Indiana becomes the 7th state to pass a comprehensive privacy law

The Indiana Consumer Data Protection Act is set to take effect in 2026

Alexis Kateifides
Program Director, Centers of Excellence, OneTrust
May 4, 2023

Front entrance of government building

On May 2, 2023, Indiana Governor Eric Holcomb signed Senate Bill 5 into law – making it the 7th state in the US with a comprehensive state privacy law. The bill bears many similarities to other recent state laws, such as those in Virginia, Utah, and Iowa

Which businesses does this law apply to? 

The law applies to companies that do business in Indiana or produce products or services that are targeted to residents of Indiana and: 

  1. Control or process the personal data of 100,000 customers or more; or  
  2. Control or process personal data of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data.

What are the key highlights of the law?

As noted, Indiana’s Consumer Data Protection Act shares many similarities with Virginia’s Consumer Data Protection Act.  


Consent is defined as “a clear affirmative act that signifies a consumer’s freely given, specific, informed, and unambiguous agreement” to process their personal data. Indiana’s data privacy law operates on an opt-out mechanism. 

Sensitive Personal Information 

Under this law, SPI is considered to be any personal data that falls under the categories below. 

  1. Racial or ethnic origin 
  2. Religious beliefs
  3. Health data 
  4. Sexual orientation
  5. Citizenship status 
  6. Genetic / Biometric data
  7. Children’s data 
  8. Geolocation

Data controllers must receive additional consent from a consumer to process sensitive personal information. 

Consumer Rights

Indiana’s law affords the following privacy rights to consumers.  

  1. Right to access
  2. Right to correction 
  3. Right to deletion
  4. Right to obtain a copy of data 
  5. Right to opt out of targeted advertising, behavioral profiling, sale of personal data

The response period under Indiana’s privacy law entails that data controllers should respond to consumers within 45 days of a consumer rights request. This can be extended by an additional 45 days if “reasonably necessary”, depending on the complexity and volume of consumer requests – however, these extensions must be communicated to consumers within the initial 45-day period.  

Data Protection Impact Assessments

Controllers are required to conduct a DPIA when the following activities are taking place: 

  1. Personal data processed for targeted advertising
  2. Personal data sold 
  3. SPI is being processed
  4. Personal data processed for profiling with any “foreseeable” risk 
  5. Personal data processed with heightened risk to consumers

Privacy Notices 

The Indiana Consumer Data Protection Act states that data controllers must provide a “reasonably accessible, clear, and meaningful” privacy notice to its consumers. This notice has to include the following information:

  1. Categories of personal data processed 
  2. Purpose of processing personal data
  3. Mechanism for consumers to exercise their rights (e.g. right to appeal, correction, etc.) 
  4. Categories of personal data shared with third parties
  5. Categories of third parties that personal data is being shared with 

What does this mean for your organization? 

This latest comprehensive state privacy law is set to go into effect in 2026, so organizations will have time to prepare. Also, by this time organizations will have compliance measures for other state laws that come into effect this year in place, including Virginia’s CDPA, which shares many similarities with Indiana’s state privacy law.  

How can OneTrust help with compliance? 

OneTrust DataGuidance can help your organization stay compliant with the latest news and updates on privacy regulatory changes worldwide, with blogs, infographics, eBooks, and checklists – giving you the tools to understand new regulations and update your data processes to maintain compliance.  

Stay up to date on all the latest US privacy law updates with the DataGuidance US Privacy Law tracker, with effective dates, US privacy news, insights, and overviews all in one place. 

You may also like


Privacy Management

Managing data transfers

Register for this free webinar to learn how to effectively manage international data transfers in the wake of Schrems II.

July 18, 2023

Learn more


Privacy Management

New states, new dates: Preparing for Indiana, Montana, Tennessee and Florida state privacy laws

Join our expert panel where we examine upcoming privacy legislation in Indiana, Montana, Tennessee, and Florida and the key requirements of each law.

June 20, 2023

Learn more


Privacy Automation

US privacy laws on the horizon: Which states will be next?

Join our live webinar as OneTrust DataGuidence and privacy experts examine new privacy legislation in Indiana, Montana, Tennessee, Florida, and Texas.

June 15, 2023

Learn more