Indiana Consumer Data Protection Act

Learn about the Indiana Consumer Data Protection Act (ICDPA), its applicability to businesses operating in Indiana, exemptions, sensitive data, consumer rights, data protection assessments, and potential penalties. Ensure compliance to avoid fines of up to $7,500 per violation. Get all the details here.

Secure Privacy Team

July 18, 2023·6 min read

By enacting the Indiana Consumer Data Protection Act, Indiana became the seventh US state to pass a law dedicated to protecting consumer data privacy.

Continue Reading

Explore more privacy compliance insights and best practices

USA

CCPA vs. GDPR: What Businesses Need to Know

Businesses operating across international markets face complex data privacy obligations as both the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) impose significant compliance requirements. Understanding the difference between CCPA and GDPR is essential for organizations handling consumer data across jurisdictions.

HIPAA Privacy Policy: Essential Website Compliance for Healthcare Organizations

Your healthcare website could be violating federal law right now — and you might not even know it. If your site collects patient information through contact forms, operates patient portals, or processes any health-related data, your HIPAA privacy policy isn't just a legal formality, it's your first line of defense against costly violations and patient trust breaches.

Iowa Consumer Data Protection Act (ICDPA): Comprehensive Data Privacy Law Overview for Iowa Businesses

Learn everything about ICDPA compliance: coverage criteria, business obligations, consumer rights, and penalties. Essential guide for businesses handling Iowa residents' data.

If you operate in Indiana, it may create obligations for you, and you need to learn more about it.

What is the Indiana Consumer Data Protection Act (ICDPA)?

The Indiana Consumer Data Protection Act (ICDPA) protects the consumer data privacy of Indiana residents. It closely follows the provisions present in other US state laws regulating the same matter.

It was signed into law on May 1, 2023, but it won’t be enforced until January 1, 2026. You have enough time to learn about it and prepare for compliance.

Does the ICDPA apply to your business?

The ICDPA applies to your business if you operate in Indiana or target Indiana customers, and either:

Control or process personal data of at least 100,000 Indiana residents, or

Control or process personal data of at least 25,000 Indiana residents and derive over 50% of its gross revenue from the sale of personal data.

These criteria are similar to what we have seen in other US states’ laws. It won’t apply to many businesses.

However, keep in mind that processing IP addresses with Google Analytics or browsing behavior with Meta Pixel can easily allow you to control the data of more than 100,000 consumers and slide you into the applicability requirements.

Are some businesses or data exempt from ICDPA?

ICDPA exempts from its scope the same types of organizations and data that you’ll find in other privacy laws around the US, which include:

Government entities

Non-profits

HIPAA and HITECH-covered entities

Higher education entities

Utility companies

Financial institutions subject to the GLBA

The list of exempted data is long and includes, but is not limited to:

Data protected by industry-specific laws such as HIPAA, GLBA, FCRA, and others

Employment information

Research data for the public interest

What is ICDPA personal data?

ICDPA defines personal data as any information that identifies a person.

That includes a wide variety of data. Aside from obvious data categories, such as personal names, email addresses, and government-issued numbers, personal data also involves health history, fitness app data, purchase behavior, and other data that could point out an individual.

What is ICDPA sensitive data?

CDPA explicitly lists the categories of personal information considered sensitive. They include:

Data revealing an individual’s racial origin, ethnic origin, sexual orientation, citizenship or immigration status, or health diagnosis

Precise geolocation data

Child’s data

Biometric data for the purpose of identifying a person

Sensitive data must not be processed without obtaining explicit consent from the user.

What are the general duties of controllers and processors under the ICDPA?

Every controller that needs to comply with this law must:

Ensure data security by implementing adequate technical and organizational measures

Process the data only for the purposes it has been collected

Ensure that the categories of collected data are adequate for processing purposes

Obtain consent for the processing of sensitive data

Conduct data protection assessments if required

Provide consumers with a privacy notice

Honor consumer requests

Enter into data processing contracts with processors

Processors, on the other hand, are obliged to protect the data in their own work and help the controller to do the same. In particular, it means obligations to:

Implement adequate data security measures

Process data only based on the contract with the controller

Assist the controller in compliance with the law

What is a data processing contract?

