Under the INCDPA, businesses must obtain clear affirmative consent before processing sensitive personal data—and this includes cookies that collect precise geolocation or biometric details. Consent must be documented, retractable, and tied directly to specific cookie purposes. Is your consent management aligned with best practices?
The Indiana Consumer Data Protection Act (INCDPA), signed on May 1, 2023, and effective from January 1, 2026, is a comprehensive state privacy law modeled after Virginia’s VCDPA. It establishes consumer data rights and controller/processor obligations.
Businesses targeting Indiana residents must assess applicability, update cookie banners, refine consent mechanisms, perform DPIAs, and put strong privacy notices in place—using tools like consent management platforms to streamline compliance and reduce risk.
To determine whether INCDPA applies, ask whether you do business in Indiana or target Indiana residents. If so, do you process personal data for ≥ 100,000 Indiana residents annually, or ≥ 25,000 residents while generating over 50% of revenue from selling their data?
If yes, compliance requires that you:
Review data practices: map all personal and sensitive data collected (including cookies).
Implement consent management: review consent banners and cookie notices.
Put opt-out measures in place: ensure opt-out options for data sales, profiling and targeted advertising.
Provision data security: implement data security measures and DPIAs for high-risk activities.
Controllers or processors must comply with INCDPA if:
They do business in Indiana or target its residents, and
Either process personal data of ≥ 100,000 residents/year or
Process ≥ 25,000 residents/year and derive >50% of revenue from selling personal data
Exemptions include:
Governmental bodies, nonprofits, educational institutions, utilities, GLBA- or HIPAA-covered entities, employment-related data, and riverboat casinos using state-approved facial recognition.
Indiana residents have the following rights:
Consumers can access and confirm processing of personal data
Consumers can request to correct inaccuracies
Consumers can request that their personal data be deleted
Consumers have a right to port/download/transmit their information in a usable format
Consumers can opt out of the sale of personal data, targeted advertising, and profiling that produces legal/significant effect
Requests must be handled within 45 days (extendable to 90 days), and a denial must allow for an appeal.
Cookies that track sensitive or personal data (e.g., location, usage profiling) require explicit user consent. Even analytics cookies can fall under the law if they process personal data of enough Indiana residents.
Clear cookie banners, opt-outs, and granular consent controls are essential.
Organizations that fail to comply with INCDPA may face penalties. The law is enforced by the Indiana Attorney General, and after the cure period civil penalties can reach 7,500 USD per violation.
To check their compliance with INCDPA, organizations should:
Audit: conduct a data audit to identify all cookies and trackers on their websites.
Categorize: categorize cookies (e.g., necessary, preference, analytics, marketing).
Implement consent management: ensure consent banners are implemented correctly with granular choices, enable users to withdraw consent at any time, and maintain consent logs.
Check third-party contracts: review third-party data-sharing practices.
INCDPA applies to businesses targeting Indiana residents (or operating there) that process the personal data of ≥ 100,000 consumers, or of ≥ 25,000 consumers while their data revenue exceeds 50% of their gross revenue. Exclusions apply.
Personal data is any information that is linked or reasonably linkable to an identified or identifiable individual, such as name, email, IP address, health info, or browsing behavior.
Sensitive data includes data revealing race, religion, sexual orientation, citizenship, health, biometrics, precise geolocation, and known children’s data. It requires explicit opt-in consent.
The Indiana Attorney General enforces the law, with exclusive enforcement authority and the power to issue penalties after a 30-day cure notice.
Exempt entities include government agencies, nonprofits, schools, utilities, GLBA or HIPAA-regulated institutions, employer-employee data, and riverboat casinos following facial recognition rules.
More information can be found by consulting Indiana Senate Bill 5 (Indiana Code § 24-15) and the Indiana Attorney General’s website for sample notices.
©2018-2025 CookieHub ehf.