Indiana Consumer Data Protection Act (INCDPA)

Indiana's comprehensive privacy law, one of the most recent to take effect (January 2026). Follows the VCDPA template with one notable carve-out — portability may be fulfilled in summary format rather than as full raw-data export.

Overview

The Indiana Consumer Data Protection Act (INCDPA), codified at Ind. Code § 24-15-1 et seq. and enacted as SB 5 (2023), became effective January 1, 2026. Indiana closely follows the Virginia template — standard set of consumer rights, standard thresholds, standard exemptions — with a single meaningful carve-out: portability may be fulfilled in summary format rather than as a full raw-data export. This reduces implementation burden on controllers but provides less utility to consumers.

Applicability: (a) 100,000+ Indiana consumers processed per year, or (b) 25,000+ consumers AND 50%+ of gross revenue from data sales — identical to Virginia's thresholds.

Exemptions follow the VCDPA template: HIPAA, GLBA, non-profits, higher-ed, FCRA/DPPA/FERPA/COPPA-regulated data, employee/B2B.

Consumer Rights

Right to confirm and access
Right to correct
Right to delete
Right to data portability — in summary format, not necessarily raw data export
Right to opt out of sale, targeted advertising, and profiling
Right to appeal

Sensitive data (race, religion, health diagnosis, sexual orientation, citizenship, genetic/biometric identifiers, minors under 13, precise geolocation) requires opt-in consent.

Compliance Requirements

Controllers must publish privacy notices, perform DPIAs for high-risk processing, and execute processor contracts per § 24-15-6. GPC/UOOM is not required — Indiana is in the no-UOOM camp along with Virginia, Utah, Iowa, Tennessee, and Kentucky.

Because INCDPA took effect recently (January 2026), enforcement is expected to be moderate in the early months, though the cure period is relatively short.

Cure Period + Enforcement

The Indiana AG holds exclusive enforcement authority. Penalties reach $7,500 per violation. The 30-day cure period is active.

How Inori Addresses This

Notice: src/content/legal/privacy.mdx v1.2 satisfies INCDPA disclosure requirements.
DSAR: /api/dsar serves access, correction, deletion, and portability with a 30-day SLA. Inori provides structured JSON exports that satisfy both raw-data and summary-format interpretations — Indiana residents receive the richer format by default.
GPC: Honored via middleware.ts:respectGpc even though Indiana does not require it — part of Inori's multi-state posture.
Hard purge: 90-day cron deletes tenant data after account closure.
Sensitive data: Not collected.
Deferred: Formal DPIA register ships in a later sprint. Because INCDPA mirrors VCDPA, the compliance stack for Virginia automatically covers Indiana.

See CCPA/CPRA for the California baseline, VCDPA for the template Indiana follows, and CTDPA, TDPSA, MCDPA for sister-state laws. DSAR describes the unified request pipeline. GPC covers the opt-out signal Indiana does not require but Inori honors.

See how Inori handles indiana consumer data protection act (incdpa)

Try our free COI checker first, or start a free trial of the full platform.

Free COI Checker Start Free Trial

Indiana Consumer Data Protection Act (INCDPA)

Overview

Applicability: (a) 100,000+ Indiana consumers processed per year, or (b) 25,000+ consumers AND 50%+ of gross revenue from data sales — identical to Virginia's thresholds.

Exemptions follow the VCDPA template: HIPAA, GLBA, non-profits, higher-ed, FCRA/DPPA/FERPA/COPPA-regulated data, employee/B2B.

Consumer Rights

Right to confirm and access
Right to correct
Right to delete
Right to data portability — in summary format, not necessarily raw data export
Right to opt out of sale, targeted advertising, and profiling
Right to appeal

Sensitive data (race, religion, health diagnosis, sexual orientation, citizenship, genetic/biometric identifiers, minors under 13, precise geolocation) requires opt-in consent.

Compliance Requirements

Because INCDPA took effect recently (January 2026), enforcement is expected to be moderate in the early months, though the cure period is relatively short.

Cure Period + Enforcement

The Indiana AG holds exclusive enforcement authority. Penalties reach $7,500 per violation. The 30-day cure period is active.

How Inori Addresses This

Notice: src/content/legal/privacy.mdx v1.2 satisfies INCDPA disclosure requirements.
DSAR: /api/dsar serves access, correction, deletion, and portability with a 30-day SLA. Inori provides structured JSON exports that satisfy both raw-data and summary-format interpretations — Indiana residents receive the richer format by default.
GPC: Honored via middleware.ts:respectGpc even though Indiana does not require it — part of Inori's multi-state posture.
Hard purge: 90-day cron deletes tenant data after account closure.
Sensitive data: Not collected.
Deferred: Formal DPIA register ships in a later sprint. Because INCDPA mirrors VCDPA, the compliance stack for Virginia automatically covers Indiana.

See how Inori handles indiana consumer data protection act (incdpa)

Try our free COI checker first, or start a free trial of the full platform.

Free COI Checker Start Free Trial

Indiana Consumer Data Protection Act (INCDPA)

Overview

Consumer Rights

Compliance Requirements

Cure Period + Enforcement

How Inori Addresses This

Related Concepts

See how Inori handles indiana consumer data protection act (incdpa)

Indiana Consumer Data Protection Act (INCDPA)

Overview

Consumer Rights

Compliance Requirements

Cure Period + Enforcement

How Inori Addresses This

Related Concepts

See how Inori handles indiana consumer data protection act (incdpa)