Privacy Daily is a service of Warren Communications News.

Indiana Publishes Privacy Bill of Rights Ahead of New Law

An Indiana Data Consumer Bill of Rights released last week by Attorney General Todd Rokita (R) informs state residents about privacy rights that they will have under the comprehensive privacy law, which takes effect Jan. 1.


“Protecting Hoosiers’ personal information has always been a priority for our office,” Rokita posted Wednesday on X. “We’ve been in this game a long time, whether [it's] suing Google over its use of location data, or consistently enforcing privacy rights under [HIPAA] over health data.” Starting Jan. 1, he said, “we will enforce Indiana’s new Consumer Data Protection Act.”

The bill of rights explains what’s in the privacy law, with a step-by-step guide and FAQ for consumers on how to exercise their rights and which organizations must comply.

“This law gives Hoosiers the right to understand how their data is used and make informed choices about how and with whom their data is sold or used,” the document said. “It also gives them the right to request its deletion or correction when necessary.”

“Data breaches, identity theft and financial loss are threats to Hoosiers and businesses alike,” it said. “Consumers have the right to exercise control over their personal data, reducing the odds their data falls into the wrong hands. At the same time, the law establishes requirements that help businesses avoid legal risks and cyberattacks. … The implementation of data privacy and security standards can significantly minimize the risk of a breach and its associated costs.”

While aimed at consumers, the document also provided businesses with a useful overview for Indiana Consumer Data Protection Act (ICDPA) compliance, Baker Botts privacy attorney Nick Palmieri blogged Wednesday. “It reiterates the ICDPA’s scope and thresholds, articulates the core consumer rights, and underscores concrete controller obligations around transparency, data minimization, purpose limitation, sensitive data handling, and response timelines.”

“Companies that align their privacy notices, consent and opt-out mechanisms, sensitive data governance, and request-and-appeal operations with the Bill of Rights will be well-positioned for ICDPA compliance when the law takes effect,” Palmieri said. “For organizations already building toward Virginia- and Colorado-style controls, the Bill of Rights confirms the familiar contours of Indiana’s framework and provides Indiana-specific details -- particularly around notice content, portability scope, and opt-out design -- that should be incorporated into 2026 readiness plans.”