The Indiana ICDPA question usually hits at the worst possible time: right after you ship something, right before a launch, or while you’re already drowning in vendor dashboards. Today, in about 5 minutes, you’ll figure out whether Indiana’s thresholds likely pull your business in—and what to do if you’re “close enough to be nervous.” I’ll walk you through a simple 100k/25k test, the two counting mistakes that blow up spreadsheets, and a few real-world examples (Shopify, SaaS, lead gen, content sites) so you can stop guessing and start deciding.
Table of Contents
1) The 30-Second “Do I Qualify?” Gate (Before You Count Anything)
Before you open Google Analytics, Shopify, HubSpot, or whatever dashboard is currently judging you… do the gate test. This saves time, because threshold math doesn’t matter if you’re not in the “right universe” of businesses the law targets.
A. Do you “do business in Indiana” or target Indiana residents?
The common-sense version: if you sell to Indiana residents, ship into Indiana, market to Indiana, or operate there, you should at least run the threshold test. The Indiana Attorney General’s consumer-facing guidance describes coverage as businesses that do business in Indiana or target Indiana residents during the applicable year and meet the thresholds.
- Yes, likely: Indiana customers, Indiana service area, Indiana app users, Indiana marketing campaigns.
- Maybe: You’re out-of-state but run Indiana-specific targeting, promotions, or a strong Indiana customer base.
- Probably not: You have purely incidental Indiana visits and no targeting, no sales, no Indiana footprint.
B. Are you processing consumer data (not employees/B2B contacts)?
Indiana’s public “Bill of Rights” explanation frames the law around Indiana residents acting in a personal, family, or household capacity. That’s important: lots of businesses panic because they have 120,000 email addresses… but many are work contacts, vendors, or applicants. Those often get treated differently in state privacy laws. (Translation: your sales CRM is not automatically your “consumer count.”)
Quick personal confession: the first time I helped a team “count consumers,” we accidentally included every sales lead from trade shows. The number looked terrifying for about 20 minutes. Then we separated consumers vs business contacts and the spreadsheet calmed down like a startled cat.
C. Are you exempt (industry/entity carveouts) before thresholds even matter?
Indiana’s Attorney General guidance lists several common exemptions (even if thresholds are met), including certain nonprofits, financial institutions, HIPAA-covered entities, higher education institutions, public utilities, and government entities under municipal and public-law structures. Exemptions can be the “fast exit”… but they can also be a trap if you assume you’re exempt and stop reading.
- Don’t count anything until you know you’re counting the right population.
- Exemptions can apply at the entity level or only to certain data.
- “We’re small” is not an exemption; it’s a hypothesis you test.
Apply in 60 seconds: Write a one-sentence statement: “We do/do not target Indiana consumers because ___.” Save it with your compliance notes.
2) The Threshold Test, Plain English: 100k vs 25k+50%
Here’s the heart of the Indiana ICDPA applicability question. Indiana’s Attorney General consumer guidance summarizes it in two lanes: (1) 100,000+ Indiana residents’ personal data, or (2) 25,000+ plus 50%+ of gross revenue from the sale of personal data.
A. The 100,000 consumer path: when it’s easier than it sounds
This lane catches businesses with genuine scale: large apps, high-traffic platforms with logged-in Indiana users, big ecommerce brands, or services with broad Indiana adoption. If you’re a typical local business or a niche ecommerce store, you often won’t touch 100,000 Indiana consumers in a year.
- Feels realistic for: consumer apps, marketplaces, large SaaS with consumer accounts, major retailers.
- Often unrealistic for: local service businesses, boutique ecommerce, small agencies, niche newsletters.
B. The 25,000 + 50% revenue path: the “data seller” trigger
This lane is the one that scares lead-gen companies for a reason. The idea is simple: if half your money comes from selling personal data, the bar for “number of consumers” drops. In practice, many normal ad-supported sites won’t meet the 50% trigger because their revenue isn’t “from the sale of personal data” in the way the statute describes.
But if you’re paid based on lists, records, leads, or identity-enriched profiles, you should treat this lane like a flashing yellow light.
C. Open loop: You might be counting the wrong people (and missing the real number)
The fastest way to get the wrong answer is to use the wrong “unit.” Sessions are not people. Devices are not always people. Email subscribers are not always consumers. And Indiana consumers are not “all users.”
