Indiana Privacy & Security Compliance Guide

🚨 Indiana Consumer Data Protection Act (ICDPA) - Effective January 1, 2026 (ACTIVE)

ACTIVE ENFORCEMENT - Applies to businesses processing 100,000+ Indiana consumers' data or 25,000+ with 50%+ revenue from data sales

🚨 INDIANA: NEW COMPREHENSIVE LAW ACTIVE JAN 1, 2026

CRITICAL UPDATE: The Indiana Consumer Data Protection Act went live January 1, 2026. Businesses processing Indiana resident data must comply immediately.

Who Must Comply:
• Businesses processing 100,000+ Indiana consumers' data per year
• OR processing 25,000+ consumers with 50%+ revenue from data sales
• Applies regardless of physical presence in Indiana

Key ICDPA Requirements:
• Consumer Rights: Access, deletion, correction, data portability, opt-out of sales
• Privacy Notices: Clear disclosure of data collection, processing purposes
• Data Protection Assessments: Required for sensitive data processing
• Opt-Out Mechanisms: Universal opt-out signal recognition
• 30-Day Cure Period: AG provides cure opportunity for good-faith violations

Pharmaceutical Industry Alert: Eli Lilly's headquarters means a massive concentration of pharma data. Clinical trial data, patient information, and research data require enhanced ICDPA protections.

Racing Industry Data:
• Indianapolis Motor Speedway fan databases
• NASCAR team telemetry and analytics
• Racing participant personal information
• Ticket sales and hospitality data

Enforcement Timeline: The Indiana AG is establishing enforcement priorities in Q1 2026. Expect early enforcement actions targeting obvious violations (no privacy policy, no opt-out mechanism). Good-faith compliance efforts will receive a cure period.

Indiana by the Numbers

• Population: 6.8 million
• Businesses Affected: 150,000+
• Recent Data Breaches: 95
• Per Violation Fine: $7,500 per violation

Who Must Comply in Indiana?

Indiana Consumer Data Protection Act (ICDPA) applies to businesses that:

  • Process personal data of Indiana residents
  • Meet revenue or data volume thresholds
  • Sell products/services to Indiana consumers
  • Have physical or digital presence in Indiana

Indiana-Specific Requirements

The ICDPA, effective Jan 1, 2026, includes consumer rights (access, deletion, correction, portability, opt-out), data protection assessments, and enhanced pharmaceutical manufacturing requirements. It provides a 30-day cure period for good-faith violations.

Recent Indiana Privacy & Security Cases

Eli Lilly data incident (2024) - Research information

Indiana University Health breach (2023) - Patient records

Purdue University hack (2024) - Academic data

ICDPA enforcement expected Q1 2026 - AG establishing enforcement priorities

Major Indiana Business Centers

Key cities where privacy compliance is critical for business success:

  • Indianapolis
  • Fort Wayne
  • Evansville
  • South Bend
  • Carmel
