Ahead of implementation of Indiana's comprehensive data privacy law, Indiana’s Attorney General has released a Consumer Data Privacy Bill of Rights describing how the Indiana Consumer Data Protection Act ("ICDPA"), enacted in 2023, will operate when it takes effect on January 1, 2026. Although styled for consumers, the Bill of Rights functions as a practical compliance roadmap for businesses subject to the law. It reiterates the ICDPA’s scope and thresholds, articulates the core consumer rights, and underscores concrete controller obligations around transparency, data minimization, purpose limitation, sensitive data handling, and response timelines.
The ICDPA applies to for-profit entities that conduct business in Indiana or target Indiana residents and either control or process personal data of at least 100,000 Indiana residents in a calendar year, or control or process personal data of at least 25,000 Indiana residents and derive more than 50% of gross revenue from the sale of personal data. The law excludes certain entities and data sets, including state and local government bodies, financial institutions, HIPAA-covered entities, nonprofit organizations, higher education institutions, and public utilities. “Consumer” is limited to Indiana residents acting in personal, family, or household contexts; data about individuals in employment or commercial contexts also falls outside the statute.
The consumer rights detailed in the Bill of Rights align closely with other comprehensive state privacy regimes (such as California, Colorado, and Virginia). Indiana residents are granted a series of enforceable rights, including the ability to confirm whether a controller processes their personal data; to obtain a copy or representative summary of personal data they previously provided; to correct inaccuracies in personal data they previously provided; to request deletion of personal data regardless of source; and to receive personal data in a readily usable, portable format to enable transfer without hindrance.
Consumers may also opt out of targeted advertising, the sale (but not necessarily the sharing) of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. Importantly, the Bill of Rights emphasizes opt-in consent for processing “sensitive data”—including precise geolocation, genetic/biometric identifiers, health diagnoses, sexual orientation, citizenship or immigration status, religious beliefs, and racial or ethnic origin—as well as all personal data of known children under 13, consistent with COPPA. The statute also embeds a right to non-discrimination for exercising these rights and a right to appeal denied requests.
Controller obligations
For controllers, the Bill of Rights highlights operational obligations that will require advance build-out. Controllers must provide a privacy notice that is reasonably accessible, clear, and meaningful, describing the categories of personal data processed, purposes of processing, categories of personal data shared with third parties, and categories of those third parties. If a controller sells personal data or uses it for targeted advertising, that fact must be clearly and conspicuously disclosed along with a mechanism to opt out.
The law adopts well-known data minimization and purpose limitation principles: collection must be adequate, relevant, and reasonably necessary for disclosed purposes, and any incompatible secondary use requires consumer consent. Controllers must provide at least one secure and reliable method for rights requests, verify identity appropriately without requiring account creation, and respond within 45 days, extendable once for an additional 45 days with notice within the initial window. Consumers denied a request must be provided an easy-to-access appeal process and, if the appeal is denied, information on contacting the Indiana Attorney General. The Bill of Rights reiterates that enforcement authority rests with the Attorney General, and it encourages consumers to file complaints where they believe the law has been violated.
Compliance perspectives
From a compliance planning perspective, the Bill of Rights clarifies several recurring points of friction. Access is limited to data the consumer previously provided, whereas deletion extends to personal data held by the controller irrespective of source. Targeted advertising is defined to exclude contextual ads, measurement, and first-party advertising within a controller’s or affiliate’s domains. “Sale” is limited to exchanges for monetary consideration and excludes disclosures to processors, affiliates, service providers fulfilling consumer requests, and transfers in mergers. Profiling opt-outs focus on automated processing that informs consequential decisions in areas such as lending, housing, insurance, education, employment, and health care. Collectively, these contours help calibrate notice drafting, opt-out tooling, and the design of verification and appeals workflows.
Operationalizing
Businesses should use the period before January 1, 2026, to operationalize ICDPA-aligned capabilities. Key build tasks include mapping personal data and sensitive data across systems and vendors; confirming whether thresholds are met; updating privacy notices to match the ICDPA’s content and prominence expectations; implementing opt-out mechanisms for targeted advertising, sale, and profiling; instituting consent flows for sensitive data and for children consistent with COPPA; building intake, verification, and response processes for requests and appeals within statutory timelines; and aligning processor engagements, including data sharing practices that are not “sales,” with controller responsibilities. Because the Bill of Rights is explicit about transparency, data minimization, purpose limitation, and consumer choice, it provides concrete design criteria for products, data pipelines, and go-to-market operations involving Indiana residents.
Takeaways
The Consumer Data Privacy Bill of Rights is not a separate legal regime; it is a plain-language articulation of the rights and obligations embedded in the Indiana Consumer Data Protection Act that becomes effective on January 1, 2026. In practical terms, it previews how the Attorney General expects businesses to implement the law’s requirements. Companies that align their privacy notices, consent and opt-out mechanisms, sensitive data governance, and request-and-appeal operations with the Bill of Rights will be well-positioned for ICDPA compliance when the law takes effect. For organizations already building toward Virginia- and Colorado-style controls, the Bill of Rights confirms the familiar contours of Indiana’s framework and provides Indiana-specific details—particularly around notice content, portability scope, and opt-out design—that should be incorporated into 2026 readiness plans.
