Following closely behind Iowa’s new privacy law, on April 20, Indiana passed its consumer privacy act (SB 5) (Privacy Act), making the state the seventh to adopt what is generally considered a comprehensive consumer privacy law. The Privacy Act takes effect January 1, 2026, giving companies over two-and-a-half years to comply with provisions, which are similar to the privacy bills that have come before it, particularly the Virginia Consumer Data Protection Act (VCDPA).

Who is Covered?

Indiana’s Privacy Act applies to entities (known as controllers) that conduct business in Indiana or produce products or services that are targeted to residents of Indiana, and that during the preceding calendar year:

  • Control or process the personal data of 100,000 or more Indiana residents (consumers), or
  • Control or process the personal data of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data.

There are some notable exclusions from who is covered under the law, including public utility companies.

What Rights are Granted?

The law takes a middle path in its treatment of companies and consumers, adopting some provisions that are consumer-friendly and others that are more business-friendly. Some of the consumer-specific rights include:

  • The right to know whether a controller is processing the consumer’s personal data.
  • The right to delete personal data provided by or obtained about the consumer.
  • The right to a copy of personal data or a “representative summary” of personal data previously provided to the controller, provided in a form within the discretion of the controller.
  • The right to correct inaccuracies in personal data that the consumer previously provided to the controller.
  • The right to opt out of the use of consumer’s personal data for targeted advertising, the sale of personal data, and profiling in furtherance of automated decisions that produce legal or other significant effects concerning the consumer.
  • The right to appeal a controller’s refusal to take action on one of the above requests by a consumer.

As noted, the Indiana Privacy Act largely tracks the VCDPA and, therefore, is more business-friendly than the Colorado and Connecticut laws but more consumer-friendly than the Utah and Iowa laws. Many of the same protective provisions found in other states’ privacy laws are included in the Indiana Privacy Act, including controllers’ obligations to: correct inaccuracies in personal data, conduct data protection assessments, maintain privacy notices, and practice data minimization. Additionally, the consumer must opt in for a controller to process their sensitive data.

Some of the rights above, however, are modified in a business-friendly way compared to other states’ laws. For example, the right to a copy of personal data is limited insofar as it can be provided in a form chosen by the controller. Also, the right to correct only applies to information provided by an individual and not to information collected from other sources. There is no right to use of personal data for targeted advertising, and sale or profiling does not require consent, but rather is subject to an opt out after the fact.

How Can it be Enforced?

The Privacy Act does not provide for a private right of action and the Indiana Attorney General (AG) is granted exclusive authority to enforce a violation of the law. The AG will provide the controller with notice of the specific violation and allow 30 days to cure before the AG can take action. To cure the violation, the controller must fix any problematic activity and then provide the AG with an express written statement that the alleged violation has been cured and actions have been taken to ensure that the same violation will not re-occur. This right does not sunset, and Indiana has not provided the AG with any rulemaking authority. If an enforcement action follows a cure period, violations of the law are subject to fines of up to $7,500 per violation.

The Privacy Act’s 2026 effective date may prove to be an interesting twist in compliance. With two future legislative sessions during this period, the potential for the Privacy Act to undergo further changes is significant as the legislature considers changes in technology and the political environment. If such amendments are made ahead of the Privacy Act’s effective date, they could create operational difficulties for companies similar to those faced because of the delayed delivery of privacy rules in California and Colorado. The cure provision, however, should help companies in their compliance efforts, assuming the provision remains.

On the brighter side, if a company is complying with other state privacy laws and extends its privacy practices to activities in Indiana, the company will likely be in compliance (or at least close to compliance), as these provisions are generally required by other states’ privacy laws.

If you have questions about the Indiana consumer privacy law and how it could affect you or your business, please contact the authors.