An Overview of Indiana Consumer Data Protection Act (Updated)

Posted in Guide Posted on
An Overview of Indiana Consumer Data Protection Act (Updated)

Summary

The Indiana Consumer Data Protection Act (INCDPA), signed on May 1, 2023, will become effective on January 1, 2026. It aims to safeguard the privacy of Indiana residents.

Failure to comply with INCDPS can result in fines and penalties up to $7,500. This guide aims to provide you with a detailed overview of the law’s guidelines and how your business can comply with the law without any challenges.

Are you running a business in the Indiana region? If so, your business must comply with the Indiana Consumer Data Protection Act.

Indiana Governor Eric Columb signed the Indiana Consumer Data Protection Act, or INCDPA, on 1st May 2023.

It is an important privacy legislation that dictates guidelines to safeguard Indiana citizens’ right to privacy and obliges businesses that operate in Indiana, USA, to abide by them.

If your business operates in Indiana and you are concerned about complying with the law, do not worry—you have landed in the right place.

The law will take effect on January 1, 2026, and this guide will give you all of the information you need to make your business compliant before then.

So, let’s start and remember to read through to the end!

Table Of Contents

What is the Indiana Consumer Data Protection Act?

To begin with, let’s begin with the first question about what the law is about.

The Indiana Consumer Data Protection Act, or INCDPA, is similar to other state privacy legislation, differentiated mainly by scope and applicability.

Who Must Comply With the Indiana Consumer Data Privacy Act

Sec.1.(a) of the Indiana Consumer Data Protection Act applies to businesses operating in Indiana or producing products or services targeted to Indiana residents. 

However, ICDPA applies to:

  • Businesses or websites that control the personal data of at least 100,000 Indiana residents or,
  • Processes the data of over 25000 Indiana residents and generates a gross income of over 50% from the data sale.

If the legal terminology sounds quite confusing to you, let’s simplify it. 

Assume that you have an Indiana local eCommerce business and gather any personal data (e.g., name, mailing address, or phone number) of over 1,00,000 Indiana residents. Then, your business must comply with the law. However, the law applies to eCommerce businesses and businesses that operate similarly.

In addition, the law will also apply to you if you run a business that collects the personal details of more than 25000 Indiana users and generates a total income of more than 50% from selling collected data.

Who Are Exempted from Complying with the Indiana Consumer Data Privacy Act

While the Data Protection Act aims to protect Indiana citizens’ privacy rights, specific organizations are exempted under Sec..1 (b) of the law.

The ICDPA is not applicable on:

  • Government agencies, a board authority, or bureau of any political subdivision of the state.
  • Any third party commissioned by the government mentioned above, while in its capacity as representative of the said entity. This provision does not exclude data in the possession or under the control of third parties outside the contract with the said entity.
  • Any financial institutions, affiliates, federal banking agencies, and other regulators are to issue regulations under the Gramm-Leach Bliley Act.
  • Any business associate or covered entity under the privacy, security, and breach notice regulations published by the United States Department of Health and Human Services under HIPAA.
  • Non-profit organizations.
  • Institutions of higher education.
  • Any public utility or service company related to a public utility as herein defined. For this subdivision, “service company” shall refer to an associate company of a holding company system mainly formed to provide goods or services to a public utility of the same holding company system.

Key Requirements of the Indiana Consumer Data Protection Act

Now that we have a clear idea of INCDPA’s applicability, let’s explore some core requirements businesses must follow under this law.

1. Privacy Notices

To comply with ICDPA, businesses must provide a clear and readable privacy notice.

Businesses must present users with clear privacy notices that explain

  1. What personal data is being gathered and why.
  2. Who will the data be shared with?
  3. How can a user enforce his or her rights?

This information must be clear and should be easily understood by the users.

Limitations on Data Processing

The INCDPA also specifies strict guidelines for the processing of personal data. The law states that businesses should collect and process personal information only when it is reasonably necessary and appropriate.

In addition, it should be limited to a specific purpose and should collect sufficient, relevant information within statutory limits.

Moreover, businesses must also employ security measures to protect consumer information from theft or misuse.

Data Protection Impact Assessments (DPIAs)

Data Protection Impact Assessments (DPIAs) are a critical requirement under the INCDPA for businesses engaged in high-risk data operations.

This includes businesses that process personal data for:

  • Targeted advertising
  • Personal data sales
  • Process sensitive information (race, health information, or biometric data) and
  • Other activity that poses a significant threat to consumer privacy.

These assessments examine possible data threats and must be performed for all new data processing activities from January 1, 2026.

However, suppose you are in business operations that require DPIAs to comply with other laws like for CCPA or VCDPA and have previously conducted similar assessments; in that case, you may use them to comply with the INCDPA as well.

Controller-Processor Contracts

If a business processes data with a third-party processor, it should have a written contract outlining the purpose and scope of the processing.

The Controller-processor agreements should:

  • Clearly state what data is being processed and why
  • Create proper instructions to process data
  • Take measures for security and confidentiality to safeguard user data
  • Make sure that any sub-processors follow the same security and privacy requirements

Additionally, processors must help business fulfill their regulatory requirements, including answering consumer questions and informing companies of data breaches.

If the Indiana CDPA’s scope and applicability are clear, let’s explore the rights available to consumers under the law.

What are the Consumer Rights Under Indiana CDPA Law?

Like other state privacy laws, the Indiana CDPA law provides consumers with rights they might use.

According to Sec.1 of ICDPA, a user can use one or more rights established by requesting a data controller.

