Indiana’s new Consumer Data Protection Act (CDPA) takes effect on January 1, 2026. It follows other state consumer privacy laws by providing consumers with rights related to the collection and processing of their information. On November 25, 2025, Indiana’s Attorney General issued a Consumer Data Protection Bill of Rights as “a tool to educate Hoosiers on how the new law works, the rights offered to consumers and the obligations placed on applicable businesses.”

The Bill of Rights details core consumer rights under the CDPA and adds specific clarity, examples, and expectations for how businesses should operationalize them. Though the guide is intended to clarify the law for consumers, it also puts businesses on notice about the Indiana Attorney General’s compliance expectations under the privacy law.

Rights Summarized in the Bill
The Bill of Rights outlines 15 protections for Indiana consumers, including rights to delete personal data held by companies, opt out of targeted advertising and data sales, and request a copy of their information in a portable format. Amongst other guidelines:

  • Consumers can find out if a business is processing their data and request one free copy of their personal data each year;
  • Consumers can request corrections to inaccurate data, or have their personal data deleted, regardless of its source;
  • Customers can opt out of targeted advertising, profiling, and sale of their personal data.
  • Businesses may not discriminate if a consumer exercises their rights, including by changing services, pricing, or quality;
  • Requests must be addressed within 45 days, with one possible 45-day extension; and
  • Sensitive data, including health, biometric, immigration, religious, and precise location data, and all data on children under 13, cannot be processed unless the consumer or parent/guardian gives opt-in consent.

A Step-by-Step Consumer Guide
Unlike statutes or regulations, the Bill of Rights gives consumers step-by-step instructions for determining if a business is a “controller” subject to the CDPA, how to exercise their rights, and what to do if their request is denied. Consumers are advised to first confirm whether the CDPA even applies, checking for coverage, exemptions, and whether the business meets the relevant data thresholds. Next, they are encouraged to use the methods described in the company’s privacy notice (such as an online form, email, or mailing address) to submit requests to access, correct, or delete their data. For opt-out requests, such as stopping targeted advertising or the sale of personal data, the Bill of Rights instructs consumers to use specifically provided mechanisms, like opt-out buttons or forms.

If a business denies a request, the Bill outlines how to appeal through the company’s process and reminds consumers that if a company does not comply, the consumer can file a formal complaint with the Attorney General’s office. The document also highlights the need for timely responses and requires companies to provide appeal instructions and reasons for denials.

Takeaways

  • Make your privacy notice easy to find and understand. Given its ease of use and accessibility, consumers are likely to use this document to evaluate companies’ websites for CDPA compliance. Privacy notices should clearly detail what data is collected, with whom it is shared, and how customers can exercise their rights; and
  • Build user-friendly request and appeal processes. The Bill of Rights expects companies to provide a clear, practical mechanism for requests. Companies should test their processes to determine whether they are accessible and available in the way consumers are likely to make requests. Companies should also train legal and compliance teams on timely responses to consumer requests.

Indiana’s Consumer Data Protection Bill of Rights is likely to drive public understanding, customer expectations, and regulator priorities. As January 2026 approaches, companies should review and update their privacy practices, notices, and response procedures accordingly.