
Indiana Consumer Data Protection Act (ICDPA) Compliance Checklist for 2026 



ICDPA compliance is now a legal obligation for thousands of Indiana businesses, following the law’s effective date of January 1, 2026. The Indiana Consumer Data Protection Act gives Indiana residents new rights over their personal data and empowers the Attorney General to pursue fines of up to $7,500 per violation. Indiana ranked second in the nation for cybercrime complaints per capita in 2024, according to an FBI IC3 analysis, with 342 complaints per 100,000 residents — making a strong compliance posture more important than ever. 

In this article, we’ll cover who the ICDPA applies to, what your core obligations are, and what happens if you fall short. 

Does the ICDPA Apply to Your Business? 

The ICDPA applies to for-profit entities that conduct business in Indiana and meet at least one of the following thresholds during a calendar year: 

  • Volume threshold: controls or processes the personal data of 100,000 or more Indiana residents. 
  • Revenue threshold: controls or processes the personal data of 25,000 or more Indiana residents AND derives more than 50% of gross revenue from selling personal data. 

If you fall below both, you are not currently in scope. Nonprofits, state agencies, higher education institutions, and entities fully governed by HIPAA or GLBA are also exempt, as is employee and B2B data. 

If you’re unsure whether your data operations meet these thresholds, a compliance assessment can help you map your exposure before committing to a full program. 

ICDPA Compliance Checklist for 2026 

This checklist groups your ICDPA obligations into four core areas. 

Let’s look at each one: 

1. Privacy Notice and Consumer Rights 

Your website must display a clear, accessible privacy notice that covers: categories of personal data collected, purposes for processing, consumer rights, opt-out mechanisms, and third-party disclosures. Consumers have the right to access, correct, delete, and port their data. They can also opt out of targeted advertising, data sales, and profiling. 

You must respond to verified consumer requests within 45 days (extendable by another 45 days when necessary). Denied requests require a stated reason and a path to appeal, with appeal responses due within 60 days. 

2. Data Minimization and Retention 

Here are the key data handling requirements: 

  • Purpose limitation. Collect only what you need for a stated purpose. Do not repurpose data without a legal basis. 
  • Data minimization. Limit collection to what is adequate and relevant to that purpose. 
  • Retention limits. Delete or de-identify personal data when it is no longer needed. 
  • Security safeguards. Implement reasonable technical and organizational measures to protect data from unauthorized access or disclosure. 

3. Data Protection Assessments (DPIAs) 

DPIAs are mandatory before engaging in high-risk processing activities, including targeted advertising, selling personal data, profiling with significant effects on individuals, and processing sensitive data categories. The ICDPA’s sensitive data definition covers: racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, citizenship status, biometric data, precise geolocation, and children’s data under 13. Each of these requires opt-in consent before processing. 

4. Consumer Rights Request Process 

Build and document an internal process to handle requests: 

  • A clear submission method (web form, email, or secure portal) 
  • An identity verification step to authenticate the requesting consumer 
  • Internal routing to meet the 45-day response window 
  • Denial and appeal workflows with the required timelines 
  • Records of requests received and actions taken 
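The workflow above is easier to audit when the deadlines and state transitions are enforced by the intake system rather than by memory. The following tracker is an added example written for this article, not tooling from CyberGlobal or any product; class and function names are hypothetical, the dates are constructed, and the rules that an extension can be taken only once and only before the original deadline lapses are operational assumptions, not text from the statute.

```python
"""Minimal consumer-rights request tracker (added example; hypothetical names).

It models the workflow the checklist describes: intake, identity verification,
the 45-day response window with one 45-day extension, denial with a stated
reason, appeal with a 60-day response window, and an append-only record of
every action taken on the request.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional, Tuple

RESPONSE_DAYS = 45   # initial response window
EXTENSION_DAYS = 45  # one additional window "when necessary"
APPEAL_DAYS = 60     # window to answer an appeal


class Status(Enum):
    RECEIVED = "received"
    VERIFIED = "verified"
    COMPLETED = "completed"
    DENIED = "denied"
    APPEALED = "appealed"
    APPEAL_RESOLVED = "appeal_resolved"


@dataclass
class ConsumerRequest:
    request_id: str
    received: date
    right: str                      # e.g. "access", "delete", "opt_out_sale"
    status: Status = Status.RECEIVED
    due: date = field(init=False)
    extended: bool = False
    appeal_due: Optional[date] = None
    log: List[Tuple[str, str, str]] = field(default_factory=list)  # (date, status, action)

    def __post_init__(self) -> None:
        self.due = self.received + timedelta(days=RESPONSE_DAYS)
        self._record(self.received, "request received")

    def _record(self, when: date, action: str) -> None:
        # Append-only: nothing is ever removed from the log.
        self.log.append((when.isoformat(), self.status.value, action))

    def _require(self, *allowed: Status) -> None:
        if self.status not in allowed:
            raise ValueError(f"{self.request_id}: not allowed in state {self.status.value}")

    def verify(self, when: date, method: str) -> None:
        # Nothing is disclosed, corrected or deleted until the requester is authenticated.
        self._require(Status.RECEIVED)
        self.status = Status.VERIFIED
        self._record(when, f"identity verified via {method}")

    def extend(self, when: date, reason: str) -> None:
        # Assumption for this example: one extension, taken only while the
        # original window is still open. The article does not spell this out.
        self._require(Status.RECEIVED, Status.VERIFIED)
        if self.extended:
            raise ValueError("only one extension is allowed")
        if when > self.due:
            raise ValueError("cannot extend after the response deadline has lapsed")
        self.extended = True
        self.due += timedelta(days=EXTENSION_DAYS)
        self._record(when, f"deadline extended to {self.due.isoformat()}: {reason}")

    def complete(self, when: date) -> None:
        self._require(Status.VERIFIED)
        self.status = Status.COMPLETED
        self._record(when, "request fulfilled")

    def deny(self, when: date, reason: str) -> None:
        # A denial must carry a reason so the consumer can appeal it.
        self._require(Status.VERIFIED)
        if not reason.strip():
            raise ValueError("a denial requires a stated reason")
        self.status = Status.DENIED
        self._record(when, f"request denied: {reason}")

    def appeal(self, when: date) -> None:
        self._require(Status.DENIED)
        self.status = Status.APPEALED
        self.appeal_due = when + timedelta(days=APPEAL_DAYS)
        self._record(when, f"appeal received, response due {self.appeal_due.isoformat()}")

    def resolve_appeal(self, when: date, outcome: str) -> None:
        self._require(Status.APPEALED)
        self.status = Status.APPEAL_RESOLVED
        self._record(when, f"appeal resolved: {outcome}")

    def is_overdue(self, today: date) -> bool:
        """True if an open request or appeal has passed its deadline."""
        if self.status in (Status.RECEIVED, Status.VERIFIED):
            return today > self.due
        if self.status is Status.APPEALED:
            return today > self.appeal_due  # appeal_due is set when status becomes APPEALED
        return False


def overdue(requests: List[ConsumerRequest], today: date) -> List[str]:
    """IDs of requests that need escalation today (the internal routing step)."""
    return [r.request_id for r in requests if r.is_overdue(today)]


if __name__ == "__main__":
    # Constructed sample request for a stand-alone run.
    r = ConsumerRequest("REQ-0001", date(2026, 1, 10), "access")
    r.verify(date(2026, 1, 12), "emailed one-time link")
    r.extend(date(2026, 2, 1), "records held by a processor")
    for entry in r.log:
        print(entry)
    print("overdue today:", overdue([r], date.today()))
```

The point of routing every action through the object is that the log, the deadline and the state can never disagree: a denial without a reason, a second extension, or an extension filed after the window closed is rejected outright rather than discovered during an Attorney General inquiry.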

What Happens if You Don’t Comply? 

The ICDPA is enforced solely by the Indiana Attorney General – consumers have no private right of action. 

Here’s what can happen if you fail to meet these requirements: 

  1. 30-day written notice. The AG must identify the specific violation in writing before pursuing penalties. 
  2. Cure period. You have 30 days to fix the issue. Indiana’s cure period is permanent – it does not expire after a set number of uses. 
  3. Civil penalties. If uncured, the AG may pursue up to $7,500 per violation, which can compound across consumers and data categories quickly. 

How the ICDPA Fits with Other Indiana Laws 

ICDPA compliance is one piece of a broader picture. Indiana’s Data Breach Notification Law (Indiana Code § 24-4.9) operates independently and requires businesses to notify affected individuals and the Attorney General within 45 days of discovering a breach — regardless of ICDPA applicability. Penalties for non-compliance can reach $150,000 per deceptive act. 

Senate Enrolled Act 472, effective July 1, 2025, adds mandatory cybersecurity policies and incident reporting requirements for Indiana state agencies, political subdivisions, and school systems. If your business contracts with any of these entities, your vendor obligations now extend to SEA 472 as well. You can learn more in our guide to cybersecurity compliance in Indiana (cybergl.com/indiana/blog/cybersecurity-compliance-indiana/). 

Frequently Asked Questions 

What is the ICDPA? 

The Indiana Consumer Data Protection Act is Indiana’s comprehensive state privacy law, effective January 1, 2026. It gives Indiana residents rights to access, correct, delete, and opt out of sales of their personal data, and it requires businesses meeting certain thresholds to build compliance programs around those rights. 

Who does the ICDPA apply to? 

The ICDPA applies to for-profit businesses that control or process the personal data of 100,000 or more Indiana residents in a calendar year, or 25,000 or more if more than 50% of gross revenue comes from selling personal data. Nonprofits, HIPAA-covered entities, GLBA-covered financial firms, and government agencies are exempt. 

What are the penalties for violating the ICDPA? 

The Indiana Attorney General can pursue civil penalties of up to $7,500 per violation after providing a 30-day cure notice. If a business cures the violation within 30 days, the AG cannot continue with that specific action. 

Are Data Protection Assessments required under the ICDPA? 

Yes. DPIAs are required for high-risk activities, including targeted advertising, data sales, profiling with significant effects, and processing sensitive data. While no mandatory format is prescribed, assessments must document the purpose, risks, and safeguards for the activity. 

Strengthen Your Compliance Program with CyberGlobal Indiana 

The ICDPA is live, the AG’s office is active, and Indiana’s threat environment remains one of the most demanding in the country. Building a solid compliance program now is far less costly than responding to a violation later. 

But you don’t have to figure it out alone. Behind our compliance frameworks, there are real people, professionals who understand Indiana’s regulatory landscape and the industries that power the state’s economy. CyberGlobal has helped organizations trusted by global brands like Mercedes-Benz and Red Bull build security and privacy programs that hold up under scrutiny. We’re ready to be your ally in this, every step of the way. 

Secure Your Business With CyberGlobal Indiana 

ICDPA compliance is not a one-time project – it’s an ongoing program. Let’s build one that works for your business. 
