Indiana Consumer Data Protection Act
Indiana's Consumer Data Protection Act, with obligations applying from 1 January 2026, closely follows the Virginia VCDPA template. It grants residents rights to access, correct, delete, and obtain personal data and to opt out of targeted advertising, sale, and certain profiling, and it requires data protection assessments for higher-risk processing. Analytics on Indiana visitors can touch these rights. This is educational, not legal advice.
What this means
Indiana's law tracks the Virginia model: consumer rights to access, correct, delete, and port data, plus opt-outs of sale, targeted advertising, and profiling with legal or similarly significant effects. Controllers must conduct and document data protection assessments for higher-risk processing such as targeted advertising and the sale of personal data. It has a comparatively long lead time before obligations apply.
Why it touches analytics
First-party analytics confined to measuring your own site usually avoids the sale and targeted-advertising triggers. The opt-out and assessment duties matter when measurement feeds cross-context behavioural advertising or shares identifiers with third parties for value. Honouring access and deletion still requires being able to find and remove a person's data. Minimised, first-party measurement keeps exposure low.
Confirm thresholds and effective dates against the statute.
- Virginia-style rights and opt-outs
- Data protection assessments for higher-risk processing
- Obligations apply from 1 January 2026
How it appears in analytics and logs
If your analytics feeds targeted advertising or sale for Indiana visitors, the act's opt-out applies; first-party measurement is lighter-touch.
Diagnostic use case
Check whether analytics supports Indiana residents' opt-out of sale, targeted advertising, and profiling, plus access, correction, and deletion rights.
What WebmasterID can help detect
WebmasterID's first-party, minimised model avoids selling data or building cross-context ad profiles, narrowing the Indiana rights analytics must service.
Common mistakes
- Assuming first-party measurement is a 'sale' by default.
- Skipping assessments for targeted advertising or sale.
- Overlooking access and deletion obligations.
Privacy and accuracy notes
This page is educational, not legal advice. First-party, aggregated measurement that avoids sale and targeted ads reduces Indiana exposure.
Related pages
- US state privacy laws overview
In the absence of a single federal privacy statute, several US states have enacted comprehensive consumer privacy laws with overlapping but non-identical rules. Most grant access, deletion, and correction rights and require opt-outs for targeted advertising and 'sale'. This page gives an educational overview of the common pattern and how it touches analytics.
- Virginia VCDPA and analytics
Virginia's Consumer Data Protection Act (VCDPA) was an early comprehensive US state privacy law and a template many others followed. It uses controller and processor roles, grants access/deletion/correction/portability rights, and requires opt-outs for targeted advertising, sale, and certain profiling. This page explains, educationally, how it intersects with analytics.
- Data protection impact assessment (DPIA)
A Data Protection Impact Assessment (DPIA) is a structured analysis the GDPR requires before processing that is likely to result in a high risk to people's rights — for example large-scale profiling or systematic monitoring. Some analytics and tracking setups meet that bar. This page explains when a DPIA is required and what it documents.
- Privacy-first analytics
First-party measurement avoids Indiana sale and ad triggers.
Sources and verification notes
- Indiana General Assembly — SB 5 (Consumer Data Protection)Official bill record. Educational, not legal advice.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.