Show me the nerdy details
A practical counting approach many teams use is “unique Indiana consumers whose personal data we controlled or processed during the calendar year.” That typically maps to unique customer records, unique user accounts, or unique profiles in your systems. If you only have anonymous web traffic, it’s often harder to argue you “control or process” a specific Indiana consumer’s personal data at scale—unless your vendors and identifiers create linkable profiles. The key is consistency: pick a counting method, document it, and use it year-over-year.
Money Block: Eligibility checklist (quick yes/no)
- Indiana connection? We do business in Indiana or target Indiana residents. (Yes/No)
- Consumer personal data? We handle Indiana residents’ data for personal/household purposes. (Yes/No)
- Threshold lane 1: We control/process personal data of ~100,000+ Indiana consumers/year. (Yes/No/Not sure)
- Threshold lane 2: We control/process ~25,000+ Indiana consumers/year and 50%+ of gross revenue is from selling personal data. (Yes/No/Not sure)
- Major exemption likely? (Nonprofit types, HIPAA covered entity, financial institution, higher ed, public utility, government) (Yes/No/Not sure)
Neutral next step: If you hit “Not sure” twice, move to the vendor + counting section before you declare yourself “out.”
3) Who Counts as a “Consumer” (The Quiet Trap in Your Spreadsheet)
If the ICDPA were a concert hall, “consumer” is the ticket type. Get it wrong, and you’re either standing outside in the rain (overcomplying) or slipping into a seat you didn’t pay for (undercomplying). Neither feels good.
A. Consumers ≠ employees, job applicants, contractors (usually)
Indiana’s consumer-facing guidance frames “consumers” as Indiana residents acting in a personal, family, or household capacity. That suggests an important boundary: employee HR files and job applicant tracking aren’t the same bucket as consumer purchase histories. (This is a common theme across many state privacy laws.)
- Likely “consumer”: customers, app users in personal mode, newsletter subscribers who sign up for personal interest.
- Often not counted the same way: employees, applicants, business-to-business contacts acting in a commercial role.
Tiny lived-experience moment: I once watched a founder’s face change color because their “records” count included every internal Slack user. It wasn’t a privacy law problem. It was an “I need coffee” problem.
B. B2B contacts: what most teams assume—and where it breaks
The risk in B2B is assuming “none of this applies” while running highly consumer-like tracking on your marketing site. Your sales prospect in a work role may not be a “consumer,” but your website visitor reading your blog from their couch at 10:30 PM? That’s a consumer context. Mixed contexts happen all the time.
C. Households/devices/repeat visitors: what not to double-count
Don’t let your analytics tool bully you into counting “people” as sessions. If you’re estimating, aim for a conservative method that avoids double-counting:
- Use unique customer records or unique accounts where possible.
- If you only have email, count unique deliverable emails (and dedupe aliases).
- If you have app installs, consider unique users tied to an identifier you actually control.
D. Let’s be honest… your “users” metric is not your “consumers” metric
“Users” is a product metric. “Consumers” is a legal category. They overlap, but they’re not the same. The moment you treat them as identical, you’ll either inflate your risk or miss it entirely.
Money Block: Mini calculator (rough Indiana consumer estimate)
Use this when you need a fast “are we even close?” sanity check.
- Indiana customers/accounts (last 12 months): ____
- Indiana newsletter subscribers (deduped): ____
- Indiana support tickets tied to unique profiles: ____
Estimated unique Indiana consumers: Add (1) + (2) + (3), then subtract obvious duplicates.
Neutral next step: If your estimate is above 20,000, treat the rest of this article as operationally relevant.
4) What Counts as “Personal Data” in Real Operations (Not Just Theory)
You don’t need a spy thriller. Personal data is usually boring: email addresses, shipping labels, support chats, cookie IDs. It becomes “a thing” when it’s linked or linkable to a person. Indiana’s Attorney General guidance also notes that publicly available info and de-identified/aggregate info generally aren’t treated as personal data in the same way.
A. The obvious: names, emails, phone, shipping, IDs
If you can email someone, ship to them, charge them, or verify them, you’re handling personal data. Most businesses know this. The surprise is rarely the checkout page—it’s the ecosystem around it.
B. The sneaky: persistent identifiers, cookies, ad IDs, precise location
Persistent identifiers (cookies, device IDs, mobile ad IDs) are the “glitter” of data: once they’re in your stack, they show up everywhere. Indiana’s consumer guidance flags precise geolocation and other categories as sensitive, where consent expectations can be stricter.
