The Indiana Consumer Data Protection Act (ICDPA) took effect on January 1, 2026, providing regulations handling the personal data of Indiana consumers. To help businesses navigate this legislation, Indiana Attorney General Todd Rokita released the Consumer Data Privacy Bill of Rights to help describe the workings of the ICDPA and clarify guidelines, providing insight into how businesses are expected to implement the law’s requirements.
ICDPA applies to entities that conduct business in Indiana or produce products or services targeted towards Indiana residents, and that fit into one of the following categories during the year:
- Controlling or processing the personal data of at least 100,000 Indiana consumers.
- Controlling or processing data of at least 25,000 Indiana consumers and deriving over 50% of gross revenue from selling personal data.
The Bill of Rights serves as a practical compliance guide for businesses that fall under these classifications by outlining the ICDPA’s thresholds for applicability and scope and highlighting compliance obligations for controllers.
Now that Indiana’s Consumer Data Protection Act is in effect, it may be helpful for consumers to regularly review the contents of the Bill of Rights to familiarize themselves with their rights regarding personal data. Concurrently, organizations can refer back to this in-depth resource to ensure compliance as a data collector. Below is a quick summary of some of the key provisions in the document.
What you can find in the Data Consumer Bill of Rights
Core Terms Defined
Within the first few pages of the text, you will find the formal definitions for several key terms, including controller, consumer, sensitive data, targeted advertising, and more.
Consumers are Indiana residents who are “acting in a personal, family, or household capacity.” Those acting as employees or in a commercial context are not considered consumers.
Controllers are the entities responsible for collecting data and making decisions about how it’s processed.
Consumer Rights Clarified
A list of 15 Rights afforded to consumers can be found on pages two and three of the Bill of Rights. AG Rokita and the Data Privacy and Identity Theft Unit prepared this resource to address consumer data protection in both brief and comprehensive formats. Section IV, Overview of Consumer Rights under the CDPA, boils it down to four main categories of Rights (listed below), while Section V, Understanding Consumer Rights, provides a more thorough breakdown of each of these categories.
Right to know
The two aspects of this Right are about making sure the consumer is informed about their data:
- The consumer’s right to confirm if a controller is processing their data, and
- To request and receive copies of, or a summary of, the personal data they have shared with a controller in the past.
Right to control
This Right explains how Hoosiers can control what happens with their data in three parts:
- The consumer’s right to correct inaccuracies in their personal data that is held by a controller,
- To delete any of their personal data held by a controller, and
- To receive their personal data in “an easily transferable form.”
Right to protect
In this context, the consumer’s ability to protect the sensitive data of themself and their children consists of:
- Opting out of having their personal data processed for targeted advertising, profiling and being sold.
- Requiring explicit opt-in from the consumer (or, in the case of children, their parent or guardian) before processing can occur.
Right to take action
Consumers have two primary protections when exercising their ICDPA rights:
- Consumers should not be treated differently for invoking their ICDPA rights against a controller, and
- They have the right to appeal an ICDPA request refused by a controller and receive a response within 60 days.
The Bill of Rights also includes a step-by-step guide for consumers on how to exercise their ICDPA rights, an FAQ section for additional information, and instructions on how to report a business that you believe is violating the ICDPA to the Attorney General.
You can find detailed explanations of all the rights afforded to Indiana consumers in the ICDPA by reviewing the full text of the Data Consumer Bill of Rights here.
Taking steps to improve data privacy in Indiana
Personal data holds significant value in today’s market, and Indiana lawmakers determined that consumers in the Hoosier state deserve the ability to make informed decisions, knowing they are in control of their data and how it’s used. As one of the first states to grant residents control over their personal data in 2023, Indiana aims to help its organizations prevent data breaches and its consumers avoid identity theft by establishing guidelines for handling, editing, and deleting personal data. These directives are expected to benefit organizations and consumers by helping both parties understand proper handling of personal data under Indiana law.
This content is for informational purposes only and shall not constitute legal opinion or advice. Consult your legal counsel to ensure compliance.
