# [Indiana Consumer Data Protection Act (Indiana CDPA) – an overview](https://www.cookiebot.com/en/indiana-consumer-data-protection-act/) **The Indiana Consumer Data Protection Act (Indiana CDPA) goes into effect in 2026. Learn how the Indiana data privacy law impacts businesses and consumers.** · [Scan now](https://www.cookiebot.com/en/cookie-checker/) · [Subscribe](javascript:void(0)) --- ## What is the Indiana Consumer Data Protection Act? The [Indiana Consumer Data Protection Act (Indiana CDPA)](https://iga.in.gov/pdf-documents/123/2023/senate/bills/SB0005/SB0005.05.ENRH.pdf) aims to protect the privacy and personal data of Indiana residents. It establishes rules for businesses that either operate in Indiana or sell products and services to the state’s residents, known as “consumers” under the law, and process their personal data. The Indiana privacy law defines a consumer as an Indiana resident who is “acting only for a personal, family, or household purpose,” and not for commercial or employment purposes. Like other US states with consumer privacy laws, Indiana follows an opt-out model. It requires businesses to clearly explain what personal data they collect and why they collect it, third parties they share it with, and how consumers can opt out of its collection and processing for certain purposes. --- ## Definitions under the Indiana Consumer Data Protection Act The Indiana privacy law defines key terms related to who is protected under the law, what data it protects, and data processing activities. ### Personal data under the Indiana CDPA The Indiana CDPA defines personal data as *“information that is linked or reasonably linkable to an identified or identifiable individual”*. The definition explicitly excludes [de-identified data](https://usercentrics.com/knowledge-hub/data-anonymization/), aggregate data, or publicly available information. The law does not provide specific examples of personal data, unlike some other [US state-level data privacy laws](https://www.cookiebot.com/en/us-data-privacy-laws/), but common types that businesses collect include name, email address, phone number, Social Security Number, and passport number. ### Sensitive data under the Indiana CDPA Sensitive personal data is data that presents a risk of harm to consumers if misused and includes: - racial or ethnic origin - religious beliefs - health information or mental or physical health diagnosis made by a healthcare provider - sexual orientation - citizenship or immigration status - genetic or biometric data processed for the purpose of uniquely identifying a specific individual - personal data collected from a known child (under 13 years of age) - precise geolocation data that can accurately identify a natural person’s specific location within a radius of 1,750 feet or 533.4 meters The federal [Children’s Online Privacy Protection Act (COPPA)](https://usercentrics.com/knowledge-hub/childrens-online-protection-act-coppa/) covers consent requirements and handling of children’s data. In Indiana, as with most US state-level privacy laws, data of known children is categorized as sensitive data. The European Union’s [General Data Protection Regulation (GDPR)](https://usercentrics.com/knowledge-hub/the-eu-general-data-protection-regulation/) has influenced what consent means under many data privacy laws worldwide, including the Indiana data privacy law*.* The law defines consent as *“a clear affirmative act that signals a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.”* ### Controller under the Indiana CDPA The Indiana CDPA defines a controller as *“a person that, alone or jointly with others, determines the purpose and means of processing personal data.”* A controller is also known as a “data controller” under some other privacy laws. ### Processor under the Indiana CDPA A controller may collect and share personal data with a third party for processing purposes. The Indiana CDPA defines this third-party entity as the processor or *“a person that processes personal data on behalf of a controller.”* ### Sale under the Indiana CDPA The Indiana data privacy law defines sale of personal data as the *“the exchange of personal data for monetary consideration by a controller to a third party.”* The definition excludes the disclosure of personal data: - to a processor that processes the personal data on the controller’s behalf - to a third party for purposes of providing a product or service that is requested by the consumer or the parent of a child whose personal data is in question - to an affiliate of the controller, including transfer of personal data - that the consumer intentionally made available to the public through a mass media channel not restricted to a specific audience (e.g. social media posts) - to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets, including transfer of personal data ### Targeted advertising under the Indiana CDPA Targeted advertising means *“displaying of an advertisement to a consumer in which the advertisement is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests.”* The Indiana privacy law’s definition excludes: - ads based on activities within a controller's own or affiliated websites or online applications - ads based on the context of a consumer's current search query, visit to a website, or online application - ads directed to a consumer in response to the consumer's request for information or feedback - the processing of personal data solely for measuring or reporting advertising performance, reach, or frequency --- ## Who must comply with the Indiana Consumer Data Protection Act The Indiana data privacy law applies to businesses that operate in Indiana or produce products or services targeted to Indiana residents, even if the business itself is located outside the state. To be subject to Indiana CDPA compliance, businesses must either: - control or process the personal data of at least 100,000 Indiana residents during a calendar year or - control or process the personal data of at least 25,000 Indiana consumers and make over 50% of their gross revenue from the sale of personal data within a calendar year ### Exemptions to Indiana Consumer Data Protection Act compliance Similar to other US data privacy laws, the Indiana privacy law exempts certain entities from compliance, including: - state government agencies, including third parties under contract with state government agencies when acting on their behalf - financial institutions and