Overview
Although Indiana adopted the Consumer Data Protection Act (CDPA) in 2023, the CDPA officially took effect on January 1, 2026. This data privacy law, which regulates how businesses must handle the personal information of their Indiana customers, should be at the top of your new year’s resolutions. The Indiana Attorney General’s Office has signaled that it will be actively enforcing the CDPA on behalf of Indiana residents, so it’s important for your business to review what the law requires and how it may apply to your activities in Indiana.
If you are already complying with other state data privacy laws (19 other states have passed laws that are similar, but not identical, to the CDPA), you may require only a moderate upgrade or refresh. But for many Midwest companies, this law may be the first one governing your collection, use, disclosures, and sharing of personal data. Even if your website simply has a “Contact Us” page, you should consider the following legal and operational issues that may apply to you.
New Consumer Rights Under the Indiana CDPA
The CDPA gives Indiana residents (“consumers”) a series of rights they can exercise against companies that collect and use their personal information (“controllers”). The CDPA gives consumers a series of basic rights common to most data privacy laws, specifically the rights to:
- Know what personal information the controller possesses about them,
- Correct that personal information if it is inaccurate,
- Request that the controller delete that personal information, and
- Obtain a copy (in a “portable” format) of their personal information from the controller.
In addition to these basic informational rights, the CDPA gives consumers the right to opt out of certain online marketing practices controllers may be performing with consumers’ personal information. This includes:
- Selling consumer personal information to third parties (“selling”),
- Showing consumers advertisements based on their web browsing habits (“targeted advertising”), and
- Using artificial intelligence (AI) and other automated tools to categorize consumers and make significant decisions about them, such as giving them a loan or hiring them (“profiling”).
The law also provides special “opt-in” protections for “sensitive” personal information, such as precise geolocation, race, religious beliefs, and mental or physical health.
New Business Obligations for Companies with Indiana Customers
The CDPA requires controllers to clearly explain their data practices in a privacy policy, notify consumers of how they can exercise their CDPA rights, and respond in a timely manner when consumers exercise those rights (generally within 45 days of receiving a request).
The law also imposes other obligations on controllers, such as limiting the personal information they may gather (“data minimization”) and restricting the ways they may use the personal information (“purpose limitation”). Like other data privacy laws, the CDPA requires that these companies have a reasonable cybersecurity protocol or program to protect from security breaches and make sure their business partners or sub-contractors maintain similar levels of security.
For controllers that use digital marketing on their websites, their activities may fall under the CDPA’s definition of “selling,” “targeted advertising,” and “profiling.” If so, there are additional technical requirements that you will need to discuss with your website provider, IT department or managed service provider, and marketing teams. You may need to add pop-up windows or other “consent management” tools on your website(s), as well as “back-end” system applications to keep track of the consumers who have opted out for future visits. In addition, controllers must complete a “Data Protection Impact Assessment” (DPIA) that documents the risks their marketing practices present to consumers’ personal information.
Does the Indiana CDPA Apply to Your Business?
The CDPA does not cover all businesses and types of personal information. General rules of thumb are that businesses that collect the personal information of fewer than 100,000 Indiana residents are exempt, as are businesses whose collection and use of personal information are already regulated by the HIPAA and Gramm-Leach-Bliley federal privacy laws. In addition, the CDPA contains a number of “data-level” exemptions for personal information regulated by other privacy laws covering health care, consumer credit, and educational records. Personal information that businesses collect for hiring and employment purposes is also exempt.
Risks of Noncompliance With the Indiana CDPA
Under the CDPA, consumers do not have a private cause of action—so they cannot file a lawsuit against companies for failure to comply. Instead, only the Indiana Attorney General may enforce the law. The Indiana law also allows covered businesses 30 days to cure a potential violation. In other words, if the Indiana Attorney General sends a written notice to a business about a violation, it has 30 days to correct the violation and confirm in writing that actions have been taken to prevent future violations. However, failure to comply may result in a fine of up to $7,500 per violation.
How Businesses Can Prepare for CDPA Compliance
Like other states’ privacy laws, the CDPA was intended to give consumers more transparency around company collection and use of data. In a “Consumer Bill of Rights” it recently published, the Indiana Attorney General’s Office explained that the CDPA “gives Hoosiers the right to understand how their data is used and make informed choices about how and with whom their data is sold or used.” This means that every company with a website and an Indiana customer base should consider:
- What personal information is your company currently collecting about your Indiana customers? If you have never done a data mapping exercise, or have not done one in a while, this is a great opportunity to discover what types of personal information you have and what the different parts of your organization are doing with it today. It is important to include your HR, sales, and marketing departments in this review, because they tend to be the teams that collect sensitive personal information and use software vendors that engage in the highly regulated areas of “selling,” “targeted advertising,” and “profiling.”
- Does your public-facing privacy policy tell the full story about how you collect and use personal information? If your company has already gone through the exercise of updating your privacy policy to comply with other states’ privacy laws, then you fortunately may not have much work to do. But if your current privacy policy does not match how your company actually collects and processes personal data, you are at risk for both consumer complaints and regulatory inquiries under the CDPA.
- Are you prepared to respond when consumers exercise their CDPA rights? For example, if Indiana consumers exercise their right to opt out of profiling or ask you to delete their information, you should have systems in place to process, technically implement, and then document how you handled their requests.
- Can you document that the CDPA does not apply to your company? If you believe that your company falls under one of the CDPA’s exemptions, you should be able to document, for consumers and regulators, why you believe the law does not apply to you.
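The “back-end” opt-out tracking and the request-handling systems described above (keeping track of consumers who have opted out of selling, targeted advertising, or profiling, and processing, implementing, and documenting consumer requests within the 45-day window) can be sketched in code. The following is an added illustration, not part of this article and not any vendor’s product: a hypothetical request ledger that records each consumer request, computes its 45-day due date, keeps an audit trail, flags overdue requests, and exposes a single check that marketing systems call before processing a consumer’s data for a given purpose. The request and purpose names, the consumer identifiers, and the sample dates are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Hypothetical record keeping for CDPA consumer requests and opt-outs (constructed example).
RESPONSE_WINDOW_DAYS = 45  # the CDPA generally requires a response within 45 days of receipt
OPT_OUT_PURPOSES = {"sale", "targeted_advertising", "profiling"}
REQUEST_KINDS = {"access", "correct", "delete", "portable_copy", "opt_out"}


@dataclass
class RightsRequest:
    request_id: str
    consumer_id: str
    kind: str                        # one of REQUEST_KINDS
    received: date
    purpose: Optional[str] = None    # for opt_out requests: the purpose being refused
    completed: Optional[date] = None
    notes: List[str] = field(default_factory=list)  # audit trail of how the request was handled

    @property
    def due(self) -> date:
        """Last day on which a timely response can still be given."""
        return self.received + timedelta(days=RESPONSE_WINDOW_DAYS)


class PrivacyRequestLedger:
    """Tracks consumer requests, their deadlines, and the opt-out flags they produce."""

    def __init__(self) -> None:
        self.requests: Dict[str, RightsRequest] = {}
        self.opt_outs: Dict[str, Set[str]] = {}  # consumer_id -> purposes the consumer opted out of

    def record_request(self, request_id: str, consumer_id: str, kind: str,
                       received: date, purpose: Optional[str] = None) -> RightsRequest:
        if kind not in REQUEST_KINDS:
            raise ValueError(f"unknown request kind: {kind}")
        if kind == "opt_out" and purpose not in OPT_OUT_PURPOSES:
            raise ValueError(f"opt_out must name one of {sorted(OPT_OUT_PURPOSES)}")
        req = RightsRequest(request_id, consumer_id, kind, received, purpose)
        req.notes.append(f"{received.isoformat()}: received, due {req.due.isoformat()}")
        self.requests[request_id] = req
        return req

    def complete(self, request_id: str, on: date) -> RightsRequest:
        """Mark a request handled; an opt-out becomes a persistent suppression flag."""
        req = self.requests[request_id]
        if req.kind == "opt_out" and req.purpose is not None:
            self.opt_outs.setdefault(req.consumer_id, set()).add(req.purpose)
        req.completed = on
        status = "late" if on > req.due else "on time"
        req.notes.append(f"{on.isoformat()}: completed ({status})")
        return req

    def may_process(self, consumer_id: str, purpose: str) -> bool:
        """Gate for marketing systems: False once the consumer has opted out of this purpose."""
        return purpose not in self.opt_outs.get(consumer_id, set())

    def overdue(self, today: date) -> List[str]:
        """Open requests whose 45-day window has already passed, for escalation."""
        return sorted(r.request_id for r in self.requests.values()
                      if r.completed is None and today > r.due)


def sample_scenario() -> dict:
    """Constructed walk-through: one opt-out request received on 2026-01-05."""
    ledger = PrivacyRequestLedger()
    req = ledger.record_request("REQ-1", "consumer-42", "opt_out",
                                date(2026, 1, 5), purpose="targeted_advertising")
    before = ledger.may_process("consumer-42", "targeted_advertising")
    overdue_on_due_day = ledger.overdue(date(2026, 2, 19))
    overdue_day_after = ledger.overdue(date(2026, 2, 20))
    ledger.complete("REQ-1", date(2026, 1, 20))
    return {
        "due": req.due,
        "ads_allowed_before": before,
        "ads_allowed_after": ledger.may_process("consumer-42", "targeted_advertising"),
        "sale_allowed_after": ledger.may_process("consumer-42", "sale"),
        "overdue_on_due_day": overdue_on_due_day,
        "overdue_day_after": overdue_day_after,
        "overdue_once_completed": ledger.overdue(date(2026, 2, 20)),
        "audit_trail": req.notes,
    }


if __name__ == "__main__":
    for key, value in sample_scenario().items():
        print(f"{key}: {value}")
```

The point of the single `may_process` check is that every downstream system (ad tags, list exports to data brokers, scoring models) consults one suppression record rather than each keeping its own copy, so an opt-out honored once stays honored on later visits; the `notes` list is what you would show a regulator asking how a request was handled and whether it was answered within the window.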
Each company’s personal data profile is different, but given the enforcement and fine provisions of the CDPA, all businesses should be prepared for the heightened level of scrutiny this new law will bring to data practices and consult their trusted privacy advisors for better peace of mind.