Indiana Privacy Law (SB 5): New 2026 Law Explained for Online Businesses
Indiana's new consumer data protection law took effect January 1, 2026. Here's who it applies to, what it requires, and how to comply.
2026-03-05
Indiana Senate Bill 5 — Indiana's first comprehensive consumer data privacy law — took effect on January 1, 2026. It closely follows Virginia's VCDPA template, making compliance straightforward if you're already compliant with other state privacy laws. But if you're starting from scratch, here's what you need to know.
Who Does Indiana's Law Apply To?
The law applies to businesses that conduct business in Indiana or target Indiana residents and meet either threshold:
- Control or process personal data of at least 100,000 Indiana consumers per year, OR
- Control or process personal data of at least 25,000 Indiana consumers and derive more than 50% of gross revenue from selling personal data
These thresholds mirror Virginia's VCDPA. Small businesses that don't meet either threshold are exempt from most provisions.
Consumer Rights
Indiana consumers have the right to:
- Access their personal data
- Correct inaccurate data
- Delete their personal data
- Obtain a copy of their personal data in a portable format (data portability)
- Opt out of sale, targeted advertising, and profiling
You must respond to requests within 45 days, with a possible 45-day extension.
Key Requirements
Privacy Notice
You must publish a clear, accessible privacy policy that discloses:
- Categories of personal data you process
- Purpose for processing
- How consumers can exercise their rights
- Categories of third parties you share data with
- Whether you sell data or use it for targeted advertising
Sensitive Data
Opt-in consent is required before processing sensitive data:
- Racial or ethnic origin
- Religious beliefs
- Health or mental health data
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric data
- Children's data (under 13)
- Precise geolocation data
Data Protection Assessments
Required for:
- Targeted advertising
- Selling personal data
- Profiling that presents a risk of harm
- Processing sensitive data
Enforcement
Indiana's law is enforced by the Indiana Attorney General. There is no private right of action. The law includes a 30-day cure period — if you receive a notice of violation, you have 30 days to fix it before enforcement action. This cure period does not expire, which makes Indiana more lenient than states like Connecticut or Oregon where cure periods have already sunset.
Penalties can reach $7,500 per violation.
Indiana Compliance Checklist
- Privacy policy covering all required disclosures
- Cookie consent banner with opt-out for non-essential cookies
- Consumer request process for access, deletion, correction, and portability
- Sensitive data consent — opt-in before processing
- Data protection assessments for targeted advertising, data sales, and sensitive data processing
- Vendor agreements with third-party data processors
How This Fits with Other State Laws
If you're already compliant with Virginia's VCDPA, you're largely covered for Indiana too — the requirements are nearly identical. The main difference is Indiana's permanent cure period, which gives businesses more runway to address violations.
If you're not yet compliant with any state privacy law, Indiana's effective date means your window for voluntary compliance is now closed.
Check Your Compliance
ClearConsent scans your website against all 19 active US state privacy laws — including Indiana's new law. It detects trackers, cookies, privacy policy gaps, and missing consent mechanisms in under 60 seconds.