Skip to main content

Delaware Personal Data Privacy Act

The Delaware Personal Data Privacy Act grants residents broad rights, including access, correction, deletion, and opt-outs, with low thresholds and coverage of many nonprofits. It requires consent for sensitive data and recognition of universal opt-out signals, enforced by the state DOJ.

Jurisdiction
Delaware

Delaware Personal Data Privacy Act

The Delaware Personal Data Privacy Act (DPDPA), enacted as House Bill 154, is Delaware's comprehensive consumer privacy statute. It took effect on January 1, 2025. The DPDPA is among the more protective state laws, with low applicability thresholds and coverage of many nonprofits and institutions of higher education.

Who It Applies To

The DPDPA applies to persons conducting business in Delaware or targeting products or services to Delaware residents that, during the preceding year, controlled or processed the personal data of either 35,000 or more consumers (excluding data used only to complete a payment), or 10,000 or more consumers while deriving more than 20 percent of gross revenue from the sale of personal data. Unlike many state laws, it covers most nonprofits, with limited exceptions. It exempts HIPAA-covered data and financial institutions or data covered by the Gramm-Leach-Bliley Act.

Key Requirements

Controllers must publish a clear privacy notice, practice data minimization, and maintain reasonable security. Consumers have rights to confirm processing, access, correct, delete, obtain a portable copy, opt out of targeted advertising, sale, and profiling with significant effects, and to obtain a list of the categories of third parties to which their data was disclosed. Opt-in consent is required for sensitive data, including data revealing certain status and the data of known children. Controllers must recognize universal opt-out signals and conduct data protection assessments for high-risk processing.

Penalties for Non-Compliance

The Delaware Department of Justice enforces the law; there is no private right of action. Violations are treated as unlawful practices under Delaware consumer protection law. A 60-day cure period was available until December 31, 2025, after which the cure period is discretionary.

How to Comply

Assess whether the low thresholds apply, including any nonprofit operations. Publish an accurate privacy notice and stand up reliable consumer-request workflows with a 45-day response window. Build opt-in consent for sensitive data and recognize universal opt-out preference signals. Maintain documented data protection assessments for targeted advertising, sales, sensitive data, and significant profiling. Ensure processor agreements meet statutory requirements.

Relationship to Other Laws

Delaware's combination of very low thresholds and broad nonprofit coverage means many organizations excluded elsewhere are in scope here. Higher-education institutions should pay particular attention. Because Delaware grants the right to a list of specific third parties and requires universal opt-out recognition, controls built for Oregon and Connecticut map closely. Multistate operators should fold Delaware into a single rights-handling and assessment pipeline rather than maintaining a separate process.

Operational Mechanics

Like its sibling state statutes, this law sets concrete operational requirements that engineering and operations teams must implement. Controllers must respond to a verified consumer rights request without undue delay and within 45 days of receipt, with a single 45-day extension permitted where reasonably necessary given the complexity and volume of requests, provided the consumer is notified of the extension and the reason. Where a controller declines to act, it must inform the consumer of the reason and provide instructions for appealing the decision; the law requires an internal appeal process, and if an appeal is denied the controller must give the consumer a method to contact the state Attorney General to submit a complaint. Controllers may not charge a fee for the first request in a defined period and must establish a secure, reliable means for consumers to submit requests, taking into account the ways consumers normally interact with the controller. Relationships with processors must be governed by a binding contract that sets out processing instructions, confidentiality duties, deletion or return of data at the end of the engagement, and the duty to assist the controller with security, breach response, and assessments. Treating these mechanics as shared platform services, rather than rebuilding them per state, is the most efficient path to durable, multistate compliance.