Indiana § 24-15-3-1 Personal data; consumer rights; consumer's request to controller;
compliance by controller; consumer's right to appeal

Indiana Statutes

§ 24-15-3-1 — Personal data; consumer rights; consumer's request to controller; compliance by controller; consumer's right to appeal

Indiana § 24-15-3-1

Art. 15CONSUMER DATA PROTECTION

Ch. 3Personal Data; Consumer Rights

This text of Indiana § 24-15-3-1 (Personal data; consumer rights; consumer's request to controller; compliance by controller; consumer's right to appeal) is published on Counsel Stack Legal Research, covering Indiana primary law. Counsel Stack provides free access to over 12 million legal documents including statutes, case law, regulations, and constitutions.

Bluebook

Ind. Code § 24-15-3-1 (2026).

Text

Effective 1-1-2026. Sec. 1.

(a)A consumer may invoke one (1) or more rights set forth in subsection (b) by submitting to a controller a request specifying the rights the consumer wishes to invoke. A known child's parent or legal guardian may invoke on behalf of the child one (1) or more rights set forth in subsection (b) with respect to the processing of personal data belonging to the known child by submitting to a controller a request specifying the rights the consumer wishes to invoke on behalf of the child. Except as provided in IC 24-15-7-1(c) and IC 24-15-7-2, and subject to any limitations or conditions set forth in subsections (b) and (c), a controller shall comply with an authenticated consumer request to exercise a right set forth in subsection (b).

(b)A consumer has the followi

Free access — add to your briefcase to read the full text and ask questions with AI

Effective 1-1-2026.
Sec. 1. (a) A consumer may invoke one (1) or more
rights set forth in subsection (b) by submitting to a controller a request
specifying the rights the consumer wishes to invoke. A known child's
parent or legal guardian may invoke on behalf of the child one (1) or
more rights set forth in subsection (b) with respect to the processing of
personal data belonging to the known child by submitting to a
controller a request specifying the rights the consumer wishes to invoke
on behalf of the child. Except as provided in IC 24-15-7-1(c) and IC 24-15-7-2, and subject to any limitations or conditions set forth in
subsections (b) and (c), a controller shall comply with an authenticated
consumer request to exercise a right set forth in subsection (b).
(b) A consumer has the following rights:
(1) To confirm whether or not a controller is processing the
consumer's personal data and, subject to the limitations set forth
in subdivision (4), to access such personal data.
(2) To correct inaccuracies in the consumer's personal data that
the consumer previously provided to a controller, taking into
account the nature of the personal data and the purposes of the
processing of the consumer's personal data. Upon receiving a
request from a consumer under this subdivision, a controller shall
correct inaccurate information as requested by the consumer,
taking into account the nature of the personal data and the
purposes of the processing of the consumer's personal data.
(3) To delete personal data provided by or obtained about the
consumer.
(4) To obtain either:
(A) a copy of; or
(B) a representative summary of;
the consumer's personal data that the consumer previously
provided to the controller. Information provided to a consumer
under this subdivision must be in a portable and, to the extent
technically practicable, readily usable format that allows the
consumer to transmit the data or summary to another controller
without hindrance, in any case in which the processing is carried
out by automated means. The controller has the discretion to send
either a copy or a representative summary of the consumer's
personal data under this subdivision, taking into account the
nature of the personal data and the purposes of the processing of
the consumer's personal data. A controller is not required to
provide a copy or a representative summary of a consumer's
personal data to the same consumer under this subdivision more
than one (1) time in a twelve (12) month period.
(5) To opt out of the processing of the consumer's personal data
for purposes of:
(A) targeted advertising;
(B) the sale of personal data; or
(C) profiling in furtherance of decisions that produce legal or
similarly significant effects concerning the consumer.
(c) Except as otherwise provided in this article, a controller shall
comply with a request by a consumer to exercise a consumer right set
forth in subsection (b) as follows:
(1) A controller shall respond to the consumer without undue
delay, but in any case not later than forty-five (45) days after
receipt of the consumer's request under this section. The response
period prescribed by this subdivision may be extended once by an
additional forty-five (45) days when reasonably necessary, taking
into account the complexity and number of the consumer's
requests, as long as the controller informs the consumer of any
such extension within the initial forty-five (45) day response
period, along with the reason for the extension.
(2) If a controller declines to take action regarding the consumer's
request, the controller shall inform the consumer without undue
delay, but in any case not later than forty-five (45) days after
receipt of the consumer's request under this section, of the
justification for declining to take action, and shall provide
instructions for how to appeal the decision under subsection (d).
(3) Information provided in response to a consumer request shall
be provided by a controller free of charge, up to one (1) time
annually per consumer. If requests from a consumer are
manifestly unfounded, excessive, or repetitive, the controller may
charge the consumer a reasonable fee to cover the administrative
costs of complying with the request or decline to act on the
request. The controller bears the burden of demonstrating the
manifestly unfounded, excessive, or repetitive nature of the
request.
(4) If a controller is unable to authenticate the request using
commercially reasonable efforts, the controller shall not be
required to comply with a request to initiate an action under this
section and may request that the consumer provide additional
information reasonably necessary to authenticate the consumer
and the consumer's request.
(5) A controller that has obtained personal data about a consumer
from a source other than the consumer is considered to comply
with a request by the consumer under subsection (b)(3) to delete
the consumer's personal data if the controller:
(A) retains:
(i) a record of the consumer's request for deletion; and
(ii) the minimum data necessary to ensure that the consumer's
personal data remains deleted from the controller's records;
and
(B) does not use the data retained under clause (A)(ii) for any
other purpose.
(d) A controller shall establish a process for a consumer to appeal,
within a reasonable period of time after the consumer's receipt of a
decision by the controller under subsection (c)(2), the controller's
refusal to take action on a request by the consumer under this section.
The appeal process shall be conspicuously available and similar to the
process for submitting requests to invoke a right under this section. Not
later than sixty (60) days after receipt of an appeal, a controller shall
inform the consumer in writing of any action taken or not taken in
response to the appeal, including a written explanation of the reasons
for the decisions. If the appeal is denied, the controller shall also
provide the consumer with an online mechanism, if available, or other
method through which the consumer may contact the attorney general
to submit a complaint.