Indiana Consumer Data Protection Act: The 2026 Surprise for Mid-Market Companies
Indiana's SB 5 was quietly signed into law on May 1, 2023, and most compliance teams outside the state barely noticed. The Indiana Consumer Data Protection Act (INCDPA) takes effect on January 1, 2026, and it follows the Virginia/Connecticut model closely enough that it might look like a copy-paste job. It is not. A few specific provisions, particularly the cure period and the treatment of automated decision-making, deserve careful attention from mid-market companies doing business with Indiana residents.
Applicability Thresholds
The INCDPA applies to persons that conduct business in Indiana or produce products or services targeted to Indiana residents, and that during a calendar year meet one of two thresholds:
- Control or process personal data of at least 100,000 Indiana consumers, or
- Control or process personal data of at least 25,000 Indiana consumers and derive more than 50% of gross revenue from the sale of personal data.
These thresholds mirror Virginia's VCDPA almost exactly. The word "consumers" here excludes individuals acting in a commercial or employment context, which narrows the scope more than you might initially think. If your company processes data primarily in a B2B capacity (employee records, business contact information), you may fall below the threshold even with significant Indiana operations.
But here is where mid-market companies get caught off guard. Indiana has roughly 6.8 million residents. If you run a consumer-facing SaaS product, a patient portal, a financial services app, or an edtech platform with any meaningful Indiana user base, hitting 100,000 consumers is not a stretch. Companies in the 500 to 5,000 employee range, the ones that often lack dedicated state privacy compliance teams, are exactly the ones most likely to trip over this threshold without realizing it.
Core Obligations
The substantive requirements will feel familiar if you have already operationalized compliance with the VCDPA or the Connecticut Data Privacy Act (CTDPA). Controllers must:
- Limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purpose.
- Establish, implement, and maintain reasonable administrative, technical, and physical data security practices.
- Not process sensitive data without obtaining consumer consent (opt-in).
- Conduct and document data protection assessments for processing activities that present a heightened risk of harm to consumers.
- Provide a reasonably accessible, clear privacy notice that includes the categories of data processed, the purpose, how consumers can exercise their rights, and whether data is shared with third parties.
Consumer rights under the INCDPA include the right to confirm, access, correct, delete, and obtain a portable copy of personal data. Consumers also have the right to opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
That last category, profiling, is where things get interesting for companies deploying AI.
The 30-Day Cure Period
Indiana included a 30-day right to cure, and unlike some other state laws, this cure period does not sunset. Under the CTDPA, for example, the cure provision expired on January 1, 2025. Oregon's cure period sunsets on January 1, 2026. Indiana's cure period, as written in the statute (Ind. Code 24-15-9), has no expiration date.
The Indiana Attorney General must provide written notice of an alleged violation and give the controller 30 days to cure it before bringing an enforcement action. If the controller cures the violation and provides a written statement that the violation has been cured and that no further violations will occur, the AG cannot proceed.
This is a meaningful enforcement buffer, but it should not breed complacency. The AG retains the ability to seek damages of up to $7,500 per violation if the cure is inadequate or the controller fails to comply within the window. And the "no further violations" attestation creates a paper trail. If you cure once and then repeat the same violation, you have essentially handed the AG a documented pattern of noncompliance.
Also worth noting: there is no private right of action under the INCDPA. Enforcement rests exclusively with the Attorney General's office. This reduces litigation risk from class actions but concentrates enforcement discretion in a single office that may choose to make examples of specific sectors or violations.
AI Processing and Profiling Implications
The INCDPA defines "profiling" as any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. This definition is broad enough to capture a significant range of AI and machine learning applications.
If your company uses AI models that process personal data of Indiana consumers to make or inform decisions about credit, insurance underwriting, hiring, healthcare treatment recommendations, or educational outcomes, you are profiling under the statute. Consumers have the right to opt out of this profiling when it produces "decisions that produce legal or similarly significant effects concerning the consumer."
The practical challenge here is implementing the opt-out mechanism in a way that actually works. If your AI pipeline ingests consumer data at multiple points, the opt-out has to propagate through the entire processing chain. A front-end toggle that does not actually suppress downstream model inference is not compliance; it is a liability.
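The propagation problem described above, as an added example that is not part of the original article or any vendor's product: a registry of opt-outs that every pipeline stage consults, with the check repeated at inference so that an opt-out arriving after ingestion still suppresses scoring. The record format, consumer ids, purposes and the toy model are all constructed assumptions.

```python
# Added example: propagating a profiling opt-out through an AI pipeline.
# Constructed, hypothetical code; record fields, ids and the registry API are
# assumptions, not the statute's text or any vendor's product.
PROFILING = "profiling"  # one of the opt-out purposes the page lists

# Constructed sample records with fictional consumer ids and incomes.
SAMPLE_RECORDS = [
    {"consumer_id": "c-1001", "income": 52_000},
    {"consumer_id": "c-1002", "income": 31_000},
    {"consumer_id": "c-1003", "income": 88_000},
]

class OptOutRegistry:
    """Single source of truth consulted by every stage, not only the web toggle."""
    def __init__(self):
        self._entries = {}  # consumer_id -> set of opted-out purposes
    def opt_out(self, consumer_id, purpose):
        self._entries.setdefault(consumer_id, set()).add(purpose)
    def is_opted_out(self, consumer_id, purpose):
        return purpose in self._entries.get(consumer_id, set())

def toy_model(features):
    # Stand-in for a scoring model; the threshold is invented for the example.
    return "approve" if features["income"] >= 40_000 else "review"

def run_profiling_pipeline(records, registry, late_opt_outs=()):
    """Ingest -> inference, enforcing the opt-out at both stages.
    late_opt_outs models opt-outs arriving after ingestion but before
    inference, which a single front-end check would miss."""
    audit, staged = [], []
    for r in records:  # stage 1: ingestion
        if registry.is_opted_out(r["consumer_id"], PROFILING):
            audit.append(("ingest", r["consumer_id"], "suppressed"))
        else:
            staged.append(r)
    for cid in late_opt_outs:  # opt-outs landing mid-pipeline
        registry.opt_out(cid, PROFILING)
    decisions, suppressed = {}, []
    for r in staged:  # stage 2: inference, re-checking the registry
        cid = r["consumer_id"]
        if registry.is_opted_out(cid, PROFILING):
            suppressed.append(cid)
            audit.append(("inference", cid, "suppressed"))
            continue
        decisions[cid] = toy_model({"income": r["income"]})
        audit.append(("inference", cid, "scored"))
    # Returns (decisions, suppressed_ids, audit_log) so the outcome is verifiable.
    return decisions, suppressed, audit
```

The audit log is what turns the opt-out from a UI toggle into a defensible record: each consumer id either appears as "scored" or as "suppressed" at a named stage.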
Data protection assessments are required for profiling activities that present a heightened risk of harm. The statute does not specify a particular format for these assessments, but it does require that they identify and weigh the benefits of the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the consumer. If you are already conducting DPIAs under GDPR Article 35, the framework translates reasonably well, though the balancing test under the INCDPA is somewhat less prescriptive.
What Makes Indiana Different in Practice
On paper, the INCDPA looks like another entry in the Virginia-model family of state privacy laws. In practice, three things distinguish it for compliance planning purposes:
- The permanent cure period gives controllers more room to remediate, but the attestation requirement creates long-term accountability.
- The January 1, 2026 effective date places Indiana at the tail of a wave of state laws: Delaware, Nebraska, New Hampshire, and Iowa (each effective January 1, 2025 and already live), followed by the new batch for 2026 itself. Compliance teams managing multi-state programs will need to account for Indiana's specific nuances rather than assuming a single compliance framework covers everything.
- Indiana's economic profile includes significant healthcare (Eli Lilly, major hospital systems), financial services, defense contracting, and higher education sectors. Companies in these verticals with Indiana operations or customer bases should assume they are in scope.
One more practical note: the INCDPA does not recognize universal opt-out mechanisms (like the Global Privacy Control) as a required method for consumers to exercise opt-out rights. This contrasts with Colorado and Connecticut, which do require recognition of such signals. You still need to provide an opt-out method, but you have more flexibility in how you implement it.
How FirmAdapt Addresses INCDPA Compliance
FirmAdapt's platform maps state-specific privacy obligations, including the INCDPA's profiling and data protection assessment requirements, directly into operational workflows. For companies running AI processing pipelines that touch consumer data across multiple states, FirmAdapt tracks which obligations apply at the state level and flags where opt-out mechanisms, consent requirements, or assessment documentation fall short of the applicable standard.
The platform also maintains a current inventory of cure period provisions, sunset dates, and enforcement parameters across all active state privacy laws. For Indiana specifically, FirmAdapt's compliance architecture helps teams document cure responses and attestations in a way that creates a defensible record, which matters significantly given the INCDPA's permanent cure framework and the per-violation penalty exposure.