The Indiana Consumer Data Protection Act was signed in May 2023. Businesses must comply by January 1, 2026.
Indiana Privacy & Accessibility Laws
Indiana enacted the Indiana Consumer Data Protection Act (ICDPA) in 2023, making it one of the states with comprehensive consumer privacy legislation. The law takes effect January 1, 2026. Indiana state agencies must also ensure their digital services are accessible to individuals with disabilities.
→
Privacy Law Status
ICDPA Enacted
→
Accessibility Requirements
State Government Websites
Indiana state agencies must ensure websites and digital services are accessible under ADA Title II and state IT accessibility policies.
Indiana Consumer Data Protection Act (ICDPA)
The ICDPA establishes privacy rights for Indiana consumers and obligations for businesses that process personal data.
Key Dates
- Enacted: May 1, 2023
- Effective Date: January 1, 2026
- Cure Period: 30 days (permanent, not subject to sunset)
Who Must Comply?
The ICDPA applies to entities that conduct business in Indiana or target Indiana residents AND:
| Threshold | Requirement |
|---|---|
| Data Volume | Control or process personal data of 100,000+ Indiana consumers |
| Revenue + Data | Derive more than 50% of gross revenue from selling personal data AND process data of 25,000+ consumers |
Consumer Rights Under ICDPA
| Right | Description |
|---|---|
| Right to Know | Confirm whether a controller is processing personal data and access that data |
| Right to Correct | Correct inaccuracies in personal data |
| Right to Delete | Delete personal data provided by or obtained about the consumer |
| Right to Portability | Obtain a copy of personal data in a portable, readily usable format |
| Right to Opt-Out | Opt out of targeted advertising, sale of personal data, and profiling |
Sensitive Data Categories
The ICDPA requires opt-in consent for processing sensitive data, including:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric data for identification
- Personal data of known children
- Precise geolocation data
Accessibility Requirements
Indiana government agencies must ensure digital accessibility for all residents:
State Government Obligations
- Indiana state agencies must comply with ADA Title II for all public-facing digital content
- Indiana Office of Technology provides accessibility standards and guidance
- State websites must follow WCAG 2.1 Level AA guidelines
- Educational institutions must ensure accessible digital learning materials
- State IT procurement requires vendor accessibility compliance
Private Sector Considerations
- Businesses with physical locations are subject to ADA Title III
- Website accessibility claims can be brought under federal ADA
- Healthcare providers must ensure accessible patient portals
- Financial institutions must provide accessible online banking
Enforcement
→
Privacy Enforcement
- Indiana Attorney General - Exclusive enforcement authority for ICDPA
- 30-day cure period - Permanent (no sunset provision)
- No private right of action - Only AG can enforce
Contact:
Office of the Indiana Attorney General
Indiana Government Center South, 5th Floor
302 W. Washington Street
Indianapolis, IN 46204
(317) 232-6201
→
Accessibility Enforcement
- U.S. Department of Justice - ADA Title II and III enforcement
- Indiana Civil Rights Commission - State disability discrimination
- Private litigation - Federal ADA claims
Contact:
Indiana Disability Rights
4701 N. Keystone Avenue, Suite 222
Indianapolis, IN 46205
(317) 722-5555
ICDPA Penalties
| Violation Type | Maximum Penalty |
|---|---|
| Per violation (after cure period) | $7,500 per violation |
| Deceptive act | Subject to Indiana Deceptive Consumer Sales Act penalties |
| Injunctive relief | Court may order business practices to cease |
Business Obligations
| Obligation | Description |
|---|---|
| Privacy Notice | Clear notice of data categories, purposes, rights, and third-party sharing |
| Data Minimization | Limit collection to what is reasonably necessary for disclosed purposes |
| Purpose Limitation | Process data only for purposes disclosed to consumers |
| Security | Implement appropriate technical and organizational security measures |
| Sensitive Data Consent | Obtain opt-in consent before processing sensitive personal data |
| Request Response | Respond to consumer requests within 45 days (may extend 45 days) |
| Data Protection Assessments | Conduct assessments for high-risk processing activities |
Consumer Rights
Indiana residents have comprehensive privacy rights under the ICDPA:
- Right to Access: Confirm processing and access personal data
- Right to Correct: Correct inaccurate personal data
- Right to Delete: Request deletion of personal data
- Right to Portability: Receive data in portable format
- Right to Opt-Out: Opt out of targeted advertising, sales, and profiling
- Right to Non-Discrimination: Cannot be penalized for exercising rights
- Right to Appeal: Appeal controller's decision on consumer requests
Important Exemptions
The ICDPA exempts state and local governments, nonprofits, higher education institutions, HIPAA-covered entities, financial institutions under GLBA, and data regulated by FERPA, HIPAA, FCRA, or GLBA.
Related Resources
- US Privacy Laws Overview
- State Privacy Law Comparison
- ADA Title II Requirements
- All State Laws
- Privacy Compliance Guide
- Report a Violation
Need Help with Indiana Compliance?
The ICDPA takes effect January 1, 2026. Businesses should begin preparing now to meet compliance requirements. Contact our experts for guidance on privacy policies, consumer request processes, and data protection assessments.