Enforcement of the Indiana Consumer Data Protection Act (CDPA) has begun, and its penalties can add up quickly. The CDPA was signed in 2023 and became effective January 1, 2026. The law governs how covered businesses collect, use, disclose, store, and analyze “personal data,” i.e., nonpublic information linked or reasonably linkable to an identified or identifiable “consumer” (under the CDPA, a “consumer” is an Indiana resident acting for an individual, family, or household purpose).
The Indiana attorney general’s office, which enforces the CDPA, has indicated it will pursue enforcement along two paths: consumer complaints and proactive investigations. The CDPA does not provide a private right of action; however, the attorney general may seek injunctive relief, impose civil penalties of up to $7,500 per violation, and recover investigation costs and attorneys’ fees. Although the statute contemplates a 30-day cure period, the Indiana attorney general’s office has indicated this safe harbor is only available for violations that can be cured, meaning some violations—those deemed incurable—may be subject to immediate enforcement.
So how should your business approach compliance?
The first step, of course, is to determine whether the law applies—both to your business and to the data it processes. Even if your business is not incorporated or located in Indiana, the CDPA may apply if you (1) “conduct[] business in Indiana” or produce products or services targeted to Indiana residents and (2) meet one of the following thresholds during a calendar year:
- Control or process personal data of at least 100,000 consumers
- Control or process personal data of at least 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal data
Even if a business meets these criteria, the law exempts certain categories of entities, regardless of the data they process. While not exhaustive, notable exemptions include financial institutions regulated under the Gramm-Leach-Bliley Act, covered entities and business associates subject to the Health Insurance Portability and Accountability Act, public utilities, and nonprofit organizations. Other exemptions may also apply based on the type of data processed.
CDPA requirements depend to some extent on whether a business is acting as a data “controller” (determines how and why personal data is processed) or as a data “processor” (processes personal data on a controller’s behalf), but the focus is always on transparency and consumer control.
In plain language, what are the key requirements of the CDPA? While this list is not exhaustive, the points below highlight some of the most significant requirements and areas for enforcement of which businesses should be especially mindful.
Provide a Privacy Notice. Controllers must provide consumers a clear and accessible privacy notice that describes, among other things, what personal data is collected, how it is used, and with whom it is shared or to whom it is sold. Best practices dictate that the privacy notice be more than a simple template form. To create a transparent privacy notice that allows consumers to exercise meaningful choice, a controller must understand both the categories of personal data it processes and the specific processing operations it performs.
Understand Consumers’ Rights. Under the CDPA, consumers have the right to:
- Confirm whether a controller is processing their personal data
- Correct inaccuracies in personal data the consumer has provided to a controller
- Delete their personal data, subject to certain limitations
- Obtain a portable copy or summary of personal data the consumer has provided to a controller (once per each 12-month period)
- Opt out of processing for targeted advertising, the sale of their personal data, and certain profiling activities
Receive and Respond to Consumer Requests. A controller must have a secure process for consumers to submit requests to exercise their rights, and it must respond to a request “without undue delay” but in no case more than 45 days after receipt. Controllers should understand that they do not necessarily have 45 days to respond to a consumer request, because the response standard is always “without undue delay.” Extensions are possible, albeit in limited circumstances. Responding to consumer requests can be nuanced and complex.
Maintain Agreements with Processors (e.g., vendors, service providers, and others processing personal data on behalf of a controller). The CDPA requires a controller to enter a binding written contract with each processor that “clearly set[s] forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.” The statute describes other requirements for processors that must be included in these contracts.
Conduct Data Protection Impact Assessments. Controllers that, among other things, process personal data for targeted advertising, sell personal data, or process statutory “sensitive data” must conduct and document a data protection impact assessment (DPIA). The DPIA must identify and weigh the benefits of the processing against the potential associated risks, as mitigated by implementable safeguards. A variety of factors must be considered. DPIAs need not be public but should be readily producible if requested by the Indiana attorney general.
Collect and Process Only Reasonably Necessary Personal Data. Under the CDPA, a controller must collect and process only the personal data reasonably necessary for the purposes disclosed to consumers. For example, a controller that operates an e-commerce website may collect customers’ names, email addresses, shipping addresses, and payment information at checkout, as these data points are reasonably necessary to complete purchases. If, however, the business also requires customers to provide, or otherwise collects, date of birth and precise geolocation despite neither data point being needed for the transaction, the controller would likely violate the CDPA’s data minimization requirements.
This overview highlights several key requirements of the CDPA, but it is not exhaustive. Businesses should evaluate their specific data processing practices to determine whether and how the law applies to them. We can help. If you have questions about the CDPA or need assistance assessing compliance, please contact a member of the McCarter & English Cybersecurity & Data Privacy team.
