Class Action U Logo
Check Your Eligibility

Indiana Privacy Policy: Requirements, Best Practices & Compliance

In Indiana, the newly effective Indiana Consumer Data Protection Act grants consumers certain rights over their personal data. These include the right to access personal data held by businesses, to request the correction of inaccurate data, to request the deletion of their data, and to opt out of the sale of their personal data.

Check Your Eligibility
electric cables
  • February 10, 2026
  • Key Takeaways
  • The Indiana Consumer Data Protection Act (INCDPA), which took effect on January 1, 2026, is designed to safeguard the privacy rights of individuals in the state and regulate how businesses handle consumers’ personal data.
  • Under the INCDPA, Indiana consumers can confirm whether a business is collecting and processing their data, as well as correct it, delete it, obtain a copy of it, or opt out of the collection process.
  • Victims of data breaches in Indiana may have the right to seek compensation, often through a class-action lawsuit.

At the start of 2026, Indiana joined several other states that provide comprehensive consumer data rights and protections to residents through the Indiana Consumer Data Protection Act (INCDPA), which the state legislature passed in 2023. The Act grants Indiana residents privacy protections and some control over how corporations use their data. Additionally, the INCDPA sets some guidelines for how businesses should respond in the event of a data breach.

Overview of Data Privacy in Indiana

Indiana’s main data privacy law is the Indiana Consumer Data Protection Act (INCDPA), which grants Indiana residents rights over their personal data, effective January 1, 2026. The Act requires businesses to be transparent and provide access, correction, deletion, and opt-out rights for data sold or used for targeted advertising. It mandates clear privacy notices and limits data collection to what’s necessary for the services provided. In combination with federal data breach laws, the INCDPA works to protect consumers from identity theft, fraud, and other consequences arising from unsafe data practices.

Indiana Consumer Data Protection Act (INCDPA)

Though it passed through the Indiana state legislature in May 2023, the Indiana Consumer Data Protection Act (INCDPA) did not take effect until January 1, 2026. The Act gives Indiana consumers the following rights:

  • The right to confirm whether a business is processing their personal data.
  • The right to correct inaccuracies in the personal data they provide to a business.
  • The right to delete their personal data that a business has access to.
  • The right to obtain a copy or summary of their personal data that the business has access to.
  • The right to opt out of the processing of personal data for certain purposes.

Who Must Comply

The INCDPA applies to any individual or entity that owns, licenses, or maintains computerized data containing personal information of Indiana residents. This includes businesses operating in Indiana or collecting data from Indiana residents, but does not apply to financial institutions, nonprofits, higher education institutions, public utility companies, or government agencies.

Entities must also comply with the INCDPA if they control or process the personal data of 100,000 or more consumers in Indiana, or 25,000 consumers or more if the entity derives more than 50% of its gross revenue from the sale of personal data. Under the new Indiana law, the sale of data is defined as the exchange of personal data for monetary compensation from a controller to a third party.

Timing and Content of Notifications

A “security breach” is defined under Indiana law as the unauthorized acquisition of unencrypted or unredacted personal information. In the event of a data breach, businesses must notify affected individuals (and, in some cases, relevant regulatory authorities) without unreasonable delay, taking into account law enforcement needs and the progress of breach investigations. The notification must include information about the nature of the breach, the types of data affected, and steps individuals can take to protect themselves.

Experienced a BREACH?
Get Help Now
CAU logo

Types of Personal Information Covered by Indiana Law

Under the Indiana Consumer Data Protection Act (INCDPA), “personal data” is broadly defined as any information that is linked or reasonably linkable to an identified or identifiable individual, excluding de-identified data, publicly available info, and aggregate data. Businesses may need to get consumer consent before collecting, processing, or disclosing personal data, especially for sensitive categories of data.

Certain types of data are categorized as “sensitive” and receive stronger protections under Indiana law. This includes genetic, biometric, precise geolocation, and health data, as well as any data revealing race, ethnicity, religion, health diagnoses, sexual orientation, or citizenship/immigration status. It also includes personal data collected from a known child.

Business Obligations Under Indiana Law

Under Indiana law, businesses must provide consumers with clear and understandable information about their data processing practices, including disclosing the type of data collected, the purposes for which the data is processed, and any third parties with whom the data is shared. Businesses must also implement reasonable security measures to protect the personal data they collect/process from unauthorized access, disclosure, alteration, or destruction.

It’s also important for businesses to plan for the detection, investigation, internal escalation, notification obligations, and documentation necessary to comply with Indiana law in the event of a security breach.

What Indiana Consumers Should Do After a Data Breach

After a data breach, Indiana residents whose personal information was compromised can take several steps to protect their personal information, financial security, and identity.

  • Verify What Data Was Compromised: Review the breach notice to determine what personal information was accessed.
  • Credit Monitoring, Freezes & Identity Protections: Use credit monitoring services, place free credit freezes or fraud alerts, and regularly review financial statements.
  • File a Legal Claim: While Indiana’s breach notification law does not provide a private right of action, victims may still pursue claims under other legal theories or by joining data breach class actions.

Class Action U Can Help

Under Indiana’s new Indiana Consumer Data Protection Act, consumers in the state have more rights regarding the protection and privacy of their personal information. In the event of a data breach, consumers have the right to seek restitution for their losses, often by filing or joining a class-action lawsuit.

At Class Action U, we simplify the process for individuals joining ongoing data breach lawsuits, connecting them with our legal partners who are ready to handle their cases. If you’ve been affected by a breach that could potentially lead to a class action lawsuit but hasn’t yet, we encourage you to share your information with us. We’ll evaluate the situation to see if it warrants a class action filing. For those eligible to participate in an existing class action, our site offers a straightforward way to sign up.

Contact Class Action U today to be connected with a data breach lawyer experienced in class action lawsuits, and to learn more about your legal options if you were part of a data breach.

Start Your Data Breach Claim
Were you recently affected by a data breach? 
Contact Us Today
Related Pages
Latest Data Breach News