C. Sensitive data and kids’ data: when risk spikes even below thresholds
Indiana’s published consumer rights summary explicitly calls out sensitive data categories (like certain health-related information, biometric/genetic identifiers, and precise geolocation) as requiring consent. It also addresses children’s data: for children under 13, controllers generally need parental consent consistent with COPPA requirements. (And if your product touches biometrics or “identity-adjacent” signals, it’s worth understanding why thought privacy and biometric inference are becoming real pressure points.)
D. Open loop: Your forms aren’t the problem—your vendors might be
If you collect a simple email, you know where it goes. If a dozen vendors see a dozen identifiers, the map gets fuzzy fast. That fuzziness is where “we didn’t realize…” stories come from. We’ll solve that later with a vendor audit that doesn’t require a PhD in tag management—especially if you have cross-border data flows that can complicate breach and notice expectations.
- Personal data includes identifiers that are linkable to a person.
- Sensitive data and kids’ data raise the stakes.
- Vendors can multiply your data footprint quickly.
Apply in 60 seconds: List your top 5 tools that touch user data (analytics, email, CRM, ads, chat). That’s your starting map.
5) “Sale of Personal Data”: The 50% Revenue Trigger Most Sites Never Hit
“Sale” is the word that makes everyone glance nervously at their ad stack. Take a breath. For many businesses, the 50% revenue trigger is not remotely close. But for others—especially lead gen, list rentals, and data brokerage—it’s the whole ballgame.
A. “Sale” vs “sharing” vs “processing”: why definitions matter
The statute’s definition controls, not the vibe of your revenue model. A good rule of thumb: if money changes hands because personal data changed hands, you should treat it as potentially “sale-ish” and verify against the law’s wording. If money changes hands for services (hosting, email delivery, fraud prevention), that’s typically a different relationship.
B. Typical revenue models that do not equal “sale” (often)
- Subscription revenue for a product or service.
- Direct ecommerce sales of goods.
- Service fees (consulting, coaching, repairs) where data is incidental.
- Vendor processing where the vendor is acting on your behalf (think “processor”).
C. Scenarios that can look like “sale” (data brokerage, list rentals, resale deals)
If you monetize by transferring consumer data to third parties for their own use—especially at a per-record price—this is where the 25k lane starts to matter. Lead gen businesses sometimes discover the uncomfortable truth that their “product” is, effectively, the data. If you want a clean mental model for this, read what “ethical data brokering” looks like in practice (and what crosses the line).
D. Open loop: If you’re paid “per record,” you’re already in the danger zone
If your contract language includes “lead price,” “list price,” “data license,” “per match,” or “per profile,” don’t guess. Pull the agreement and read it like a detective. We’ll also cover a “don’t do this” section later, because the fastest way to create legal pain is to say “we don’t sell” while your contracts quietly disagree.
Money Block: Decision card (Are you “selling data” or using vendors?)
- You pay a vendor to provide a service (email, hosting, analytics).
- The vendor acts on your instructions and doesn’t use data for its own independent purpose.
- The contract looks like a typical services agreement with privacy terms.
Time/cost trade-off: Faster to document; still requires vendor inventory.
- You’re paid because personal data is transferred or licensed.
- Third parties can use the data for their own purposes.
- Pricing references leads, lists, records, matches, or profiles.
Time/cost trade-off: Slower to untangle; may need counsel review.
Neutral next step: Pull your top 3 revenue contracts and highlight every clause that mentions data transfer, licensing, or resale.
6) Exemptions & Carveouts: The Shortcut (and the False Comfort)
Exemptions feel like finding an unlocked door when you thought you’d have to climb the building. But you still want to confirm it’s your door.
A. Entity-level exemptions: when you’re fully out (and when you’re not)
Indiana’s Attorney General consumer materials describe several categories that the law generally does not apply to, including certain nonprofit organizations (like 501(c)(3), 501(c)(6), or 501(c)(12)), certain financial institutions, HIPAA covered entities, higher education institutions, public utilities, and government entities. If you’re clearly in one of those categories, you may be largely out of scope.
B. Data-level exemptions: when only certain datasets are exempt
Some businesses are mixed: you might run a consumer app and a health-adjacent program, or you might serve consumers and process regulated data types. In many privacy regimes, certain data sets get special treatment even when the broader business remains covered. If you’re mixed, don’t rely on “we’re HIPAA-ish” as a blanket shield.
C. Mixed-model businesses: one line of business can pull others into scope
This is the most common exemption mistake I see: a company is exempt in one program, then launches a second program that is very much not exempt. Six months later, their privacy policy is a stitched quilt of contradictions. (Beautiful craftsmanship. Terrible compliance.)
