Indiana Attorney General Todd Rokita on Tuesday released the state’s new Consumer Data Protection Bill of Rights, saying the document is intended to help Hoosiers understand and exercise their rights under the Indiana Consumer Data Protection Act before it takes effect in January.
“Every click, every purchase, every search, every doctor visit, every dollar you spend, is tracked, packaged and sold, often without you even knowing,” Rokita said at a news conference in Indianapolis. “Your personal data is your personal property, and for years now, decades now, it’s been taken from you.”
Indiana’s General Assembly passed the privacy law unanimously in 2023. Rokita said it is “a huge first step, not a complete solution by any means,” but marks the first time Hoosiers will be able to force companies to show what data they hold, correct inaccuracies or “most importantly, delete the data.”
The new bill of rights outlines 15 protections for Indiana consumers, including rights to delete personal data held by companies; opt out of targeted advertising and data sales; and request a copy of their information in a portable format.
It also prohibits companies from discriminating against consumers who use those rights.
Sensitive information — like health, biometric, immigration, religious, or precise location data, as well as all children’s data — also can’t be processed without explicit consent.
The Republican attorney general said companies must place a clearly marked privacy notice or data-rights link “in a prominent spot on their website,” and once a request is filed, the companies will have 45 days from the date of your request to comply.
Still, Rokita criticized exemptions in the law for nonprofits, utilities, banks and entities covered by the Health Insurance Portability and Accountability Act, or HIPAA.
“Some have no sense whatsoever,” he said. “Some of our nonprofits are the biggest takers of our private, personal data … They’re exempted from this law. Why? Who knows.”
Rokita said he expects to make recommendations to lawmakers during the upcoming 2026 session but will begin enforcing the statute as written, for now.
Consumer Protection Division Chief Scott Barnhart called the law “a good first step” that lets consumers “recapture some of their privacy” and gain “transparency into the system.”
Doug Swetnam, data privacy and identity theft section chief, added that the law provides a long-sought remedy for inaccurate information, noting that, previously, “there was no means for a consumer to make sure the data was accurate or to ask companies to delete the data they’ve been accumulating.”
Swetnam said the office will enforce requirements for “simple-to-understand” privacy notices and will rely on consumer complaints as well as staff reviews of company practices.
Rokita emphasized that violators could face injunctions and fines of $7,500 an incident.
“Where we had no power to control our property rights, our data right before as consumers,” Rokita said, “now we do.”
Indiana Capital Chronicle is part of States Newsroom, a nonprofit news network supported by grants and a coalition of donors as a 501c(3) public charity. Indiana Capital Chronicle maintains editorial independence. Contact Editor Niki Kelly for questions: info@indianacapitalchronicle.com.