BlogLine

Indiana releases new Consumer Data Protection bill of rights

12/15/25

Human signing documents with pen, online business contract electronic signature, technology, e-signing, digital document management, paperless office, signing business contract concept

By: Jacob Berlinger & Jason G. Weiss

Indiana is preparing residents for the upcoming Indiana Consumer Data Protection Act (“CDPA”), which takes effect January 1, 2026, by releasing the Consumer Data Protection Bill of Rights (“CDPBR”). On November 25, 2025, Indiana Attorney General Todd Rokita announced the CDPBR, which summarizes 15 key rights that Indiana citizens will enjoy under the CDPA.

When Does the CDPA Apply to Businesses?

The CDPA, which was passed in 2023, applies to for-profit businesses in or outside of the state that target Indiana residents and in a year either (1) control or process the personal data of 100,000 or more Indiana consumers or (2) control or process the personal data of 25,000 or more Indiana consumers and procures 50% of its annual revenue from the sale of personal data. The CDPA does not apply to nonprofit organizations, higher education institutions, nor to entities or data regulated by HIPAA, meaning covered entities and their business associates are excluded.

Rights Given to Citizens  

The CDPBR provides many new legal rights for affected citizens, including, but not limited to:

  1. The right to confirm if a company is using personal data.
  2. The right to opt out if a company wants to use data for targeted ads, selling, or profit.
  3. The right to prevent processing of child data without consent, including data on health, beliefs, and identity.
  4. The right that your sensitive data will not be processed by a controller without your consent.
  5. The right to know how a company processes and shares your data through a clear privacy notice.

The CDPBR also requires companies to place a privacy notice or data-right links in a prominent spot on their website.

How Consumers Can Exercise Rights

Consumers can exercise their rights by submitting requests through a controller’s website. A parent or a legal guardian can invoke their child’s privacy rights by submitting a request with the controller. This process must be clearly outlined in the company’s privacy notice. Hoosiers must be given a response to their request within forty-five days. Companies can extend the response time by an additional forty-five days but must notify the consumer of the extension within the first forty-five days.

What are the Penalties for Non-Compliance?

Businesses who conduct business with Indiana Citizens need to strictly adhere to the CDPA as enforcement can lead to a maximum of $7,500 per violation, which is enforced by the Indiana Attorney General.  As of now there is no private right of action associated with this legislation. With the January 1, 2026, deadline to be compliant quickly approaching, businesses that conduct business in the state of Indiana should reach out to the attorneys at Freeman Mathis & Gary for guidance on compliance with the CDPA.

For more information, please contact Jacob Berlinger at jacob.berlinger@fmglaw.com, Jason G. Weiss at jason.weiss@fmglaw.com or your local FMG attorney.

Information conveyed herein should not be construed as legal advice or represent any specific or binding policy or procedure of any organization. Information provided is for educational purposes only. These materials are written in a general format and not intended to be advice applicable to any specific circumstance. Legal opinions may vary when based on subtle factual distinctions. All rights reserved. No part of this presentation may be reproduced, published or posted without the written permission of Freeman Mathis & Gary, LLP.

Share

Save Print