The Indiana Consumer Data Protection Act (ICDPA) took effect on January 1, 2026, providing regulations handling the personal data of Indiana consumers. To help businesses navigate this legislation, Indiana Attorney General Todd Rokita released the Consumer Data Privacy Bill of Rights to help describe the workings of the ICDPA and clarify guidelines, providing insight into how businesses are expected to implement the law’s requirements.
ICDPA applies to entities that conduct business in Indiana or produce products or services targeted towards Indiana residents, and that fit into one of the following categories during the year:
The Bill of Rights serves as a practical compliance guide for businesses that fall under these classifications by outlining the ICDPA’s thresholds for applicability and scope and highlighting compliance obligations for controllers.
Now that Indiana’s Consumer Data Protection Act is in effect, it may be helpful for consumers to regularly review the contents of the Bill of Rights to familiarize themselves with their rights regarding personal data. Concurrently, organizations can refer back to this in-depth resource to ensure compliance as a data collector. Below is a quick summary of some of the key provisions in the document.
Within the first few pages of the text, you will find the formal definitions for several key terms, including controller, consumer, sensitive data, targeted advertising, and more.
Consumers are Indiana residents who are “acting in a personal, family, or household capacity.” Those acting as employees or in a commercial context are not considered consumers.
Controllers are the entities responsible for collecting data and making decisions about how it’s processed.
A list of 15 Rights afforded to consumers can be found on pages two and three of the Bill of Rights. AG Rokita and the Data Privacy and Identity Theft Unit prepared this resource to address consumer data protection in both brief and comprehensive formats. Section IV, Overview of Consumer Rights under the CDPA, boils it down to four main categories of Rights (listed below), while Section V, Understanding Consumer Rights, provides a more thorough breakdown of each of these categories.
Right to know
The two aspects of this Right are about making sure the consumer is informed about their data:
Right to control
This Right explains how Hoosiers can control what happens with their data in three parts:
Right to protect
In this context, the consumer’s ability to protect the sensitive data of themself and their children consists of:
Right to take action
Consumers have two primary protections when exercising their ICDPA rights:
The Bill of Rights also includes a step-by-step guide for consumers on how to exercise their ICDPA rights, an FAQ section for additional information, and instructions on how to report a business that you believe is violating the ICDPA to the Attorney General.
You can find detailed explanations of all the rights afforded to Indiana consumers in the ICDPA by reviewing the full text of the Data Consumer Bill of Rights here.
Personal data holds significant value in today’s market, and Indiana lawmakers determined that consumers in the Hoosier state deserve the ability to make informed decisions, knowing they are in control of their data and how it’s used. As one of the first states to grant residents control over their personal data in 2023, Indiana aims to help its organizations prevent data breaches and its consumers avoid identity theft by establishing guidelines for handling, editing, and deleting personal data. These directives are expected to benefit organizations and consumers by helping both parties understand proper handling of personal data under Indiana law.
This content is for informational purposes only and shall not constitute legal opinion or advice. Consult your legal counsel to ensure compliance.