On May 1, 2023, Indiana became the latest state to enact a consumer data protection law, joining a growing list of states taking steps to protect consumers' personal information. The new law, known as the Indiana Consumer Data Protection Act (CDPA), requires certain for-profit businesses to implement specific data protection measures to safeguard personal information.
The law goes into effect on January 1, 2026.
Who Is Subject to This New Law?
The CDPA applies to any business that:
- Conducts business in Indiana, and
- Meets at least one of the following thresholds:
  - Controls or processes personal data of at least 100,000 Indiana residents
  - Controls or processes personal data of at least 25,000 Indiana residents while also deriving more than 50% of its annual revenue from selling personal data
The law specifically excludes a number of organizations, including:
- Non-profits
- Public utilities
- Higher education institutions
- State agencies and those acting on their behalf
- HIPAA-covered entities and their business associates
- Financial institutions and affiliates under the purview of the GLBA
What Consumer Protections Does the Law Require?
Some of the key requirements include:
- Privacy Policy Notice
  Businesses must provide consumers with a clear, concise notice of their data collection along with the use and sharing of this data. Policies must also inform consumers about exercising their consumer rights under the Act.
- Consumer Rights
  Businesses must provide consumers certain rights over their personal information, such as:
  - Deleting data
  - Accessing data
  - Transferring data
  - Correcting data (applies to personal data supplied by the consumer)

  Businesses will have 45 days to respond to consumer rights requests.
- Consumer Opt-Outs
  Businesses must give consumers the ability to opt out from:
  - Profiling
  - Targeted advertising
  - The sale of their personal data
- Sensitive Personal Data
  Businesses must obtain consent before processing sensitive consumer data.
- Service Contracts
  Businesses utilizing third-party data processors must have binding agreements governing how personal data will be processed including:
  - The type of data used
  - The processing purpose
  - The duration of processing
What Are the Costs of Non-Compliance With the CDPA?
The law provides civil penalties of up to $7,500 for each violation.
Additionally, non-compliance can result in reputational harm and loss of consumer trust. This penalty is difficult to quantify, but it may have significant, long-term consequences for businesses.
There is no private right of action under the CDPA. All actions are pursued by the Indiana Attorney General. Before the AG can pursue an action, they must provide written notice to companies and give them 30 days to cure the violation.
Conclusion
The Indiana Consumer Data Privacy Act follows the growing trend of states protecting the personal information of their residents. Indiana’s Act contains some similarities with comparable laws in other states. Businesses subject to the Indiana law should conduct a thorough analysis of this law and make sure their procedures comply by January 1, 2026.
If your business needs assistance with complying with the CDPA, Blatt Law Group, LLC is ready, willing, and able to help. Our experienced cybersecurity and privacy lawyers can provide guidance and support. We want to help your business meet its compliance obligations and avoid costly penalties. Don't hesitate to reach out to us for assistance with navigating this new legal landscape. You can contact us online or call us directly at (317) 733-5781.