7) Real-World Examples: Quick “Would This Business Be Covered?”
Examples are where the fog lifts. Let’s do quick sketches—because you don’t need another theoretical definition; you need a decision.
A. Local service business (plumber/dentist studio): lots of leads, low scale
A typical local service business might collect names, phone numbers, appointment notes, and payment information. That’s personal data, yes—but the threshold question is scale. Many won’t have anywhere near 25,000 Indiana consumers in a year.
- Likely outcome: Often below thresholds.
- Still smart to do: Basic privacy notice, data minimization, vendor list.
B. Shopify brand: 30k customers + email marketing + analytics
This is where it gets interesting. If you have 30,000 unique Indiana customers (not total customers), you’re already flirting with the 25k lane. But the 25k lane only becomes “applicable” if 50%+ of gross revenue comes from selling personal data. Most product brands don’t hit that.
The bigger risk for Shopify brands is inconsistent disclosures: you say one thing in the privacy policy, your marketing stack does another.
C. App/SaaS with freemium users: user accounts vs MAUs vs “consumers”
If you have consumer accounts and can link data to individuals, your counting is easier (and your exposure is clearer). If you have mostly anonymous traffic, you might be tempted to shrug. Don’t. Vendors can create linkable identifiers even when your app feels anonymous.
D. Publisher/blog with ads: traffic ≠ covered (usually)—but here’s when it changes
A content site can have huge traffic but very few identifiable consumers it controls—especially if it collects minimal data. The “but” is when the site runs sophisticated profiling, email capture, membership accounts, or data-sharing relationships that make data linkable and transferable.
Personal anecdote: I once helped a content site that swore it collected “nothing.” Then we looked at their tag manager. It was… a small galaxy of digital identifiers and vendor calls.
E. Data reseller/lead gen: the 25k + 50% scenario in plain sight
If your revenue depends on transferring leads or personal data to third parties—especially if pricing is per lead—this is the classic “25k + 50%” profile. You may meet the lower consumer count and the revenue trigger at the same time.
- Local service businesses are often below thresholds.
- Big consumer apps can hit 100k sooner than expected.
- Lead gen and list-based monetization deserve a closer look.
Apply in 60 seconds: Identify which example you resemble most, then jump to the matching “mistakes” section.
8) Common Mistakes That Trigger “Accidental Noncompliance”
If you want a grimly useful truth: most compliance failures aren’t evil. They’re messy. They’re “we thought the vendor did it.” They’re “the intern changed the cookie banner.” They’re “we never updated the policy after the new tool.”
A. Mistake #1: Treating website sessions as consumer counts
Sessions inflate. Devices inflate. Returning visitors inflate. If you use these numbers, you’ll either panic unnecessarily or rationalize incorrectly. Count unique consumer profiles you can reasonably link to individuals in your systems.
B. Mistake #2: Ignoring the sale-of-data definition in partner deals
The moment you’re paid for a list, lead, record, or profile, your legal exposure changes. The fastest way to “accidentally” step into the 25k lane is to treat data transfer as a simple marketing partnership.
C. Mistake #3: Assuming “small = exempt”
Being small helps. It does not automatically exclude you. The law is threshold-based and exemption-based—not “vibes-based.” (If only.)
D. Mistake #4: Copy-pasting a privacy policy that doesn’t match your actual flows
A mismatch between reality and disclosure is where trust dies. It’s also where regulators start asking follow-up questions—especially once you understand how U.S. consumer-protection enforcement actually works in practice. Keep your policy boring, accurate, and aligned with your systems.
9) Don’t Do This: The 5 Moves Regulators (and Plaintiffs) Love
This section is uncomfortable on purpose. If you avoid these, you avoid a lot of preventable pain.
A. Saying “we don’t sell data” while running contradictory ad/affiliate setups
Don’t declare absolutes you can’t defend. If you share identifiers with third parties, be precise. If you don’t know, find out before your policy does improv theater.
B. Offering rights requests… but having no way to verify or fulfill them
Indiana’s consumer guidance explains rights like access, deletion, correction, opt-out, and appeals. If your privacy policy invites requests, you need an intake process that doesn’t collapse the moment someone asks for deletion.
C. Collecting more data “just in case” (and never deleting it)
Data minimization isn’t just ethics. It’s cost control. Every extra field is future work: retention, security, breach exposure you may later be forced to investigate, and request fulfillment.
