The Consumer Data Protection Act (the “Act”) was passed in 2023 and is set to go into effect on January 1, 2026. The purpose of the Act is to give consumers the right to exercise control over their personal data and to establish requirements that help businesses avoid legal risks and cyber-attacks. According to data compiled by the Office of the Indiana Attorney General, as many as 60% of small businesses fail within six months of a significant data breach. Here is what you should know about the Act before it goes into effect.
The Act defines a controller as a person or a business that makes decisions about how personal data is processed. Consumers are defined as residents of Indiana acting in a personal, family, or household context. The Act generally applies to individuals and companies doing business in Indiana or producing products or providing services targeted to Indiana residents which (a) control or process the personal data of 100,000 or more Indiana residents; or (b) control or process the personal data of at least 25,000 Indiana residents and derive more than 50% of their gross revenue from the sale of personal data. The Act does not apply to the state, state agencies, political subdivisions, or any of their contractors, financial institutions, HIPAA covered entities, nonprofits, higher education institutions, or public utilities.
The Act gives consumers the right to confirm whether a controller is processing their personal data and to obtain copies of a summary of the personal data previously provided to the controller. Consumers also have the right to correct inaccuracies in their personal data, delete their personal data, and obtain their personal data from a controller in an easily transferrable form. Deletion requests must be made directly to each individual company or organization holding consumer data. Consumers may opt out of processing personal data for targeted advertising, the sale of personal data, and profiling. The Act also protects sensitive data and children’s personal data by prohibiting it from being processed unless either the consumer or the parent of the child under the age of 13 opts in and allows this data to be processed. All consumers have the right to exercise their rights under the Act without discrimination.
Controllers are required to provide easy access for individuals to exercise their rights and provide at least one safe and reliable way to submit a request to exercise privacy rights. The process must be clearly described in a controller’s privacy notice. A controller has 45 days to respond to a request made by a consumer. A controller may have an additional 45 days to respond if they provide notice to the consumer within the first 45 days. Controllers may deny a request by a consumer if it is manifestly unfounded, burdensome, excessive, or repetitive. A controller may also deny a request which restricts their ability to comply with federal, state, and local law or government investigations. Consumers have the right to appeal a denial by the controller.
Consumers who believe that a controller is in violation of the Act should report the controller to the Office of the Attorney General. If you have questions about your duties as a controller under the Act or your rights as a consumer, please reach out to one of our experienced attorneys at McNeelyLaw LLP by calling (317) 825-5110.
This McNeelyLaw LLP publication should not be construed as legal advice or legal opinion of any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own lawyer on any specific legal questions you may have concerning your situation.