The data processing contract regulates the relationship between the controller and the processor. You need to have one to make your processing legal. Without such a contract, you violate the ICDPA.

Your contract must include provisions on:

The identity of both parties

Categories of personal data to be processed

The nature and purposes of processing

The duration of processing

Rights and duties of both parties

Requirement for the processor to prove compliance to the controller, upon request

Requirement for deletion of data upon the controller’s request

Confidentiality

Hiring subcontractors

What is a privacy notice according to the ICDPA?

Your ICDPA privacy notice is actually your privacy policy. It is the document where you provide transparency about your privacy practices to consumers.

Your notice must contain at least:

Processing purposes

Categories of processed data

The categories of data you sell, if applicable

The categories of third parties to whom you sell data, if applicable

Consumer rights and how to exercise them

Although not required by the law, you can always add more information to increase transparency.

Yes, explicit consumer consent is required for processing sensitive personal data. The consent should be freely given, specific, informed, and unambiguous.

In cases where you collect information from a known child for processing, you can follow the parental consent standards outlined in COPPA (Children's Online Privacy Protection Act).

Are we required to honor universal opt-out mechanisms?

The ICDPA does not explicitly address universal opt-out mechanisms, so there is no obligation to adhere to them. However, it is important to provide consumers with the ability to opt-out using the designated methods you have established with the privacy policy.

What is a Data Protection Assessment?

A Data Protection Assessment is a procedure in which the controller evaluates the potential risks associated with processing the personal data of consumers. This assessment helps identify the risks involved in your processing activities and determines the necessary measures to mitigate those risks.

It is not required by all businesses, but it is good practice. If you are not sure whether you need to conduct one, it is better to opt for it.

The law explicitly states that businesses must conduct and document a Data Protection Assessment in the following scenarios:

Sale of personal data

Processing of sensitive data

Processing data for targeted advertising

Processing of data for profiling

Any other processing that presents an elevated risk to consumers.

What are the ICDPA consumer rights and requests?

Consumers have the ability to exercise these rights by submitting requests to your organization, and it is essential for you to comply with these requests to avoid potential penalties.

Consumers have the right to:

Know about the processing

Access data

Have their data deleted

Data portability

Correction of data

Opt-out of the sale of data, targeted advertising, or profiling

Opt-in for the processing of sensitive data

You must respond to the request within 45 days. You can take an additional 45 days for complex requests, but keep in mind that it will rarely be justified.

How is ICDPA enforced, and what are the penalties?

Indiana has not established a data protection agency like California. It follows the trend of all the other US states that have given power to the Attorney General to enforce the law.

The Attorney General has the power to investigate violations and issue businesses a notice with a 30-day cure period.

If you don't remedy the violation within 30 days, you may be fined up to $7,500 per violation.

Sign up to our newsletter and get the latest news on data privacy

USA

Continue Reading

CCPA vs. GDPR: What Businesses Need to Know

HIPAA Privacy Policy: Essential Website Compliance for Healthcare Organizations

Iowa Consumer Data Protection Act (ICDPA): Comprehensive Data Privacy Law Overview for Iowa Businesses

What is the Indiana Consumer Data Protection Act (ICDPA)?

Does the ICDPA apply to your business?

Are some businesses or data exempt from ICDPA?

What is ICDPA personal data?

What is ICDPA sensitive data?

What are the general duties of controllers and processors under the ICDPA?

What is a data processing contract?

What is a privacy notice according to the ICDPA?

Is it necessary to obtain consumer consent for data processing?

Are we required to honor universal opt-out mechanisms?

What is a Data Protection Assessment?

What are the ICDPA consumer rights and requests?

How is ICDPA enforced, and what are the penalties?

Sign up to our newsletter and get the latest news on data privacy