affiliates or subject to the Gramm-Leach-Bliley Act - covered entity or business associate governed by the Health Insurance Portability and Accountability Act (HIPAA) - nonprofit organizations - institutions of higher education - public utilities or service company affiliated with a public utility Data that is exempt from the law includes protected health information; research data; data that is processed or maintained for employment-related purposes; and information created for or collected in pursuance to several federal laws. --- ## Consumers' rights under the Indiana Consumer Data Protection Act The Indiana CDPA grants several rights to consumers to protect their personal data. - **Right to access:** consumers can confirm if the controller is processing their personal data and can access their data, with some exceptions - **Right to correction:** consumers have the right to have any incomplete or inaccurate personal data that they previously provided to the controller corrected - **Right to deletion:** consumers can request the deletion of any of their personal data that the controller holds, with exceptions - **Right to data portability:** consumers can obtain a copy of personal data they previously provided to the controller, in a readily usable format, with some exceptions - **Right to opt out:** consumers can opt out of the processing of their personal data for the purposes of its sale, targeted advertising, or profiling Parents or legal guardians can exercise these rights on behalf of children. --- ## Controllers’ obligations under the Indiana Consumer Data Protection Act Controllers have several responsibilities under the Indiana data privacy law to safeguard consumers’ personal data. ### Consumer rights requests under the Indiana CDPA Controllers must notify consumers about their rights and how to exercise them. ### Purpose limitation under the Indiana CDPA The law requires controllers to disclose the purpose(s) for which they are collecting personal data. ### Data security under the Indiana CDPA Controllers are responsible for maintaining the confidentiality, integrity, and accessibility of personal data. ### Data protection impact assessments (DPIA) under the Indiana CDPA Controllers must conduct and document data protection impact assessments when they process personal data for certain purposes. ### Nondiscrimination under the Indiana CDPA Controllers must not engage in unlawful discrimination against consumers. ### Privacy notice under the Indiana CDPA The law requires controllers to provide consumers with a clear, accessible, and meaningful privacy notice. ### Data processing agreements (DPA) under the Indiana CDPA Controllers must enter into contracts with third-party processors that govern data processing procedures. ### Universal opt-out signal under the Indiana CDPA The Indiana privacy law does not explicitly mention universal opt-out mechanisms. --- ## Enforcement of the Indiana Consumer Data Protection Act The Indiana Attorney General is responsible for enforcing the Indiana CDPA. ### Fines and penalties under the Indiana CDPA Controllers or processors that violate the Indiana CDPA could face penalties up to USD 7,500 for each violation. --- ## Consent management and the Indiana Consumer Data Protection Act Like all other current US state-level data privacy laws, the Indiana data privacy law adopts the opt-out consent model. --- ## How to prepare for the Indiana Consumer Data Protection Act Businesses operating in Indiana have until 2026 to prepare for compliance with the Indiana CDPA. Solutions like Cookiebot CMP provide a centralized system for managing user consent or opt-out for cookie use. ## Scan your website for free with Cookiebot CMP to see what cookies and trackers it uses. [Scan now](https://www.cookiebot.com/en/cookie-checker/) --- ## Stay informed Join our growing community of data privacy enthusiasts now. Subscribe to the Cookiebot™ newsletter and get all the latest updates right in your inbox. --- ## Download the CMP integration for your preferred CMS ## Usercentrics Cookiebot WordPress Plugin ## Usercentrics for Wix --- ## Product [Cookiebot™ Consent Solution](https://www.cookiebot.com/en/cookie-consent-solution/) · [Usercentrics for Wix](https://www.cookiebot.com/en/cookiebot-for-wix-by-usercentrics-app/) · [WordPress Plugin](https://www.cookiebot.com/en/new-wp-cookie-plugin/) · [Pricing](https://www.cookiebot.com/en/pricing/) ## Regulations [DMA (EU)](https://www.cookiebot.com/en/digital-markets-act-dma/) · [GDPR (EU)](https://www.cookiebot.com/en/gdpr/) · [CCPA (California)](https://www.cookiebot.com/en/what-is-ccpa/) · [VCDPA (Virginia)](https://www.cookiebot.com/en/virginia-vcdpa/) · [LGPD (Brazil)](https://www.cookiebot.com/en/lgpd/) · [TCF v2.3 (IAB)](https://www.cookiebot.com/en/tcf/) · [Google Consent Mode](https://www.cookiebot.com/en/cookiebot-cmp-google-consent-mode/) · [Microsoft UET Consent Mode](https://www.cookiebot.com/en/microsoft-consent-mode-cmp/) ## Partners [Become an affiliate](https://www.cookiebot.com/en/affiliates/) · [Become a partner](https://www.cookiebot.com/en/resellers/) · [Find a partner](https://www.cookiebot.com/en/cookiebot-reseller/) ## Resources [Blog](https://www.cookiebot.com/en/blog/) · [Digital Markets Act Hub](https://www.cookiebot.com/en/digital-markets-act-dma-resources/) · [Google Consent Mode Hub](https://www.cookiebot.com/en/google-consent-mode-resources/) · [Google Consent Mode V2 Certification](https://courses.usercentrics.com/course/google-consent-mode-v2) · [Google Consent Audit Fixes](https://www.cookiebot.com/en/google-consent-audit-fixes/) · [Developer documentation](https://www.cookiebot.com/en/developer/) · [Cookiebot vs CookieYes](https://www.cookiebot.com/en/cookiebot-best-cookieyes-alternative/) · [Cookiebot vs OneTrust](https://www.cookiebot.com/en/onetrust-alternative/) · [Cookie Banner Cost Calculator](https://www.cookiebot.com/en/cookie-banner-pricing-calculator/) ## Company [About us](https://www.cookiebot.com/en/about/) · [Careers](https://usercentrics.com/career/) · [Support](https://support.cookiebot.com/hc/en-us/) --- [Privacy Policy](https://www.cookiebot.com/en/privacy-policy/) · [Terms of Service](https://www.cookiebot.com/en/terms-of-service/) · [Cookie Declaration](https://www.cookiebot.com/en/cookie-declaration/) · [Data Processing Agreement](https://www.cookiebot.com/en/data-processing-agreement/) ©2026 Cookiebot™ by [Usercentrics](https://usercentrics.com/)