Delaware enacted its Personal Data Privacy Act in September 2023, joining the growing number of states with consumer privacy legislation. The law took effect on January 1 2025 and includes some of the lowest applicability thresholds of any state privacy law.
What Is the DPDPA?
The Delaware Personal Data Privacy Act (DPDPA) grants Delaware residents rights over their personal data and establishes obligations for businesses that collect and process that data. Like Oregon and Colorado, Delaware’s law applies to most nonprofit organizations, expanding its reach beyond the typical for-profit focus.
Enforcement is handled by the Delaware Department of Justice. There is no private right of action.
Does It Apply to Your Business?
The DPDPA applies to entities that conduct business in Delaware or produce products or services targeted to Delaware residents. To be covered, an entity must also meet at least one of two thresholds during the preceding calendar year:
Threshold 1: Control or process the personal data of at least 35,000 Delaware residents. Personal data processed solely to complete payment transactions is excluded.
Threshold 2: Control or process the personal data of at least 10,000 Delaware residents AND derive more than 20% of gross revenue from selling personal data.
The 35,000-consumer threshold is among the lowest of all state privacy laws, reflecting Delaware’s smaller population.
Nonprofits and Higher Education
Unlike most state privacy laws, the DPDPA applies to nonprofit organizations and institutions of higher education that meet the applicability thresholds.
Key Consumer Rights
Delaware residents have the following rights:
- Right to confirm whether a business is processing their personal data
- Right to access their personal data
- Right to correct inaccuracies
- Right to delete their personal data
- Right to obtain a portable copy of their data
- Right to opt out of targeted advertising
- Right to opt out of the sale of personal data
- Right to opt out of profiling for decisions with legal or significant effects
Business Obligations
Covered entities must:
- Limit data collection to what is adequate, relevant, and reasonably necessary
- Implement reasonable data security measures
- Obtain opt-in consent before processing sensitive data
- Provide clear privacy notices
- Maintain agreements with data processors
- Conduct data protection assessments for high-risk processing (from July 2025)
- Honor universal opt-out mechanisms (from January 2026)
Data Protection Assessment Requirements
Controllers that process data of at least 100,000 consumers must regularly conduct data protection impact assessments on processing activities that present heightened risk to consumers. This requirement applies to processing activities created on or after July 1 2025.
Sensitive Data
The DPDPA uses an expanded definition of sensitive data that includes:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health condition or diagnosis (including pregnancy)
- Sex life or sexual orientation
- Status as transgender or non-binary
- Citizenship or immigration status
- Genetic data
- Biometric data
- Personal data of known children under 13
- Precise geolocation data
The inclusion of pregnancy, transgender/non-binary status, and immigration status reflects a broader approach to sensitivity than some other state laws.
Enforcement and Penalties
The Delaware Department of Justice has exclusive enforcement authority.
The law included a 60-day cure period for violations where the Department determines a cure is possible. However, this cure period expired on December 31 2025. The Attorney General can now pursue enforcement immediately.
Penalties can reach up to $10,000 per violation. The Attorney General can also seek injunctive relief, restitution, and disgorgement.
Key Dates
- September 11 2023: DPDPA signed into law
- January 1 2025: DPDPA took effect
- July 1 2025: Data protection assessment requirements took effect
- December 31 2025: 60-day cure period expired
- January 1 2026: Universal opt-out mechanism requirement takes effect
Where to Find Official Resources
- Delaware Department of Justice Privacy Portal: attorneygeneral.delaware.gov/fraud/personal-data-privacy-portal
- FAQs: attorneygeneral.delaware.gov/fraud/personal-data-privacy-portal/frequently-asked-questions
- Full legal text: legis.delaware.gov – HB 154
Getting Started
Delaware’s low thresholds mean more businesses are covered than in many other states. The 35,000-consumer threshold can be met by relatively modest web traffic from Delaware residents.
With the cure period now expired, businesses should ensure compliance is complete. Review your sensitive data processing against Delaware’s expanded categories, implement consent mechanisms where required, and prepare for the January 2026 universal opt-out requirement.