The INCDPA rights allow users to:

  • Write directly to the data controller and access businesses’ data about them.
  • Users can also ask the controller to delete or obtain a copy of their data.
  • If inaccurate data is present with the controller, a user can request to make changes or update the data previously provided.
  • In addition, the guidelines also allow users to write to and ask the data controller to opt out of sharing or selling their data and targeted advertising.
  • Moreover, if your business deals with data of children (any user under 13 years of age), the law also enforces specific guidelines similar to COPPA that permit parents to exercise legal rights on behalf of their children.

Response Process Under the INCDPA 

The INCDPA requires businesses to respond to consumer requests within 45 days of exercising their rights. If the request is difficult or there are too many requests, the term can be extended by another 45 days (for a total of 90 days).

However, they must notify the consumer of the delay and explain why it is necessary.

If a business declines a user’s request, it must explain why and provide directions on how to appeal the decision. These instructions should be simple to discover and follow, and they should follow the same steps as making the initial request.

If a consumer files an appeal, the business must answer within 60 days, detailing what action was taken or why it did not act. If the appeal is denied, the consumer may submit a complaint with the Indiana Attorney General online or by other means.

INCDPA Enforcement: Fines and Penalties

When a user approaches the Indiana Attorney General, the regulatory authorities investigate the problems and give the data controller 30 days to resolve the allegations.

In addition, during these 30 days, the controller or data provider is also supposed to provide the attorney general (AG) with a written statement confirming the resolution and assuring it will not be repeated.  

However, if the issue remains unresolved, the AG can investigate further, granting relief based on the investigation or imposing a fine of up to $7500 on the business.

Moreover, the imposition of such allegations also hampers businesses’ reputations, which may lead to a loss of credibility.

How Businesses Can Comply With Indiana CDPA Regulations

Now that you have a clear idea of almost everything about and around the Indiana Consumer Data Protection Act, you might wonder how to make your business compliant.

Well, the method is quite simple. You can create legal pages and cookie banners on your website that inform users about your business’s compliance with INCDPA.

Privacy Policy

Privacy policy sample

A privacy policy generally gives users a clear guideline that ensures they have a clear idea of whether your website complies with the INCDPA.

You can either generate a new privacy policy or update your existing policy to align with the INCDPA guidelines.

This measure will effectively guide your users about their rights and your compliance with the law.

Another effective method is to obtain users’ consent when they land on your website through cookie banners or notices.

You can add to your cookie notice the details your website tracks or records when users surf on your website.

How Can You Comply with INCDPA?

As mentioned previously, an updated privacy policy or a cookie notice banner can be among the most effective measures to ensure compliance with the INCDPA.

If you have a WordPress website, the WPLP Compliance platform can be a robust solution for complying with INCDPA and other global privacy laws.

It is a suite of WordPress tools that features two powerful plugins,

  • WP Legal Pages, and 
  • WP Cookie Consent

The WP Legal Pages platform is IAB TCF v 2.2 certified and a registered Google CMP partner.

WP Legal Pages

WP Legal Pages helps you generate legal pages for your website that adhere to global laws, including INCDPA.

It boasts a library of over 35 essential legal pages, including a free privacy policy that users can create using their intuitive wizard.

Moreover, the plugin has a user-friendly interface, multi-language support, and plenty of customization options in the legal page templates.

To learn how to create a privacy policy with the plugin, refer to:

How to Create Privacy Policy
WP Cookie Consent

WP Cookie Consent is another powerful plugin that helps users quickly create cookie notices for their website that comply with data privacy regulations. It enables them to obtain user consent for cookies before placing them on visitors’ devices.

The plugin helps your business stay compliant with legal requirements and provides business owners with insights and analytics of user behaviour.

Moreover, the plugin, similarly to WP Legal Pages, offers a guided wizard with various customization options to edit and style the cookie notice appearance. 

Cookie consent Wizard

Learn How to Add a Cookie Pop-up to Your WordPress Website.

FAQ 

What is Indiana CDPA Law?

The Indiana Consumer Data Protection Act, or INCDPA, is a state privacy legislation that applies to businesses operating in Indiana or producing products or services targeted to Indiana residents. 

Who Does the Indiana CDPA Law Apply To?

The  Indiana Consumer Data Protection Act applies to businesses or websites that control the personal data of at least 100,000 Indiana residents or processes the data of over 25000 Indiana residents and generate a gross income of over 50% from the data sale.

What are the Penalties for Non-Compliance with the Indiana CDPA law?

Non-compliance with the Indiana CDPA law can result in fines and penalties up to $7500.

How Can Businesses Comply With the Indiana Consumer Data Protection Act?

To comply with the Indiana Consumer Data Protection Act (INCDPA), businesses operating in Indiana can generate a new privacy policy or update an existing one according to the law’s guidelines.

In addition, businesses can add about the data they track and take from users through cookie notices.

To create a privacy policy or cookie notice banner for your website, consider using the WPLP Compliance Platform, an all-in-one solution for all its legal requirements.

Conclusion

The Indiana Consumer Data Protection Act (INCDPA), signed in May 2023, is an instrumental legislative policy that will take effect in January 2026.

Built to ensure the dignity and integrity of Indiana consumers’ privacy rights, the law will prevent businesses from misuse of users’ data.

If your business or website operates in Indiana and the law applies to you, tools like WP Legal Pages and WP Cookie Consent are your ideal solution to comply with the law.

If you find this article valuable, you can also consider reading:

Don’t forget to check out the WPLP Compliance platform today!