Laws & Regulations

State Privacy Laws: Indiana

A summary of privacy laws in Indiana.

Overview

The Indiana Consumer Data Protection Act (INCDPA) establishes new privacy rights for Indiana residents and corresponding obligations for businesses that collect or process their personal data. Like many comprehensive state privacy laws, the INCDPA applies to organizations that meet certain volume or revenue thresholds and focuses on consumer data collected in a personal or household context, not employment or business-to-business activities. Overall, the INCDPA aligns closely with other state frameworks while adding to the growing patchwork of U.S. privacy requirements organizations must navigate.

Key Dates

  • Signed into law: May 1, 2023
  • Effective date: January 1, 2026

Thresholds

The INCDPA applies to a person that conducts business in Indiana or produces products or services that are targeted at Indiana residents, and during a calendar year either:

  • controls or processes personal data of at least 100,000 Indiana residents; or
  • controls or processes personal data of at least 25,000 Indiana residents and derives over fifty percent (50%) of gross revenue from the "sale" of any personal data.

Consumer Rights

  • The right to confirm if a business is processing their personal data.
  • The right to correct inaccuracies in their personal data.
  • The right to delete their personal data.
  • The right to obtain a copy of their personal data in a portable and readily usable format.
  • The right to opt out of processing of their personal data for the purposes of targeted advertising, the sale of their personal data, or profiling.

Sensitive Data

The law defines sensitive data to include personal data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • A mental or physical health condition or diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data
  • Personal data of a known child
  • Precise geolocation data

Penalties

Up to $7,500 per violation.

Regions are used to customize the behavior and experience based on an individual user’s location. As an example, this allows you to provide different experiences to users based on regional differences (like GDPR in the EU vs. INCDPA in Indiana). When a user visits your site, we will automatically determine their location and will match them to the most granular region rule that you have setup in Concord. This can go down to the state/province level, which allows for different experiences for different laws (like INCDPA in Indiana).

Based on the current laws, we recommend the following regional settings:

  • Consent Mode: Implied
  • Blocking Mode: Strict
  • Google Consent Mode V2: Advanced
  • Consent Duration: 12 months
  • Enable Limit Sensitive Information: Enabled
  • Enable Do Not Sell Consent: Enabled
  • Enable Global Privacy Control: Enabled

For step-by-step instruction on how to configure your consent banner for different geographical regions within the Concord app, see our help document Configure Your Consent Banner for Different Geographical Regions.

While you can get as granular as you want, we typically recommend a single global policy that meets the strictest guidelines across regions, or higher splits (like separate GDPR and United States regions, only adding additional regions for stricter states like California if needed). If you have any questions on how and why to configure your regions in certain ways, please reach out to our support team.