Indiana INCDPA AI Compliance 2026: The Highest Consumer Threshold in the Country
Indiana's Consumer Data Protection Act became enforceable January 1, 2026, and it was written to be the friendliest state privacy law on the books — a 100,000-consumer floor, no attorney general aggressiveness track record yet, and a cure period with no expiration date. None of that means AI companies with meaningful Indiana traffic can skip it.
Does INCDPA Apply to Your AI Product?
INCDPA applies to a business that conducts business in Indiana or produces products or services targeted at Indiana residents, and that during a calendar year controls or processes the personal data of at least 100,000 Indiana consumers, or controls or processes the data of at least 25,000 consumers while deriving over 50% of gross revenue from selling personal data.
That 100,000-consumer floor is notably higher than most peer statutes — Virginia, Colorado, and Connecticut all use 100,000 as well, but several newer laws (Texas, Oregon, New Jersey) drop the floor much lower or remove it entirely for data sellers. For an early- stage AI product with a smaller but growing Indiana user base, that means INCDPA may not yet apply even when the same product is already in scope in a neighboring state — worth tracking as usage grows rather than assuming permanent exemption.
Consumer Rights and AI Profiling
Profiling opt-out
Consumers can opt out of profiling in furtherance of decisions that produce legal or similarly significant effects — credit, employment, housing, healthcare, insurance, and education outcomes.
Targeted advertising opt-out
Consumers can opt out of personal data being used for targeted advertising, including AI-driven ad personalization and lookalike-audience models.
Sale of data opt-out
Consumers can opt out of the sale of their personal data to third parties, including data-licensing arrangements with AI model developers or data brokers.
Data Protection Assessments
Processing that presents a heightened risk of harm — including profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment — requires a documented data protection assessment before the processing begins.
The Permanent Cure Period Is Unusual
Several states that adopted a 30-day right-to-cure provision built in a sunset date, after which the attorney general can enforce without giving businesses a chance to fix a violation first — Colorado's cure period expired in 2025, for example. Indiana's statute as enacted does not include a sunset clause for its cure provision, which as of INCDPA's January 1, 2026 effective date makes it one of the more forgiving enforcement postures currently in force. That said, "no sunset yet" is a legislative choice, not a permanent guarantee — track future amendments before treating this as a long-term compliance buffer.
INCDPA Compliance Checklist for AI Companies
- ☐Track Indiana consumer counts against the 100,000 threshold as your user base grows
- ☐Separately check the 25,000-consumer / 50%-revenue-from-data-sales alternate trigger
- ☐Reassess quarterly rather than assuming a one-time exemption determination holds
- ☐Build opt-out flows for profiling, targeted advertising, and data sale
- ☐Document which AI-driven decisions fall into the legal-or-significant-effect category
- ☐Support access, correction, deletion, and portability requests within statutory timelines
- ☐Complete a data protection assessment before deploying profiling that carries a foreseeable risk of unfair treatment
- ☐Retain assessments in case the Attorney General requests them during an inquiry
- ☐Update assessments when the AI model or its training data materially changes
- ☐Monitor Indiana AG enforcement activity as the law matures past its first year
- ☐Retain records supporting your scope and threshold determinations
- ☐Respond to any AG cure notice within the 30-day window and document the remediation
See where your AI product is exposed
RatedWithAI helps SaaS and platform teams surface compliance and trust gaps across their web properties. Start with a free scan to understand how your product presents to users and regulators alike.
Scan Your Product for Free →Frequently Asked Questions
How does INCDPA's threshold compare to Kentucky's or Rhode Island's new laws?
Indiana's 100,000-consumer floor is higher than Kentucky's, which also uses 100,000 but pairs it with a lower 25,000/50%-revenue alternate trigger similar to Indiana's own structure. Rhode Island's RIDTPPA sets its standard threshold at 35,000 consumers, making it reach smaller businesses than Indiana does. AI companies operating across all three states should track thresholds separately rather than assuming a single national compliance bar.
Does INCDPA apply retroactively to AI models trained before 2026?
INCDPA regulates ongoing processing and disclosure of personal data, not the historical training event itself. If a covered business continues to process, use, or profile with data collected from Indiana consumers after the law's January 1, 2026 effective date, that processing is in scope regardless of when the underlying model was originally trained.
What counts as a 'significant effect' triggering the profiling opt-out?
INCDPA follows the standard state-law definition: decisions that result in the provision or denial of financial or lending services, housing, insurance, education enrollment, criminal justice outcomes, employment opportunities, or healthcare services. AI-driven scoring, ranking, or eligibility tools that feed into any of these outcomes should be treated as triggering the opt-out right.