The Indiana Consumer Data Protection Act: Full Breakdown (2024)

How to comply with the Indiana data privacy act

Controllers must practice transparency and provide consumers with an “accessible, clear and meaningful” privacy notice. The notice should include:

  • categories of personal data processed
  • purpose for processing personal data
  • categories of personal data the controller shares with third parties, if any
  • categories of third parties the controller shares consumers’ personal data with, if any
  • an explanation of how consumers may exercise their rights
  • disclosure of the controller’s use or sale of personal data to third parties for targeted advertising, if applicable
  • a method to opt out of targeted advertising data use or sale

To exercise their rights, consumers must submit a verifiable request to the controller (company). After a consumer request is received, the controller has 45 days to respond. There are some limited reasons that they can decline, including if the consumer’s identity cannot be reasonably verified. The consumer can appeal such a decision, and the controller has 45 days to respond to the appeal.

If there are extenuating circumstances preventing a controller from fulfilling a consumer request, once the consumer has been notified, that response period can be extended by 45 days if reasonably necessary.

Purpose limitation

Controllers can process personal information for the purpose(s) that they have communicated, as long as the processing is “adequate, relevant, and reasonably necessary” and proportional to those purposes.

Data security

Controllers must protect personal information by establishing, implementing and maintaining reasonable administrative, technical, and physical security measures. These measures should be appropriate to the nature and volume of personal information being processed.

Data protection impact assessments (DPIA)

Controllers must conduct and document data protection assessments when they:

  • process personal data for targeted advertising purposes
  • sell personal data
  • process personal data for profiling purposes if that profiling creates a foreseeable risk of unfair or deceptive treatment or impact on consumers
  • process sensitive data
  • process any personal data in a way that heightens the risk of harm to consumers

These assessments apply to processing activities occurring after December 1, 2025, which is seven months before the law’s effective date of July 1, 2026.

Consent requirements

Like other US states that have passed privacy laws, Indiana uses an opt-out model, so user consent is not required before collecting and processing information in many cases. The exception is that consent must be obtained before collecting or processing sensitive personal information. Consumers must be given clear notice about processing and be able to opt out of sale, targeted advertising, or profiling.

Where children are concerned, like a number of other states, the INCDPA follows the federal Children’s Online Privacy Protection Act (COPPA). Consent from any known child’s parent or guardian must be obtained before processing any personal information of any user known to be under 13 years of age. This would include all children’s personal information because, under Indiana’s data privacy regulation, data of children under 13 is classified as sensitive by default.

Nondiscrimination

Controllers are prohibited from unlawful discrimination against consumers, and from processing personal information if doing so is in violation of state or federal laws governing discrimination. Additionally, controllers cannot discriminate against consumers for exercising their rights. For example, a consumer cannot be blocked from accessing a website if they opt out of allowing personal information collection.

However, there are often website features or functions that will not work without certain cookies being active, so if a consumer does not opt in to their use because they collect personal information, the site may not work optimally. This is not discriminatory.

Controllers can offer incentives like discounts for consumers’ voluntary participation in operations like an organization’s loyalty program or signing up for a newsletter, where these operations collect and process personal data. Such offers have to be reasonable: data protection authorities tend to frown on disproportionate incentives, which start to look like bribes.

Transparency

Controllers must provide consumers with clear and accessible information about data processing. Commonly this appears on the company’s website in a privacy notice or policy. Under the INCDPA, this information must include:

  • categories of personal information processed by the controller
  • purpose(s) for processing personal information
  • how consumers may exercise their rights and/or appeal a controller’s decision (e.g. if a request for access is denied)
  • categories of personal information that the controller sells to third parties, if any
  • categories of third parties to whom the controller sells personal information, if any
  • notice about the right to opt out of the sale of personal information to third parties, targeted advertising, or profiling for decisions that produce legal or similarly significant effects to the consumer

Third party data processing contracts

Controllers must have contracts in place with third-party processors (vendors and other service providers) with clear information about:

  • instructions for processing personal data
  • nature and purpose of the processing
  • type of data subject to processing
  • duration of processing
  • rights and obligations of both parties

Third-party data processors are also expected to assist controllers in meeting duties related to security, transparency, retention, deletion, assessment, and reporting. The Indiana Attorney General can request a DPIA from a controller for the purposes of a civil investigation.

Universal opt-out signal

As with the Virginia Consumer Data Protection Act (VCDPA), Iowa Consumer Data Protection Act (ICDPA), and Utah Consumer Privacy Act (UCPA), the Indiana Consumer Data Protection Act does not make any specific reference to the Global Privacy Control (GPC) “universal opt-out” or similar mechanism.

California’s laws do reference this signal, which is intended to standardize user consent online. Using it enables consumers to create a single set of their own personal data privacy consent preferences. These settings can then be communicated to all websites or apps that consumers visit, so users don’t have to set new preferences on every site. Use of this mechanism also helps ensure compliance with consumer privacy laws relevant to each user.

Author: Catherine Tremblay
