Support Centre



Law: Consumer Data Protection Act (CDPA)

Regulator: The Indiana Attorney General (AG)

Summary: The Indiana Governor signed Senate Bill 5 on consumer data protection on 1 May 2023, thereby enacting the CDPA, which will enter into effect on 1 January 2026. The CDPA introduces obligations for data controllers and processors, including transparency obligations, such as the requirement to provide privacy notices, data security obligations, as well as a requirement to conduct and document Data Protection Impact Assessments ('DPIAs') in specific circumstances. Additionally, the CDPA contains provisions that govern controller/processor relationships as well as data subject rights to confirm whether or not the controller is processing the consumer's personal data, the rights of access, deletion, correction, and the right to opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling. Furthermore, the CDPA provides the AG with enforcement powers, but does not provide a private right of action.

In regard to data breaches, §24-4.9-1 et seq. of the Indiana Code, database owners must notify Indiana residents and the AG in case of a data breach, as well as nationwide consumer reporting agencies, when the breach involves the information of more than 1,000 residents. In addition, the Indiana Wiretap Act, under §35-33.5-5-4 of the Indiana Code, prohibits intercepting or recording a telephone or electronic communication without the consent of at least one party. Finally, a Class C infraction is committed under §24-4-14 of Indiana Code when a person disposes unencrypted or unredacted personal information of a customer without shredding, incinerating, mutilating, erasing, or otherwise rendering it illegible.


The Consumer Data Protection Act (CDPA) was introduced to the Indiana State Senate on January 9, 2023. After passing both Houses of the Indiana General Assembly, the CDPA was signed by the Governor on May 1, 2023.

The CDPA will now enter into effect on January 1, 2026.

The Consumer Data Protection Act (CDPA) was introduced, on January 9, 2023, to the Indiana State Senate. Since then, the Act has passed both the State Senate, as well as the House of Representatives, and was signed by the Governor of Indiana, Eric Holcomb, on May 1, 2023. The Act introduces obligations for both data controllers and data processors, as well as consumer rights, and will enter into effect on January 1, 2026. OneTrust DataGuidance Research gives an overview of the provisions under the Act.