D. Treating opt-outs as a banner problem instead of a system problem
A banner can collect signals. It can’t magically enforce them across tools unless your systems are wired to honor the choices.
E. Here’s what no one tells you… “We’re compliant” is a process, not a page
A privacy notice is a summary of your behavior. If the behavior isn’t stable, the notice won’t stay true. Build a small, repeatable process. That’s the boring secret.
- Avoid absolute claims you can’t verify.
- Don’t offer consumer rights without an intake workflow.
- Opt-outs require system wiring, not just a banner.
Apply in 60 seconds: Search your privacy policy for “sell” and “share.” If you see absolutes, validate them against vendor reality.
10) If It Applies: Minimum Compliance Checklist (Practical, Not Performative)
If the ICDPA likely applies, your goal is not perfection. Your goal is operational truth: you can explain what you collect, why you collect it, who gets it, and how a consumer can exercise rights—without spinning.
A. Map your data: collection → use → sharing → retention
A simple map beats a fancy one. Start with your top 10 data sources: checkout, account signup, newsletter, support, analytics, ads, CRM, payment processor, shipping, and logs. Then list where the data goes.
Show me the nerdy details
A useful mapping format is “system → data categories → purpose → recipients → retention.” If you can export this as a single page, you’ll thank yourself later when a consumer request arrives or when your team adds a new vendor. It also aligns nicely with the kind of privacy risk management approach described in NIST’s Privacy Framework materials.
B. Update your privacy notice: rights, categories, purposes, disclosures
Indiana’s consumer guidance emphasizes a clear privacy notice describing categories of personal data processed, purposes, categories shared with third parties, and categories of third parties. Keep it readable. Keep it true.
C. Build an intake pipeline: access/delete/correct/opt-out requests
Indiana’s consumer guidance describes response timelines as 45 days, with a possible additional 45-day extension if you notify the consumer within the original window—up to 90 days total. Your process needs to handle requests, verify identity appropriately, and track outcomes.
| Timeline item | What it means operationally | Practical note |
|---|---|---|
| 45 days | Standard window to respond to a valid consumer request | Create a ticket SLA so requests don’t vanish into inbox limbo |
| +45 days | Extension allowed if you tell the consumer within the original window | Use when requests are complex; document why you extended |
| 90 days total | Maximum response time under the consumer summary guidance | Don’t live here unless you must—speed builds trust |
D. Contract hygiene: DPAs, processor clauses, subprocessor visibility
The Attorney General’s guidance distinguishes controllers (decide how data is processed) from processors (process on behalf of controllers). That relationship needs contract clarity. If you can’t explain who is controller vs processor, you’re not ready for the hard questions yet—and this is exactly where AI/SaaS contract terms and data-processing clauses can quietly decide your real-world obligations.
E. Track decisions: a lightweight evidence file you can actually maintain
Build a tiny “compliance binder” (digital is fine): your threshold estimate, your vendor list, your privacy notice version, and a log of consumer requests. The point is continuity—so the next person doesn’t restart from zero.
11) When to Seek Help (High-Risk Triggers)
You don’t need a lawyer for every cookie. But you do need help when the stakes are high and the facts are messy. Here are the “don’t white-knuckle this alone” moments.
A. You’re near 100k consumers (or rapidly scaling)
If your Indiana user growth is steep, threshold uncertainty is not a comfort blanket. It’s a countdown. Bring in someone who can stress-test your assumptions before you hit the line.
B. You have revenue tied to data sharing/resale/list deals
If 50% of revenue might plausibly be linked to personal data transfers, get a careful read of your contracts. This is where “we didn’t mean it like that” is not a strategy.
C. You process sensitive data, kids’ data, or precise location
Indiana’s published consumer rights summary treats sensitive data and children’s data as consent-heavy areas. If your product touches health-related data, biometrics, or precise geolocation, don’t DIY your way into a corner.
D. You can’t explain your data flows end-to-end in one whiteboard session
If your answer to “where does this data go?” is “uh… vendors?” you don’t need shame—you need a map. That’s fixable. But it’s also the sign you should ask for help if you’re under time pressure.
12) Next Step: One Concrete Action You Can Do Today
Here’s the simplest “get unstuck” move: run a 1-hour Threshold + Vendor audit. Not a full privacy program. Just enough to stop guessing.
A. Run a 1-hour “Threshold + Vendor” audit
- Export the last 12 months of unique Indiana consumer records you can actually link to a person (accounts, customers, subscribers with addresses).
- List every vendor that touches personal data: analytics, ads, email, CRM, chat, forms, payments, shipping, fraud tools.
