One Month of Indiana’s Consumer Data Privacy Law . . . Where Do You Stand on Compliance? | McCarter & English, LLP
https://www.jdsupra.com/legalnews/one-month-of-indiana-s-consumer-data-2950834/
Publish Date: 2026-02-10 12:10:00
Source Domain: www.jdsupra.com
Enforcement of the Indiana Consumer Data Protection Act (CDPA) has begun, and its penalties can add up quickly. The CDPA was signed in 2023 and became effective January 1, 2026. The law governs how covered businesses collect, use, disclose, store, and analyze “personal data,” i.e., nonpublic information linked or reasonably linkable to an identified or identifiable “consumer” (under the CDPA, a “consumer” is an Indiana resident acting for an individual, family, or household purpose).
The Indiana attorney general, which will be enforcing the CDPA, has indicated it will be pursuing enforcement under two paths: consumer complaints and proactive investigations. The CDPA does not provide a private right of action; however, the attorney general may seek injunctive relief, impose civil penalties of up to $7,500 per violation, and recover investigation costs and attorneys’ fees. Although the statute contemplates a 30-day cure period, the Indiana attorney general’s office has indicated this safe harbor is only available for violations that can be cured, meaning some violations—those deemed incurable—may be subject to immediate enforcement.
So how should your business approach compliance?
The first step, of course, is to determine whether the law applies—both to your business and to the data it processes. Even if your business is not incorporated or located in Indiana, the CDPA may apply if you (1) “conduct[] business in Indiana” or produce products or services targeted to Indiana residents and (2) meet one of the following thresholds during a calendar year:
- Control or process personal data of at least 100,000 consumers
- Control or process personal data of at least 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal data
Even if a business meets these criteria, the law exempts certain categories of entities, regardless of the data they process. While not exhaustive, notable exemptions include…
