Indiana on Monday became the latest in a growing number of U.S. states with a comprehensive consumer data privacy law on the books.

The Indiana privacy bill (SB 5) was signed into law by Gov. Eric Holcomb. The bill, like its other state counterparts, gives consumers more rights to control how their personal data is collected and used by companies.

When the bill takes effect Jan. 1, 2026, Indiana residents will have the right to prohibit their data from being sold, to delete personal data that is collected by third parties, and to opt out of advertising that uses their personal data to tailor ads to them.

Under the law, businesses must conduct risk assessments regarding how well they are protecting the personal data they collect.

The law applies to businesses that gather data from 100,000 or more Indiana residents during a calendar year or that collect data from 25,000 or more Indiana residents and receive 50 percent or more of their revenue from selling consumer data.

Businesses will have 30 days to fix violations upon receiving a written notice. The law will be enforced by the state attorney general.

Businesses that don’t comply with the law might be subject to fines of up to $7,500 per violation.

Indiana follows California, Colorado, Connecticut, Iowa, Utah, and Virginia in enacting comprehensive privacy laws. Iowa’s law, passed in March, takes effect in 2025, while the other states’ respective laws—or amendments, in the case of California—take effect this year.

States have taken on the issue of consumer data privacy in the face of inaction by Congress. Most the laws are similar to each other, with the exception of the California Consumer Privacy Act (CCPA). The CCPA took effect in 2020 and is being significantly amended this year.

The CCPA stands apart because it creates a new agency to enforce much of the law, extends privacy rights to employees, and allows individuals to sue companies in some circumstances if their data is subjected to a breach.

Consumer Reports criticized the Indiana bill, saying it was not tough enough, and called on the legislature to strengthen the bill in its next session. The law’s privacy protections are “undercut by weak definitions of what constitutes a sale and targeted advertising,” the nonprofit said in a press release.