Indiana Privacy Law (INCDPA): What Small Businesses Need to Know

The Indiana Consumer Data Protection Act (INCDPA) takes effect January 1, 2026 and applies to any business processing the personal data of 100,000 or more Indiana consumers in a calendar year. There is no annual revenue threshold. A secondary trigger captures businesses processing data of 25,000 or more Indiana consumers and deriving 50% or more of revenue from data sales. The Indiana Attorney General is the sole enforcement authority. INCDPA closely follows the Virginia model and is one of the most recent state privacy laws to take effect — businesses with Indiana consumer reach should begin preparing compliance now to be ready for the January 2026 enforcement start.

Does INCDPA Apply to My Business?

INCDPA applies to any person that conducts business in Indiana or produces products or services targeted to Indiana residents AND meets one of two thresholds:

• Controls or processes personal data of 100,000 or more Indiana consumers during a calendar year, OR
• Controls or processes personal data of 25,000 or more Indiana consumers AND derives more than 50% of gross revenue from the sale of personal data.

The threshold logic is OR — only one needs to be met. Like Virginia, Texas, and Colorado, INCDPA has no revenue threshold under either qualifying path.

Indiana accounts for roughly 2.0% of the US population. A national e-commerce store with approximately 5 million annual unique US visitors would, on a population basis, reach 100,000 Indiana consumers. Stores with stronger Midwest or Big Ten regional distribution can hit the threshold at lower volumes.

What Does INCDPA Require?

INCDPA grants Indiana consumers a standard set of state privacy law rights and follows the Virginia model closely.

Consumer rights you must honor. Access, correction, deletion, portability, and opt-out of targeted advertising, sale of personal data, and profiling that produces legal or similarly significant effects. Response deadline is 45 days, with one possible extension. Consumers also have the right to appeal denied requests.

Disclosures you must publish. Privacy notice covering categories of data processed, purposes, third-party sharing categories, and instructions for exercising rights and appealing denials.

Operational practices you must implement. Conduct data protection assessments for high-risk processing activities. Obtain affirmative opt-in consent before processing sensitive personal data. Establish reasonable administrative, technical, and physical security practices. INCDPA does not currently mandate honoring universal opt-out signals like California, Colorado, and Connecticut do.

How INCDPA Affects Small Businesses

INCDPA's January 1, 2026 effective date gives businesses lead time to prepare — but the clock is short. Businesses currently in scope under Virginia, Texas, or other Virginia-model state privacy laws will find INCDPA familiar; the consumer rights, disclosure requirements, and operational practices are nearly identical. The compliance work for Indiana is largely an extension of work already done for other states.

For Shopify merchants and direct-to-consumer brands with national distribution, the practical takeaway is: if you are in scope under Virginia VCDPA, you are likely in scope under INCDPA on the same population basis. Indiana's population is similar in scale to Virginia's, and the threshold mechanics are identical.

The most efficient compliance approach is to extend an existing multi-state privacy program to include Indiana. A privacy notice that already meets Virginia, Texas, and Colorado requirements probably needs only minor updates to add Indiana-specific references. The consumer rights workflow that handles VCDPA requests can be extended to handle INCDPA requests.

The Indiana AG has not yet issued implementing regulations, and INCDPA does not delegate that authority. The statute is the primary source of binding obligations.

Key Differences from Other State Privacy Laws

INCDPA closely tracks the Virginia model and is structurally similar to VCDPA, Texas TDPSA, Iowa ICDPA, Kentucky KCDPA, and Nebraska NDPA. The key distinguishing features are administrative rather than substantive:

Effective date. INCDPA takes effect January 1, 2026 — making it one of the more recent state privacy laws to come online, alongside Kentucky, Rhode Island, and Maryland.

No universal opt-out signal mandate. Unlike California, Colorado, Connecticut, Delaware, and several other states, Indiana does not require businesses to honor GPC or other universal opt-out browser signals. This is a meaningful operational difference for businesses that have already implemented GPC handling for other states.

