California lawmakers have passed a critical update to the CCPA, making support for privacy opt-outs mandatory for web browsers and mobile operating systems.
Indiana has become the seventh U.S. state to pass its own data privacy law. Like the other state laws (with the exception of California’s CCPA), it is closely modeled on the Virginia Consumer Data Protection Act. However, like other state laws, it is not quite identical to any its counterparts.
Here is a quick introduction to the major components of Indiana’s privacy law.
Indiana’s privacy law will go into effect on January 1, 2026, giving businesses plenty of time to prepare.
For-profit businesses must comply with the Indiana law if they do business in the state (or target Indiana residents for their products/services), and meet at least one of the following conditions:
Indiana consumers now have the following privacy rights:
Indiana’s definition of personal data mirrors that of other privacy laws, and includes all information that is “linked or reasonably linkable to an identified or identifiable individual.” This covers everything from IP addresses to shopping habits.
Personal data does not include: de-identified data, aggregate data, and publicly available information.
As is the case with several other states, Indiana’s privacy law requires businesses to perform data protection impact assessments for certain types of processing activities. A DPIA is required for:
These assessments must weigh the benefits of a particular processing activity against any potential risks to the consumer, and consider any mitigating safeguards that might be employed.
Each violation of the Indiana privacy law is punishable by civil penalties of up to $7,500, plus payment of the Attorney General’s expenses in investigating and prosecuting the case.
The Indiana privacy law does not grant a private right of action to consumers, meaning they cannot sue a business over alleged violations.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.