When does data privacy rights apply?

Your data privacy rights kick in when:A company collects, stores, or sells your personal data — name, email, phone, location, browsing history, purchase history.You want to know what they have on you.You want them to delete it.You want to opt out of the sale or sharing.You're notified of a data breach that exposed your information.The state-by-state landscape, as of 2026:California (CCPA/CPRA): Still the strongest. Rights to know, delete, opt out of sale and sharing, correct, and limit use of sensitive personal information. Enforced by the California Privacy Protection Agency, the only standalone state privacy regulator. Applies to businesses with $25M+ revenue, data on 100,000+ consumers, or 50%+ revenue from selling data.Colorado, Connecticut, Virginia, Texas, Oregon, Montana, Delaware, Iowa, New Hampshire, New Jersey, Tennessee, Minnesota, and several more — comprehensive privacy laws, varying effective dates through 2026. Most cover access, deletion, correction, and opt-out.States without comprehensive laws: Your main backstop is the FTC's general authority to chase "unfair or deceptive" data practices under Section 5 of the FTC Act, plus the federal sector-specific laws (HIPAA, COPPA, GLBA, FERPA).Three myths:"No federal law means no rights." The state laws now cover roughly half of all Americans, and the federal sectoral laws cover health, financial, education, and kids' data nationwide."Free service means they can do anything." They still owe you a privacy policy disclosure and, in CCPA-and-similar states, opt-out rights regardless of whether you paid."Deleting my account deletes my data." Not automatically. Companies retain data for legal, business, and analytics reasons. To force deletion, you generally have to submit a specific deletion request under your state law.

You're reading the Indiana version.Change state →

Choose your state

Data Privacy Rights in Indiana

Q: What should I do if a company is misusing my personal data or had a data breach?

Step 1: Figure out which law covers you. Your residence usually controls. If you're in California, Colorado, Connecticut, Virginia, Texas, Oregon, or one of the newer states, you have specific statutory rights you can exercise.Step 2: Submit access requests. Most companies have a "Privacy" or "Do Not Sell My Information" link in the footer. California residents can use the phrase "right to know"; the company has 45 days to respond (extendable to 90).Step 3: Opt out of sale and sharing. Under CCPA-style laws, companies have to give you a clear opt-out mechanism. Look for "Do Not Sell or Share My Personal Information" links, and turn on Global Privacy Control in your browser — California-style laws now treat that signal as a binding opt-out.Step 4: After a breach, take the steps. Most states require notification and many require offered credit monitoring. Use it. Change passwords, enable two-factor authentication, freeze your credit.Step 5: Complain. State attorneys general enforce most state privacy laws. California has its dedicated CPPA. The FTC takes federal complaints at reportfraud.ftc.gov.

Q: What should you NOT do about data privacy rights?

Don't toss the breach notice. If a company tells you your data was compromised, the clock has already started. Change passwords, enable 2FA on the affected accounts and any account that reuses the password, and freeze your credit.Don't auto-accept cookie banners. Most are designed to look like accepting all is the easy path — and "Reject All" is hidden behind two clicks. Take the two clicks.Don't read privacy policies as protection. They're disclosures, not commitments. The interesting sections are usually "how we share your data with third parties," "data retention," and "your rights" — the rest is boilerplate.Don't pay data-removal services upfront without comparison. Many of them charge $10–$30 a month to send the same opt-out requests you can send yourself for free. Try DIY first; the requests for the major data brokers are mostly automated forms.

Researched by Ahmed Alsaedi, Lead Engineer

Primary sources cited; not legal advice.

Source: Federal: FTC Act § 5 (15 U.S.C. § 45), HIPAA (42 U.S.C. § 1320d), COPPA (15 U.S.C. §§ 6501–6506), FERPA (20 U.S.C. § 1232g), GLBA (15 U.S.C. §§ 6801–6809). State: California Consumer Privacy Act/CPRA (Cal. Civ. Code § 1798.100 et seq.), Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.), Connecticut Data Privacy Act (Conn. Gen. Stat. § 42-515 et seq.), Virginia Consumer Data Protection Act (Va. Code § 59.1-575 et seq.), Texas Data Privacy and Security Act (Tex. Bus. & Com. Code Ch. 541).

About this article

Sourced from primary statutes (U.S. Code, CFR, state compiled statutes) and official government agency guidance. Written in plain language for general understanding — this is educational content, not legal advice. Our editorial standards

Indiana Law

How Indiana differs from federal law

Indiana enacted the Indiana Consumer Data Protection Act (ICDPA), effective January 1, 2026:

The Indiana Consumer Data Protection Act (IC § 24-15, SB 5, 2023) provides comprehensive consumer data privacy rights
Consumer rights under the ICDPA include: the right to access, correct, delete, and obtain a portable copy of personal data, and the right to opt out of targeted advertising, sale of personal data, and profiling
The ICDPA applies to businesses that conduct business in Indiana and process personal data of at least 100,000 consumers, or 25,000 consumers if deriving over 50% of revenue from selling personal data
Enforcement is exclusively through the Indiana Attorney General — there is no private right of action
Indiana's data breach notification law (IC § 24-4.9) requires businesses to notify individuals of data breaches
Indiana also has the Deceptive Consumer Sales Act (IC § 24-5-0.5) which can apply to deceptive data practices

Additional Steps in Indiana

File data privacy complaints with the Indiana Attorney General at (317) 232-6330 or (800) 382-5516 or in.gov/attorneygeneral. Report data breaches to the AG. For identity theft, file a police report and contact the three major credit bureaus.

Relevant Law: Indiana Consumer Data Protection Act, IC § 24-15. IC § 24-4.9 (data breach notification). IC § 24-5-0.5 (Deceptive Consumer Sales Act).

