Delaware Personal Data Privacy Act (DPDPA): Complete 2026 Compliance Guide
Delaware’s Privacy Law Is Fully Active in 2026
The Delaware Personal Data Privacy Act (DPDPA) took effect on January 1, 2025, making Delaware one of a growing wave of states with comprehensive data privacy protections. In 2026, the law enters a new phase with two critical changes: controllers must now recognize universal opt-out mechanisms (like Global Privacy Control) as valid consumer requests, and the mandatory 60-day cure period has expired — meaning the Attorney General can now pursue enforcement without first requiring businesses to fix violations.
Who Must Comply with the DPDPA?
The DPDPA applies to businesses that conduct business in Delaware or produce products or services targeted to Delaware residents, and meet at least one of these thresholds:
- Process personal data of 35,000+ Delaware consumers during a calendar year (excluding payment transaction data), OR
- Process personal data of 10,000+ consumers AND derive more than 20% of gross revenue from the sale of personal data
Delaware’s thresholds are notably lower than many states. Compare with our Privacy Law Calculator to see which states’ laws apply to your business.
Exemptions
The DPDPA exempts several categories of entities and data:
- Entity exemptions: State and local government agencies, financial institutions subject to GLBA, entities subject to HIPAA, nonprofit organizations, institutions of higher education, National Securities Association members, and insurance companies
- Data exemptions: Data governed by HIPAA, GLBA, FCRA, FERPA, DPPA, COPPA, the Farm Credit Act, and certain employment and B2B data processed in those contexts
Consumer Rights Under the DPDPA
Delaware residents have these rights under the DPDPA:
- Right to confirm and access — Confirm whether a controller is processing their personal data and access that data
- Right to correct — Request correction of inaccurate personal data
- Right to delete — Request deletion of personal data provided by or obtained about the consumer
- Right to data portability — Obtain a copy of personal data in a portable, readily usable format
- Right to opt out — Opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects
- Right to list of third parties — Obtain a list of categories of third parties to whom the controller has disclosed personal data
Controllers must respond to consumer requests within 45 days, with one 45-day extension if reasonably necessary. Controllers must provide an appeals process — if denied, consumers can appeal and must receive a response within 60 days.
Key Business Obligations
Privacy Notices
Controllers must provide a clear, accessible privacy notice that includes: categories of personal data processed, purposes of processing, how consumers can exercise their rights, categories of data shared with third parties, and contact information for the controller.
Data Minimization
Controllers may only collect personal data that is adequate, relevant, and reasonably necessary for the disclosed processing purposes. Processing for purposes incompatible with the disclosed purpose requires fresh consumer consent.
Sensitive Data Consent
Processing sensitive data requires the consumer’s affirmative consent. Sensitive data under the DPDPA includes: racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, personal data of a known child, and precise geolocation data (within 1,750 feet).
Universal Opt-Out Mechanism (New in 2026)
As of January 1, 2026, controllers must recognize universal opt-out mechanisms — such as Global Privacy Control (GPC) — as valid consumer requests to opt out of targeted advertising and data sales. This is a critical new requirement. Use our GPC Compliance Checker to verify your readiness.
Data Protection Assessments
Controllers must conduct data protection assessments for processing activities that present a heightened risk of harm, including: targeted advertising, sale of personal data, certain profiling activities, processing sensitive data, and any processing involving a significant risk of injury to consumers.
Processor Contracts
When engaging data processors, controllers must establish contracts that specify: processing instructions, data confidentiality obligations, deletion or return of data at contract end, audit cooperation requirements, and subprocessor notification obligations.
Minor Protections
The DPDPA requires opt-in consent for the sale of personal data or targeted advertising for consumers the controller knows to be between ages 13 and 17. For children under 13, parental consent is required consistent with COPPA.
Enforcement and Penalties
The Delaware Department of Justice (AG’s office) has exclusive enforcement authority. There is no private right of action.
- Penalties: Up to $10,000 per violation
- Cure period: The original 60-day cure period expired on December 31, 2025. As of January 1, 2026, the AG may — but is not required to — provide an opportunity to cure before enforcement.
The expiration of the mandatory cure period means the AG can now take direct enforcement action. View our Enforcement Tracker for the latest penalties across all states.
How Delaware Compares to Other State Privacy Laws
Delaware’s DPDPA shares similarities with Connecticut’s CTDPA while incorporating elements from newer state laws:
- Thresholds: Delaware uses 35K/10K+20% thresholds — similar to Rhode Island and lower than states like Virginia (100K) or Colorado (100K)
- Cure period: Delaware’s cure period has sunset, similar to Colorado and Rhode Island, while states like New Hampshire still have 60 days
- Universal opt-out: Required in 2026, joining California, Colorado, Connecticut, Montana, and Texas
- Third-party list: Delaware uniquely requires controllers to provide consumers a list of categories of third parties who received their data
Use our State Comparison Tool to compare Delaware with other states side by side.
8-Step DPDPA Compliance Plan
- Determine applicability — Use our Privacy Law Calculator to check if you meet Delaware’s thresholds (35K consumers or 10K + 20% revenue from data sales)
- Implement universal opt-out recognition — Detect and honor GPC signals and other universal opt-out mechanisms as of January 2026. Use our GPC Checker to verify.
- Update your privacy notice — Ensure it covers all DPDPA requirements, including categories of data collected, processing purposes, consumer rights, and third-party sharing categories
- Build consumer rights processes — Establish intake, verification, fulfillment, and appeals workflows. Respond within 45 days with one 45-day extension available.
- Obtain sensitive data consent — Implement opt-in consent for processing sensitive data categories, including precise geolocation
- Conduct data protection assessments — Perform DPAs for high-risk processing activities and maintain documentation
- Review processor contracts — Update agreements with all vendors and data processors to meet DPDPA requirements
- Implement minor protections — Ensure opt-in consent mechanisms for data sales and targeted advertising for 13–17-year-olds
For a detailed walkthrough, see our Delaware Compliance Checklist.
This article provides general educational information and is not legal advice. Consult qualified legal counsel for guidance specific to your organization. Last updated: March 28, 2026.