The Delaware Personal Data Privacy Act took effect on January 1 2025. With the 60-day cure period expiring at the end of 2025, the Delaware Department of Justice now has full discretion to pursue enforcement immediately upon discovering violations.
How DPDPA Enforcement Works
The Delaware Department of Justice has exclusive enforcement authority under the DPDPA. Consumers cannot bring private lawsuits for violations.
The law originally included a 60-day cure period for violations where the Department determined a cure was possible. This cure period expired on December 31 2025, meaning enforcement can now proceed immediately.
Penalties can reach up to $10,000 per violation. The Attorney General can also seek injunctive relief, restitution, and disgorgement of profits obtained through violations.
Enforcement Status
As of January 2026, the Delaware Department of Justice has not publicly announced enforcement actions or fines under the DPDPA. The law has been in effect for one year, with the cure period recently expiring.
During the cure period, potential violations were likely addressed through notice and remediation rather than formal enforcement proceedings. With the cure period now ended, public enforcement actions may become more common.
Enforcement Expectations
Based on the DPDPA’s requirements and patterns in other states, businesses should anticipate attention in these areas:
Low threshold violations. Delaware’s 35,000-consumer threshold is among the lowest of any state. Businesses that may not be covered by other state laws could still fall under Delaware’s requirements. Non-compliance by entities unaware they are covered is a likely enforcement focus.
Sensitive data consent. The DPDPA requires opt-in consent for sensitive data processing. Delaware’s expanded sensitive data definition includes pregnancy, transgender/non-binary status, and immigration status. Processing these categories without proper consent creates enforcement risk.
Nonprofit compliance. Unlike most state laws, Delaware covers nonprofits that meet the thresholds. Nonprofits may be less prepared for privacy compliance, making this sector a potential focus.
Universal opt-out mechanisms. From January 1 2026, controllers must honor universal opt-out signals like Global Privacy Control. Failure to implement this requirement is easily detectable and enforceable.
Penalty Structure
Delaware’s $10,000 per-violation penalty is higher than many other states, which typically cap per-violation fines at $7,500. Each affected consumer can constitute a separate violation, so exposure can accumulate quickly.
The ability to seek disgorgement of profits is notable. This allows the Attorney General to pursue not just fines but also the revenue a business obtained through non-compliant data practices.
What This Means for Your Organization
Delaware’s combination of low thresholds, higher per-violation penalties, and the expired cure period creates meaningful enforcement risk.
Businesses should:
- Verify whether they meet Delaware’s 35,000 or 10,000 consumer thresholds
- Implement consent mechanisms for all sensitive data categories
- Ensure data protection assessments are documented for high-risk processing
- Prepare for universal opt-out requirements effective January 2026
The end of the cure period means violations discovered now will not receive a warning period. Proactive compliance is the appropriate approach.
