ICDPA: Indiana's approach to video privacy

The Indiana Consumer Data Protection Act (ICDPA) takes effect on January 1, 2026, introducing new compliance requirements for video surveillance and security managers. Its purpose:

  • To empower Indiana consumers with sovereignty over their data.

  • To align with other U.S. state laws.

  • To establish standards for data security and transparency for the state.

For organizations, managing video surveillance compliance requires understanding key requirements and implementing proper governance. 


Key ICDPA requirements for video data

Following Utah and Virginia's approach, Indiana created business-friendly privacy regulations. The law applies to Data Controllers—entities responsible for overseeing compliance, conducting risk assessments, and implementing security measures—and to Processors, who must follow the Data Controller's instructions in handling personal data.

The law applies to organizations that control or process the personal data of:

  • At least 100,000 Indiana residents, or

  • At least 25,000 Indiana consumers, while deriving more than 50% of gross revenue from selling data.

Like Virginia, Indiana's law defers to federal regulations for specific sectors. For instance, healthcare organizations must follow the Health Insurance Portability and Accountability Act (HIPAA) requirements first. However, Indiana has additionally excluded riverboat casinos that use facial recognition technology, as approved by the state’s gaming commission.


What rights do Indiana consumers have?

As under other state laws and the EU General Data Protection Regulation (GDPR), Indiana residents acting in a personal or household capacity have rights over their personal data—information that identifies or could reasonably be linked to them, directly or indirectly.

Consumers can:

  • Access and request a portable copy of their personal data.

  • Correct inaccurate personal information.

  • Ask for personal data deletion.

  • Require disclosure of data sharing and purchase by non-exempt third parties.

  • Opt in to or opt out of personal data usage, with disclosure of the mechanism used by the Data Controller.

Where the law applies, the ICDPA requires non-discrimination when Indiana residents exercise their rights. Additionally, Indiana, like other states, has special considerations. These include:

  • Sensitive data: Any personal information revealing specific attributes like ethnicity, religious beliefs, health diagnosis, citizenship, political beliefs, and geolocation data within a radius of 1,750 feet. 

  • Children 13 or younger: Comply with the Children's Online Privacy Protection Act (COPPA) first. Children under 13 or their guardians must consent to video recordings.


What are the ICDPA compliance timelines?

Data controllers of video must:

  • Track video creation and access in production environments from January 1, 2026.

  • Take no more than 45 days to resolve a consumer query from the day of its receipt.

  • Appropriately notify the consumer if they need a 45-day extension due to reasonable circumstances.

A lack of compliance leads to a written notice from the Indiana Attorney General specifying a violation. Controllers have 30 days to remediate the alleged violations. Should this fail to happen, organizations may face an injunction or a civil penalty of up to $7,500 per violation.


A checklist for ICDPA privacy protection and security requirements

To identify whether your organization meets ICDPA thresholds, you should:

  • Create and document policies around video data roles, procedures, and handling.

  • Develop and implement a strategic compliance roadmap to meet ICDPA needs.

  • Include and document:

    • The video creation purpose.

    • Video capture processes.

    • Storage and sharing processes.

    • Usage justification.

    • Decision-making rationale and issue resolution processes.

  • Schedule regular audits of privacy measures.

  • Train all data controllers and processors on the legal requirements.

When handling cross-state privacy requests, any Indiana residents in video footage must be de-identified to comply with multiple state laws.

