Indiana Data Privacy Law: How to Respond to Consumer Requests

If your company has received a consumer data request from a Indiana resident, you need to understand what the law requires, how quickly you must respond, and what information must be redacted before you send the response. This guide covers the Indiana Consumer Data Protection Act (INCDPA) in practical terms — what it means for your business, not just what the statute says.

These requests are formally known as Data Subject Access Requests (DSARs) under European law, or consumer privacy requests under U.S. state law. Regardless of the terminology, the obligation is the same: locate the consumer's personal data, review it, redact third-party personal information, and respond within the statutory deadline.

For a comparison of all US state privacy laws, see our comprehensive comparison page. For state-specific guidance, see our guides for California, Virginia, Colorado.

Does this law apply to my business?

The Indiana Consumer Data Protection Act (INCDPA) (Ind. Code §§ 24-15-1 through 24-15-9) took effect on January 1, 2026.

Applicability thresholds: Conducts business in Indiana or produces products or services targeted to Indiana consumers, AND either: (a) controls or processes personal data of 100,000 or more Indiana consumers, OR (b) controls or processes data of 25,000 or more consumers and derives over 50% of gross revenue from the sale of personal data.

Exemptions: State and local government, nonprofits, HIPAA-covered entities, GLBA-covered entities, institutions of higher education.

Physical presence: No physical presence required.

What rights do consumers have?

Under the INCDPA, Indiana consumers have the following rights regarding their personal data:

• Right to confirm processing
• Right to access
• Right to correct
• Right to delete
• Right to data portability
• Right to opt-out of targeted advertising
• Right to opt-out of sale of personal data
• Right to opt-out of profiling

Indiana's law closely mirrors the Virginia VCDPA model. Sensitive data requires opt-in consent.

How long do I have to respond?

You have 45 calendar days from receipt of the request to provide a substantive response.

Extensions: One 45-day extension with notice.

When the clock starts: Upon receipt.

Standard 45-day response with appeal process.

What do I need to redact before responding?

When you compile documents for a consumer data request response, you will inevitably find personal information belonging to other people — colleagues, clients, family members, business contacts. This third-party data must be redacted before you send the response to the requesting consumer.

What to redact (third-party personal data)

• Names — full names of other individuals mentioned in emails, documents, chat transcripts, and records
• Email addresses — personal and work email addresses of third parties
• Phone numbers — mobile, landline, and work numbers of other people
• Physical addresses — home and work addresses of third parties
• Government identifiers — Social Security numbers, driver's license numbers, passport numbers belonging to others
• Financial information — bank account numbers, credit card numbers, salary figures of other individuals

What requires judgment

Some categories of information require case-by-case assessment:

• Salary figures and compensation data — if a document mentions another employee's salary in the context of the requester's own compensation review, you may need to redact the third party's figure while keeping the requester's
• Job titles and roles — generally not personal data on their own, but combined with a department name in a small team, they may identify an individual
• Performance reviews and manager comments — the requester's own performance data stays in, but comments that reveal personal information about colleagues or managers should be redacted
• Medical or health information — any health-related data about third parties must be redacted regardless of context

What to keep (the requester's own data)

The entire point of a consumer data request is to give the individual access to their own data. Do not redact the requester's personal information. This includes their name, email, phone number, address, employment records, transaction history, and any other data that relates to them specifically.

This is what makes data request redaction different from standard document redaction. You are performing selective redaction: keeping one person's data while removing everyone else's. Automated tools that simply blank out all PII will over-redact and produce an unusable response.

What happens if I miss the deadline or get it wrong?

Penalties: Up to $7,500 per violation.

Enforcement: Indiana AG (exclusive). No private right of action.

Cure period: 30-day cure period (does not expire — permanent).

Recently effective. No enforcement actions as of 2026.

How SafeRedact helps

SafeRedact automates the most time-consuming part of responding to consumer data requests: identifying and redacting third-party personal information across thousands of documents.

• AI-powered detection — a two-layer pipeline (deterministic regex + contextual AI) identifies names, emails, phone numbers, addresses, government IDs, financial data, and salary figures across 10+ document types including emails, PDFs, spreadsheets, and chat transcripts
• Selective redaction — in DSAR mode, the requester's own data is preserved while all third-party PII is flagged for redaction. Every detection is reviewed by a human before export.
• Zero data retention — documents are processed in the browser. No document content is stored on SafeRedact servers. Only job metadata (file names, detection counts, audit logs) is retained.
• Audit trail — every detection decision (accept, reject, manual add) is logged. A compliance report with reviewer sign-off is generated for your records.