Overview
The Delaware Personal Data Privacy Act (DPDPA) establishes the lowest data volume threshold of any comprehensive U.S. state privacy law, applying to businesses processing personal data of just 35,000 Delaware consumers.
Full Name and Description
Delaware Personal Data Privacy Act (DPDPA): Signed into law on September 11, 2023, the DPDPA becomes effective January 1, 2025. It provides Delaware consumers with comprehensive data rights and imposes obligations on businesses processing their personal data.
Enforcement Date
- Effective Date: January 1, 2025
- Cure Period Expires: December 31, 2025
Governing Body
- Delaware Attorney General: Exclusive enforcement authority
- Delaware Department of Justice: Primary enforcement unit
- No Private Right of Action: Consumers cannot sue directly
Primary Purpose
The DPDPA aims to:
- Extend privacy protections to Delaware's residents
- Establish the most accessible threshold for consumer privacy coverage
- Grant consumers comprehensive rights over their personal data
- Require transparency in data processing practices
Applicability
Who Needs to Comply?
The DPDPA applies to persons that conduct business in Delaware or target products/services to Delaware residents AND:
- Control or process personal data of 35,000+ Delaware consumers (excluding payment-only processing), OR
- Control or process personal data of 10,000+ Delaware consumers AND derive more than 20% of gross revenue from the sale of personal data
Lowest Thresholds in the Nation
| State | Consumer Threshold (standalone / with revenue test) | Revenue Threshold |
|---|---|---|
| Delaware | 35,000 / 10,000 | 20% |
| Montana | 50,000 / 25,000 | 25% |
| Colorado | 100,000 / 25,000 | Any revenue |
| Virginia | 100,000 / 25,000 | 50% |
| Connecticut | 100,000 / 25,000 | 25% |
Delaware's thresholds are designed to capture more businesses despite the state's smaller population.
Key Exemptions
Entity-Level Exemptions:
- State and local government entities
- Financial institutions subject to GLBA
- HIPAA-covered entities and business associates
- Nonprofit organizations
- Higher education institutions
Data-Level Exemptions:
- Employment data
- B2B contact information
- Data subject to HIPAA, GLBA, FCRA, FERPA, COPPA, DPPA
- Publicly available information
What the DPDPA Governs
Types of Data Covered
Personal Data - Information linked or reasonably linkable to an identified or identifiable individual.
Sensitive Data (requires opt-in consent):
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health condition or diagnosis
- Sex life or sexual orientation
- Citizenship or immigration status
- Genetic data
- Biometric data processed for identification
- Known child's personal data
- Precise geolocation data
Consumer Rights Under DPDPA
Delaware consumers have six core rights:
- Right to Access: Confirm processing and access personal data
- Right to Correct: Request correction of inaccurate data
- Right to Delete: Request deletion of personal data
- Right to Portability: Obtain data in a portable, usable format
- Right to Opt-Out: Decline sale, targeted advertising, and profiling
- Right to Third-Party Information: Obtain a list of specific third parties
Like Oregon, Delaware grants consumers the right to obtain specific third-party names, not just categories.
Compliance Requirements
Key Obligations for Controllers
1. Privacy Notice Requirements
Clear, accessible privacy notices must include:
- Categories of personal data processed
- Purposes for processing
- How to exercise consumer rights
- Categories shared with third parties
- Categories of third parties receiving data
- Information about third-party disclosure requests
2. Consumer Request Handling
| Requirement | Timeframe |
|---|---|
| Initial Response | 45 days |
| Extension (reasonably necessary) | Additional 45 days |
| Appeals Response | 60 days |
| Third-Party List Response | 45 days |
3. Data Protection Assessments
Required for:
- Targeted advertising
- Sale of personal data
- Profiling with significant effects
- Sensitive data processing
- Any processing presenting heightened risk
4. Third-Party Tracking
Controllers must maintain records of specific third parties receiving consumer data to fulfill disclosure requests.
Security Requirements
- Implement reasonable administrative, technical, and physical security
- Security appropriate to data volume and sensitivity
Consequences of Non-Compliance
Enforcement Process
- Notice of Violation: AG provides written notice
- Cure Period: 60 days to cure (cure period available until December 31, 2025)
- Post-Cure Period: No cure opportunity after 2025
- Enforcement: Civil action
Penalties and Fines
- Up to $10,000 per violation
- Investigative costs and attorney fees
- Injunctive relief available
Higher Penalty Cap
Delaware's $10,000 per violation penalty is higher than the $7,500 standard in most other states.
Why the DPDPA Exists
Historical Background
- 2023 Legislative Session: Delaware passes HB 154
- September 11, 2023: Governor Carney signs DPDPA
- January 1, 2025: DPDPA takes effect
Distinctive Features
- Lowest thresholds: 35,000/10,000 consumer thresholds
- Lowest revenue percentage: 20% from data sales
- Third-party disclosure right: Specific names required
- Higher penalties: $10,000 per violation
- 60-day appeal response: Extended timeline
Implementation & Best Practices
How to Become Compliant
Step 1: Threshold Analysis
- Count Delaware consumers (lower bar than other states)
- Calculate data sales revenue percentage (20% threshold)
- Document applicability determination
Step 2: Third-Party Tracking System
- Implement detailed third-party sharing records
- Prepare for specific name disclosure requests
- Update records when sharing arrangements change
Step 3: Standard Compliance Framework
- Follow comprehensive state privacy compliance steps
- Implement all consumer rights infrastructure
- Conduct data protection assessments
- Update privacy notices
Special Considerations
Given Delaware's low thresholds:
- More mid-sized businesses may be subject to DPDPA
- The 20% revenue threshold is the lowest among states
- Third-party tracking requirements match Oregon
- Higher penalties ($10,000) warrant careful compliance
Related Regulations
- Oregon OCPA Compliance - Third-party disclosure requirements
- Virginia VCDPA Compliance - Virginia's privacy framework
- Connecticut CTDPA Compliance - Low revenue threshold comparison
- CCPA/CPRA Compliance Guide - California's privacy framework
Conclusion
The Delaware Personal Data Privacy Act sets the most accessible thresholds for comprehensive privacy law coverage in the United States. At just 35,000 consumers (or 10,000 consumers combined with more than 20% of gross revenue from the sale of personal data), more businesses will find themselves subject to Delaware's requirements than under other state laws.
Organizations should carefully assess their Delaware consumer counts and implement third-party tracking systems to comply with the specific disclosure requirements. The higher $10,000 per-violation penalty makes compliance particularly important.