Governor Eric Holcomb’s signature is inked, and Indiana is officially the seventh state to join the burgeoning list of states with comprehensive privacy legislation. The Indiana privacy law (Senate Bill 337) will take effect on July 1, 2026, applicable to any business that collects personal information of Indiana residents, regardless of whether the business is located in Indiana or not.

As the patchwork of states grows yet again, you might ask yourself, “Should I really care?” The answer is yes. Though Indiana’s effective date is a few years away and shares similarities with Virginia’s law (sans the GPC, 30-day right to cure sunset, and a narrower definition of sale) it still creates additional pressure on companies. In the larger context of the US privacy landscape, as more states join the patchwork, professionals like you are facing increased complexity in compliance requirements while also navigating ambiguity. The time may come when a shift towards erring on the side of caution and providing privacy rights to all US residents is potentially safest.

Here’s what you need to know about the latest privacy law to pass in Indiana.

Key Elements of Indiana’s Privacy Law

• Indiana’s law requires companies to implement reasonable data security measures to protect consumers’ personal information and to provide clear and conspicuous notice to individuals about their data collection and sharing practices.
• Companies will also be required to obtain explicit consent from individuals before collecting, using, or sharing their personal information, and to honor any opt-out requests.
• The definition of personal information is broad and includes any information that can be used to identify an individual, such as name, address, email address, social security number, driver’s license number, and biometric data.
• The law also recognizes sensitive categories of personal information, such as medical information, financial information, and information related to children.
• Gives Indiana consumers the right to access, correct, and delete their personal information, as well as the right to data portability.

Preparing for July 1, 2026

Businesses that collect the personal information of Indiana residents should begin preparing for the new law now, to ensure compliance by the July 1, 2026 effective date. As always, data minimization should be top of mind and an overall assessment of data handling practices will help identify any issues. Updates to privacy policies and notices, as well as implementing opt-out are essential. Failure to comply with the law could result in significant penalties, including fines and lawsuits.

While Indiana’s law will not take effect for several years, it’s an important piece of the patchwork of privacy laws that will hopefully inspire the successful passing of a federal privacy law to give US companies much-needed consistency in obligations.