Overview
The Delaware Personal Data Privacy Act (DPDPA) is a comprehensive consumer privacy law that grants Delaware residents new rights over their personal data while establishing strict compliance obligations for businesses. Signed into law on September 11, 2023, the DPDPA takes effect on January 1, 2025.
Delaware’s privacy law is considered one of the strongest consumer privacy laws in the U.S., closely resembling Connecticut’s CTDPA and Colorado’s CPA, while introducing lower applicability thresholds that cover more businesses than other state laws.
Who Must Comply?
The DPDPA applies to businesses that conduct business in Delaware or target Delaware residents and meet one of the following criteria:
✔ Process personal data of at least 35,000 Delaware consumers annually
✔ Process personal data of at least 10,000 Delaware consumers and derive over 20% of gross revenue from selling personal data
Exemptions:
The law does not apply to:
🚫 Government agencies
🚫 Nonprofits
🚫 Financial institutions subject to GLBA
🚫 HIPAA-covered entities
🚫 Higher education institutions
Key Consumer Rights Under DPDPA
✔ Right to Access – Consumers can request a copy of their personal data.
✔ Right to Correct – Consumers can request corrections to i
naccurate personal data.
✔ Right to Delete – Consumers can request the deletion of personal data.
✔ Right to Data Portability – Consumers can receive their data in a portable format.
✔ Right to Opt-Out – Consumers can opt out of:
- Targeted advertising
- Sale of personal data
- Automated profiling that affects legal or financial decisions
📌 Expanded Sensitive Data Protections – Delaware’s law includes additional protections for transgender/nonbinary status, citizenship, and immigration status, making it broader than most other state laws.
Business Compliance Requirements
✔ Universal Opt-Out Mechanism (Starting January 1, 2026) – Businesses must recognize Global Privacy Control (GPC) signals.
✔ Opt-In Consent for Sensitive Data – Businesses must obtain explicit consent before processing:
📌 Racial/ethnic origin
📌 Religious beliefs
📌 Biometric data
📌 Health conditions
📌 Sexual orientation
📌 Citizenship or immigration status
✔ Transparency & Privacy Notices – Companies must publish clear privacy policies detailing how they collect, use, and store personal data.
✔ Data Protection & Security – Businesses must implement reasonable security safeguards to protect consumer data.
✔ Risk Assessments for High-Risk Processing – Companies must conduct Data Protection Assessments (DPA) for:
📌 Targeted advertising
📌 Data sales
📌 AI-driven decision-making
Real-World Enforcement Cases
The Delaware Department of Justice enforces the DPDPA, with penalties of up to $10,000 per violation.
📌 Cure Period Ends in 2026 – Until January 1, 2026, businesses have 60 days to fix violations before penalties apply.
Since the law takes effect in January 2025, major enforcement cases are expected in 2026, likely focusing on ad tech firms, AI profiling, and companies failing to honor consumer opt-out requests.
📌 Comparison with Other State Privacy Laws
The Delaware DPDPA is one of the most consumer-friendly privacy laws in the U.S.:
✅ Lower Applicability Thresholds – Covers businesses processing only 35,000 consumers’ data, compared to 100,000 in most other states.
✅ Universal Opt-Out Signals Required (2026) – Businesses must honor automated privacy requests.
✅ Expanded Sensitive Data Protections – Includes immigration, transgender status, and citizenship, unlike many state laws.
Future of DPDPA Regulation
📌 Stronger enforcement actions expected in 2026 after the cure period ends.
📌 Possible expansion of consumer rights in future amendments.
📌 Potential updates to align with federal privacy laws if passed.
Delaware’s DPDPA sets a new standard for consumer privacy rights, with broad applicability, strong opt-out mechanisms, and strict enforcement measures.
