
Right to opt out of profiling
Consumers can opt out of automated profiling for decisions with legal or similarly significant effects.

What this means for e-commerce

Indiana's law took effect January 1, 2026, making it one of the newest comprehensive state privacy laws in the country. It is structurally very similar to Virginia's VCDPA: a permanent 30-day cure period and no GPC requirement, but full consumer rights including correction and profiling opt-out. Enforcement guidance from the Indiana AG is still developing.

Penalties & enforcement

Enforced by the Indiana Attorney General. Penalties range from $0 to $7,500 per violation.

Indiana provides a 30-day cure period (permanent). The AG must give you written notice of an alleged violation and time to fix it before bringing an enforcement action.

Compliance checklist

  • Add an opt-out link for targeted advertising and data sales in your site footer
  • Update privacy policy with INCDPA-required disclosures
  • Implement a 45-day consumer request response process
  • Conduct data protection assessments for high-risk processing
  • Obtain opt-in consent before processing sensitive personal data
  • Update vendor and processor agreements with INCDPA-required terms

BriefStack is for informational purposes only and does not constitute legal advice. For decisions specific to your business, consult a qualified attorney.