Indiana residents now have more control over how their personal data is collected and stored by for-profit companies.
The Indiana Consumer Data Protection Act, which went into effect Thursday, gives Hoosiers the right to obtain a copy of their personal data, as well as correct inaccuracies, opt out of targeted ads, profiling, and data sales, and even have their personal data deleted.
Personal data is defined under the law as “information that is linked or reasonably linkable to an identified or identifiable individual.”
The law was passed in 2023 but gave businesses a three-year runway to ensure compliance.
The law applies to most larger businesses that control or process Hoosiers’ personal data, but excludes many mid-size businesses as well as nonprofits, government agencies, utilities, financial institutions, higher education institutions, and healthcare providers.
Attorney General Todd Rokita’s office released a Consumer Data Bill of Rights two months ago to explain the new law and how his office will enforce it. He said that while the law doesn’t completely guarantee data privacy, it’s a good first step.
“Every click, every purchase, every search, every doctor visit, every dollar you spend is tracked, packaged and sold, often without you even knowing,” Rokita said. “Your personal data is your personal property, and for years now, decades now, it's been taken from you.”
If a company denies or doesn’t reply to a consumer data request within 45 days, Indiana residents will be able to file complaints that will be processed by the Attorney General’s office.
Indiana joins California, Utah, Colorado, Connecticut, Virginia, and Iowa as states with consumer data privacy laws. There is currently no comprehensive federal data privacy law.
