Indiana is set to become the 7^th US state to enact a comprehensive data protection law, after its legislature has passed Indiana’s Consumer Data Protection Act. The new act, modeled after the privacy legislation in Virginia, Utah, and Iowa is expected to be approved by the Governor shortly and extend privacy protections in the US.

The new act, once enacted, will take effect on 1 January 2026. It would include the following key requirements:

• Scope: The act applies to businesses operating in Indiana that meet specific thresholds, such as processing personal data of more than 100,000 Indiana consumers or processing personal data of at least 25,000 Indiana consumers while deriving 50 percent or more of their income from the “sale” of personal data. Certain organizations and activities are exempt.

• Exclusions: Indiana’s new act does not cover personal data related to job applicants, employees, agents, or independent contractors of a business, as long as the data is collected and used within the context of their professional role. In addition, the act exempts several entities, such as state entities, third-party contractors working on behalf of state entities, financial institutions under the federal Gramm-Leach-Bliley Act, HIPAA-covered entities, nonprofit organizations, institutions of higher education, and public utilities with affiliated service companies.

• Consumer rights: the act provides consumers the right to opt-out of the sale of personal data and targeted advertising. The term “sale” refers to the exchange of personal data for monetary consideration between a controller and a third party. “Targeted advertising” is defined as displaying ads to consumers based on their personal data, collected from their activities over time and across non-affiliated websites or applications, in order to predict their preferences or interests. In addition, the act includes privacy rights commonly found in other state privacy laws, such as the right to access, delete, and correct personal data.

• Sensitive data: the act requires consent to process sensitive data, which includes information such as racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, genetic or biometric data for identifying an individual, personal data collected from a known child, precise geolocation data and health diagnosis, as long as is has been made by a healthcare provider.

• Processors obligation: The act mandates specific contractual provisions between controllers and processors relating to personal data handling and audit rights, similar to the Virginia and Colorado laws, and, to some extent, similar to the requirement of the European GDPR. Such contracts must include, among other things, provisions requiring the processor to ensure confidentiality for individuals processing personal data, delete or return personal data to the controller upon request (unless legally required to retain it), provide information demonstrating compliance with Indiana’s data protection act, allow and cooperate with reasonable assessments by the controller or its designated assessor, and engage subcontractors under a written contract that requires them to meet the processor’s obligations concerning personal data.

• Enforcement: Businesses would have a 30-day right to cure violations. If a business fails to cure a violation, the Attorney General may initiate an action for injunctive relief and civil penalties of up to $7,500 per violation. Unlike the privacy law in California (but similarly to all other US state privacy laws so far), the act does not provide a private right of action.

Companies providing services to consumers in the United States should evaluate their exposure to this additional data protection regulatory regime in Indiana. Feel free to contact us if you have any questions regarding the new act ‎and its practical implications.