🇺🇸
USA - Indiana

Applicability of the Indiana Consumer Data Protection Act (ICDPA) in USA - Indiana

Indiana's data protection framework is governed by state-level legislation that addresses consumer privacy rights and data handling obligations. The primary role of this legislation is fulfilled by the Indiana Consumer Data Protection Act, which establishes comprehensive data protection requirements for businesses operating within the state.

The Indiana Consumer Data Protection Act was adopted on May 1, 2023, and is scheduled to become effective on January 1, 2026.

Material Applicability

The ICDPA's material scope is determined by the following factors:

  • Number of Data Subjects
  • Revenue-Based Applicability
  • Government and Public Agency Exemption
  • Central Bank and Financial Institutions Exclusion
  • Sectoral Exceptions Regulated by Other Laws
  • Exemption for Specific Purposes of Processing

Threshold Requirements

ICDPA Ch.1(1)(a):

"This article applies to a person that conducts business in Indiana or produces products or services that are targeted to residents of Indiana and that during a calendar year:(1) controls or processes personal data of at least one hundred thousand (100,000) consumers who are Indiana residents; or(2) controls or processes personal data of at least twenty-five thousand (25,000) consumers who are Indiana residents and derives more than fifty percent (50%) of gross revenue from the sale of personal data."

The law applies to entities meeting either of these thresholds:

  • Processing data of 100,000+ Indiana residents
  • Processing data of 25,000+ Indiana residents while deriving over 50% of revenue from data sales

Exempted Entities

ICDPA Ch.1(1)(b):

"This article does not apply to any of the following:(1) The state, a state agency, or a body, authority, board, bureau, commission, district, or agency of any political subdivision of the state(2) Any financial institutions and affiliates, or data subject to Title V of the federal Gramm-Leach-Bliley Act(3) Any covered entity or business associate governed by HIPAA"

The law excludes:

  • Government entities and agencies
  • Financial institutions under GLBA
  • HIPAA-covered entities
  • Nonprofit organizations
  • Higher education institutions
  • Public utilities

Exempted Data Categories

ICDPA Ch.1(2):

"The following information and data are exempt from this article:(1) Protected health information under HIPAA(9) Personal information [...] regulated by the federal Fair Credit Reporting Act(10) Personal data [...] under the federal Driver's Privacy Protection Act(11) Personal data regulated by the federal Family Educational Rights and Privacy Act"

The law exempts data already regulated by:

  • HIPAA
  • FCRA
  • DPPA
  • FERPA
  • Farm Credit Act

Territorial Applicability

The ICDPA applies to entities that either:

  • Conduct business in Indiana
  • Produce products or services targeted to Indiana residents


🇺🇸

USA - Indiana

keyboard_arrow_down

Gavel Factors: (5)

🏛️ Government and Public Agency Exemption🏦 Central Bank and Financial Institutions Exclusion⚖️ Sectoral Exceptions Regulated by Other Laws🧮 Number of Data Subjects💵 Revenue-Based Applicability

globe_book Resources (4)

link USA - Indiana CDPAinfolink USA - Indiana CDPAinfolink USA - Indiana CDPAinfolink Office of the Indiana Attorney General
❖ Jurisdictions: ➤ USA - Indiana