- Flag revenue relationships that involve data transfer, licensing, resale, “per lead,” or “per record.”
- Label your outcome: likely in scope / likely out / uncertain.
Money Block: Quote-prep list (what to gather before you ask for help)
- Your best estimate of unique Indiana consumers in the last 12 months (and how you counted).
- Your top 10 vendors that touch personal data (including analytics and ads).
- Top 3 revenue agreements that might involve data transfer or lead resale.
- A copy of your current privacy notice and any consent/cookie settings pages.
- Any existing process for consumer requests (even if it’s “support@ inbox”).
Neutral next step: Put these in one folder so you can move fast if you decide to get counsel or a privacy consultant involved.
If your result is “uncertain,” that’s not failure. It’s a useful outcome. It means you’re close enough that precision matters—and you’re smart enough to notice.
Lane B: 25,000+ Indiana consumers/year and 50%+ gross revenue from sale of personal data
How to use: If you’re “uncertain” in any box, your next move is the 1-hour Threshold + Vendor audit—not guessing.
FAQ
1) Does Indiana’s ICDPA apply to businesses outside Indiana that sell into Indiana?
It can. Indiana’s consumer-facing guidance describes coverage for businesses that do business in Indiana or target Indiana residents, and meet the threshold requirements. If you’re out-of-state but actively sell to or target Indiana consumers, you should run the gate + threshold test.
2) Are employee or job applicant records counted toward the 100k/25k threshold?
Indiana’s published consumer guidance frames “consumers” as residents acting in a personal, family, or household capacity, which generally points away from employment contexts. But edge cases exist, especially for mixed systems. If your systems blend HR and consumer data, separate the datasets before you count.
3) Does website traffic count as “consumers” under ICDPA?
Not automatically. Website sessions are not people, and traffic isn’t the same as unique Indiana consumer profiles you control or process. If you can link activity to identifiable individuals (accounts, emails, persistent profiles), counting becomes more relevant. If you’re unsure, use the “mini calculator” approach and then review your vendor identifiers.
4) What qualifies as a “sale of personal data” for the 50% revenue test?
The statute’s definition controls. As a practical business signal, if compensation is tied to transferring personal data (lists, leads, per-record pricing, licensing data for third-party use), you should treat it as potentially within “sale” territory and confirm against the law text.
5) If I use Google Analytics or ads, does that mean I “sell” personal data?
Not necessarily. Many businesses use analytics and advertising tools without deriving revenue from selling personal data. The risk comes from how data is shared, what’s linkable, and whether the relationship resembles a data transfer for value. If your privacy policy uses absolute language (“we never…”) while your tools share identifiers, align the two.
6) What consumer rights must a covered business support under ICDPA?
Indiana’s Attorney General consumer materials summarize rights such as confirming processing, accessing a copy/summary, correcting inaccuracies, deleting personal data, opting out of targeted advertising/sale/profiling, receiving portable data and data-ownership aligned exports, and appealing denials. If the law likely applies to you, build an intake process that can handle these reliably.
7) Are small businesses automatically exempt from ICDPA?
No. The structure is thresholds + exemptions, not “small business = exempt.” Many small businesses will be below thresholds in practice, but it’s still a test you run—not a label you assume.
8) How do I calculate “100,000 consumers” (unique users vs accounts vs households)?
Use a consistent, documentable method: unique Indiana consumer profiles you can link to individuals in your systems during the calendar year (accounts, customers, subscribers). Avoid sessions and raw device counts. Document your methodology so you can repeat it next year without reinventing your logic.
9) What should I do if I’m close to the threshold but not sure?
Treat “close” as a reason to improve your measurement and vendor map. Run the 1-hour audit: export unique Indiana consumer records, inventory vendors, and review any revenue agreements involving data transfer. If you still can’t confidently answer, that’s when targeted professional help is worth the cost.
Wrap-Up: Your 15-Minute Finish
Let’s close the loop from the beginning: the reason this feels hard isn’t because you’re “bad at compliance.” It’s because the answer is hidden in counting and contracts, not in a single definition paragraph. Once you run the gate, estimate your unique Indiana consumers, and scan your revenue relationships for data-transfer language, the fog lifts.
If you only do one thing in the next 15 minutes, do this: open a document titled “ICDPA Threshold Notes” and paste (1) your counting method, (2) your estimate, and (3) your top 10 vendors. That tiny file becomes your anchor the next time someone asks, “Are we covered?”
Last reviewed: 2026-01