The Indiana Consumer Data Protection Act: continuing the trend of state level Privacy law in the US

Many US states, including Indiana, have implemented comprehensive privacy laws to protect residents’ information, following trends set by the EU GDPR and fellow US states.


With the rise of data breaches and the increasing use of technology in everyday life, many US states have taken it upon themselves to enact comprehensive privacy laws safeguarding the information of their residents. Indiana is one such state, with its own state-level comprehensive privacy law that follows a trend of privacy legislation within the US and internationally. Modeled initially on the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), the Indiana Consumer Data Protection Act has evolved into a robust piece of legislation that closely aligns with the privacy regulations in Virginia.


The Indiana Data Privacy Law (ICDPA) offers a longer lead time for compliance and aligns with other state regulations like the CCPA.


One of the more unique aspects of the Indiana Consumer Data Protection Act is its longer lead time for compliance, as the law is set to come into force in 2026. This gives affected entities more time to prepare for the new regulations and to implement any necessary changes to ensure compliance. Additionally, the law’s alignment with other state level privacy regulations in the US like the CCPA means that organizations that are already on track to comply with the CCPA will likely face little extra work in meeting the requirements of the Indiana Data Privacy Law. This harmonization of privacy laws between states demonstrates a collaborative effort to enhance data protection across the country.


The ICDPA applies to certain entities conducting business in Indiana or targeting Indiana residents, with a few specific exceptions.


The Indiana Data Privacy Law applies to entities that conduct business in the state of Indiana or target Indiana residents, with the exception of government entities, nonprofits, higher education institutions, and entities already regulated by HIPAA (Health Insurance Portability and Accountability Act) or the Gramm-Leach-Bliley Act (also known as the Financial Services Modernization Act). The ICDPA applies only to those entities which control or process personal data of a specified number of Indiana residents. This includes entities that control or process personal data of at least 100,000 Indiana residents, or at least 25,000 Indiana residents while deriving over 50 percent of their gross revenue from the sale of personal data. The law does not have a revenue threshold for compliance, and it does not apply to certain classes of data such as health records and employment-related information.


The ICDPA grants individuals rights to access and delete their personal data, as well as to opt out of certain data processing activities.


The ICDPA empowers consumers with a range of rights regarding their personal data. These rights include:


  1. Access to personal data: Individuals have the right to request a copy of their personal data from businesses that process it. Businesses must provide this information in a readily accessible format within a reasonable time frame, usually within 30 days.

  2. Correction of inaccuracies: Consumers can request businesses to correct or update any inaccuracies in their personal data. Companies must promptly investigate these requests and make any necessary corrections.

  3. Deletion of personal data: Consumers have the right to request that businesses delete their personal data in certain circumstances, such as when the data is retained beyond the point necessary for the purpose for which it was collected. Businesses must comply with these requests unless they have a legitimate reason to retain the data.

  4. Data portability: Consumers have the right to receive their personal data in a portable format, allowing them to easily transfer it to another business. This right enhances individuals’ control over their data and supports competition in the marketplace.

  5. Opt-out of data processing: Consumers can opt out of certain types of data processing, such as targeted advertising or the sale of their personal data. Businesses must provide a clear and conspicuous mechanism for consumers to exercise this right.


The ICDPA imposes obligations on businesses processing personal data to protect consumer rights.


To ensure the effectiveness of the rights afforded to consumers, the ICDPA imposes specific obligations on businesses that process consumers’ personal data. Controllers, defined as individuals or entities that determine the purposes and means of data processing, must:


  1. Respond to consumer requests promptly: Businesses must respond to consumer requests regarding their personal data within a specified time frame, usually within 30 days. This ensures that consumers can exercise their rights without undue delay.

  2. Provide clear and accessible information: Companies must provide consumers with clear and accessible information about their data processing practices, including the purposes of data collection, the types of data processed, and the parties with whom the data is shared. Transparent communication fosters trust and empowers individuals to make informed decisions about their data.

  3. Establish an appeals process: If a business denies a consumer’s request to exercise their rights, the consumer has the right to appeal the decision. The business must have a process in place to handle appeals and provide consumers with an opportunity to present their case.

  4. Respect consumer choices: Consumers’ choices regarding their personal data must be respected by businesses. This includes honoring opt-out requests and ensuring that consumers are not discriminated against for exercising their rights.


To enforce these rights, individuals can file a complaint with the Indiana Office of the Attorney General if they believe a business has violated the ICDPA. The Attorney General’s office is responsible for investigating complaints and taking appropriate enforcement actions against businesses that fail to comply with the law.

Discover how Aphaia can elevate your data protection strategy to new heights. We specialize in empowering organizations like yours with cutting-edge solutions designed to not only meet but exceed the demands of today’s data security landscape. Contact Aphaia today to find out more.