Cure period. INCDPA includes a permanent 30-day cure period before AG enforcement. This is more protective than the discretionary cure regimes in California, Colorado, and Connecticut.

Compared to California CCPA/CPRA, INCDPA is significantly narrower. California has a dedicated enforcement agency, a private right of action for breaches, GPC requirements, and broader sensitive data protections. Indiana relies on the AG, has no private right of action, and does not require GPC handling.

How to Comply with INCDPA

If INCDPA will apply to your business when it takes effect in January 2026, the following steps establish a baseline.

1. Confirm scope. Calculate annual Indiana consumer count from analytics, customer records, and email lists. If you reach 100,000, or 25,000 with significant data sale revenue, you will be in scope.
2. Update your privacy notice to include Indiana-specific references and disclosures. If you already have a multi-state privacy notice for Virginia, Texas, or Colorado, the work is largely additive.
3. Add opt-out mechanisms for targeted advertising, sale of personal data, and profiling.
4. Build a consumer rights request workflow with the 45-day response deadline tracked.
5. Build a denial appeals process with timely written response.
6. Implement opt-in consent for sensitive data, including the categories enumerated in the statute.
7. Conduct data protection assessments for high-risk processing activities. Document and retain.
8. Document reasonable security practices appropriate to the volume and nature of data you process.
9. Plan for the January 1, 2026 effective date. Have your compliance program documented and operational before the enforcement start date.

INCDPA Enforcement and Penalties

The Indiana Attorney General has exclusive enforcement authority for INCDPA. There is no private right of action — Indiana consumers cannot sue businesses directly. The AG may seek civil penalties of up to $7,500 per violation, plus the reasonable costs of investigation.

INCDPA includes a permanent 30-day cure period before formal enforcement. The AG must provide written notice of the alleged violation, and the business has 30 days to fix the issue and provide a written statement to the AG. If cured within 30 days, the AG may not bring an action for that specific violation. This permanent cure period is more protective than the discretionary or sunset-based regimes in some other states.

Because INCDPA does not take effect until January 1, 2026, there is no enforcement history yet. Businesses should treat the upcoming effective date as a hard deadline for compliance readiness.

Frequently Asked Questions

When does Indiana's privacy law take effect?

Indiana's Consumer Data Protection Act (INCDPA) takes effect January 1, 2026. Now is the time to prepare if Indiana consumers are part of your customer base — the law applies based on consumer count, with no revenue threshold.

Does INCDPA have a revenue threshold?

No. INCDPA applies based on consumer data volume only: 100,000 or more Indiana consumers annually, or 25,000 or more consumers if 50% or more of revenue comes from selling personal data. There is no annual revenue minimum.

Does INCDPA require honoring universal opt-out signals?

No. Unlike California, Colorado, Connecticut, and several other states, Indiana does not currently require businesses to honor the Global Privacy Control browser signal or other universal opt-out mechanisms. Standard opt-out links are sufficient.

What are the penalties for INCDPA violations?

The Indiana Attorney General can seek civil penalties of up to $7,500 per violation, plus reasonable investigation costs. There is no private right of action. INCDPA includes a permanent 30-day cure period — if the business fixes the violation within 30 days of notice, the AG cannot bring an action for that violation.

Is INCDPA similar to other state privacy laws?

Yes. INCDPA closely follows the Virginia VCDPA model. The consumer rights, disclosure requirements, and operational practices are nearly identical to Virginia, Texas, Iowa, Kentucky, and Nebraska. Businesses already complying with VCDPA will find INCDPA largely additive.

Should I start preparing for INCDPA now?

Yes. With a January 1, 2026 effective date and a 30-day cure period that only protects you after notice, the most efficient path is to extend existing multi-state privacy compliance work to cover Indiana before the law takes effect. Last-minute compliance is risky because enforcement can begin on day one.

Check if INCDPA applies to your business → Take the free 5-minute quiz

This guide is for informational purposes only and does not constitute legal advice. Last updated: April 2026.