Federal baseline: Data Privacy Rights nationwide

What is this right?

The United States is one of the only major economies without a single comprehensive federal data privacy law. Congress has come close several times — the American Data Privacy and Protection Act died in committee in 2022, and APRA stalled in 2024 — but never gotten over the line. The result is a patchwork: federal sector-specific laws (HIPAA for health data, FERPA for education records, COPPA for kids under 13, GLBA for financial data) plus a fast-growing list of state laws that look more like the EU's GDPR.

California led with the CCPA in 2018 (strengthened by the CPRA in 2020). Colorado, Connecticut, Virginia, Texas, Oregon, Montana, and a dozen other states have followed with their own comprehensive privacy laws, all with rolling effective dates through 2026. The rights vary, but the core is consistent: you can ask what data a company has, ask them to delete it, and opt out of the sale or sharing of it. Where you live decides what you can demand.

When does it apply?

Your data privacy rights kick in when:

A company collects, stores, or sells your personal data — name, email, phone, location, browsing history, purchase history.
You want to know what they have on you.
You want them to delete it.
You want to opt out of the sale or sharing.
You're notified of a data breach that exposed your information.

The state-by-state landscape, as of 2026:

California (CCPA/CPRA): Still the strongest. Rights to know, delete, opt out of sale and sharing, correct, and limit use of sensitive personal information. Enforced by the California Privacy Protection Agency, the only standalone state privacy regulator. Applies to businesses with $25M+ revenue, data on 100,000+ consumers, or 50%+ revenue from selling data.
Colorado, Connecticut, Virginia, Texas, Oregon, Montana, Delaware, Iowa, New Hampshire, New Jersey, Tennessee, Minnesota, and several more — comprehensive privacy laws, varying effective dates through 2026. Most cover access, deletion, correction, and opt-out.
States without comprehensive laws: Your main backstop is the FTC's general authority to chase "unfair or deceptive" data practices under Section 5 of the FTC Act, plus the federal sector-specific laws (HIPAA, COPPA, GLBA, FERPA).

Three myths:

"No federal law means no rights." The state laws now cover roughly half of all Americans, and the federal sectoral laws cover health, financial, education, and kids' data nationwide.
"Free service means they can do anything." They still owe you a privacy policy disclosure and, in CCPA-and-similar states, opt-out rights regardless of whether you paid.
"Deleting my account deletes my data." Not automatically. Companies retain data for legal, business, and analytics reasons. To force deletion, you generally have to submit a specific deletion request under your state law.

What to Do If a Company Is Collecting or Selling Your Personal Data

Step 1: Figure out which law covers you. Your residence usually controls. If you're in California, Colorado, Connecticut, Virginia, Texas, Oregon, or one of the newer states, you have specific statutory rights you can exercise.

Step 2: Submit access requests. Most companies have a "Privacy" or "Do Not Sell My Information" link in the footer. California residents can use the phrase "right to know"; the company has 45 days to respond (extendable to 90).

Step 3: Opt out of sale and sharing. Under CCPA-style laws, companies have to give you a clear opt-out mechanism. Look for "Do Not Sell or Share My Personal Information" links, and turn on Global Privacy Control in your browser — California-style laws now treat that signal as a binding opt-out.

Step 4: After a breach, take the steps. Most states require notification and many require offered credit monitoring. Use it. Change passwords, enable two-factor authentication, freeze your credit.

Step 5: Complain. State attorneys general enforce most state privacy laws. California has its dedicated CPPA. The FTC takes federal complaints at reportfraud.ftc.gov.

What should you NOT do?

Don't toss the breach notice. If a company tells you your data was compromised, the clock has already started. Change passwords, enable 2FA on the affected accounts and any account that reuses the password, and freeze your credit.

Don't auto-accept cookie banners. Most are designed to look like accepting all is the easy path — and "Reject All" is hidden behind two clicks. Take the two clicks.

Don't read privacy policies as protection. They're disclosures, not commitments. The interesting sections are usually "how we share your data with third parties," "data retention," and "your rights" — the rest is boilerplate.

Don't pay data-removal services upfront without comparison. Many of them charge $10–$30 a month to send the same opt-out requests you can send yourself for free. Try DIY first; the requests for the major data brokers are mostly automated forms.

You shouldn't have to hire a lawyer to assert your rights.

Answer a few questions. We generate a personalized letter citing your state's exact statutes, deadlines, and penalties — ready to print and send in minutes.

Lawyers charge $350+. Your letter: $19.

Privacy Deletion$19 Debt Collector C&D$19 Debt Validation$19 Credit Dispute$19

See all 20 letter types →

Data Privacy Rights in other states

Same topic, different jurisdiction. Pick the one that applies to you.

Legal Resources

We may earn a commission if you use these services — at no extra cost to you. This supports our mission to make legal information free for everyone.

Credit KarmaFree credit monitoring, dispute tools, and alerts. Know when your credit report changes.Check Your Credit Free →IdentityGuardIdentity theft protection and monitoring. Get notified if your personal information is misused.Protect Your Identity →

Every reference below links to its primary source — the statute book, regulator, or court — and carries a verification date. See our citation methodology for how this works.

Indiana

Federal

StatuteGramm-Leach-Bliley Act, 15 U.S.C. § 6801
Imposes privacy and safeguarding duties on financial institutions handling consumer data.
StatuteChildren's Online Privacy Protection Act, 15 U.S.C. § 6501 et seq.
Federal consent and disclosure rules for online services collecting data from children under 13.
StatuteFTC Act § 5, 15 U.S.C. § 45
Bars unfair or deceptive practices — the FTC's core authority over consumer privacy enforcement.
Agency guidanceFTC — Privacy and Security Enforcement
FTC portal collecting consent decrees, data-breach guidance, and enforcement actions.