PrivacyLawMap
DE

Delaware Privacy Law

Delaware Personal Data Privacy Act

Effective: January 1, 2025Active

Overview

The Delaware Personal Data Privacy Act (DPDPA) was signed into law on September 11, 2023, and became effective on January 1, 2025. Delaware adopted a consumer-friendly approach with relatively low applicability thresholds, broad consumer rights, and a requirement to honor universal opt-out mechanisms starting in 2026. The DPDPA provides Delaware consumers with comprehensive privacy rights, including the right to access, correct, delete, and port personal data, as well as opt-out rights for data sales, targeted advertising, and profiling. The law includes an appeals process and requires data protection assessments. Delaware's lower thresholds mean that more businesses are covered compared to many other state privacy laws. The law applies to entities conducting business in Delaware or targeting Delaware consumers that control or process personal data of 35,000 or more consumers (excluding payment transaction data), or control or process personal data of 10,000 or more consumers while deriving more than 20% of gross revenue from the sale of personal data. The DPDPA includes a 60-day cure period and penalties of up to $10,000 per violation, enforced by the Delaware Attorney General.

Applicability Thresholds

Conditions are joined by OR meeting ANY one triggers applicability.

35,000+
Delaware consumers' data processed
10,000+ consumers
AND 20%+ revenue from data sales

Consumer Rights

Right to Access
Right to Delete
Right to Correct
Data Portability
Opt-Out of Sale
Opt-Out of Targeted Ads
Opt-Out of Profiling
Limit Sensitive Data Use
Right to Appeal
Private Right of Action

Key Changes in 2025-2026

  • Universal opt-out mechanism requirement takes effect January 1, 2026
  • Continued enforcement and guidance from Delaware AG
  • Lower thresholds mean broader business coverage in the corporate-friendly state
  • Potential amendments as Delaware evaluates enforcement experience

Enforcement Details

Enforced By
Delaware Attorney General
Penalty Per Violation
$10,000
Cure Period
60 days
Private Right of Action
No — AG enforcement only

Sensitive Data Categories

Consent model: opt-in

Racial or ethnic originReligious beliefsMental or physical health diagnosisSexual orientationCitizenship or immigration statusBiometric data for identification

Universal Opt-Out / GPC Requirements

GPC / Universal Opt-Out Required

Starting January 1, 2026, businesses must recognize and honor universal opt-out mechanisms such as Global Privacy Control (GPC) for opt-out of data sales and targeted advertising.

Effective: January 1, 2026

Minor / Child Protections

The DPDPA requires opt-in consent for processing personal data of known children under 13. For teens aged 13-17, the law requires consent before processing data for targeted advertising or data sales.

Compliance Checklist

  1. 1Assess applicability — note the lower thresholds of 35,000 consumers or 10,000+ with 20% data sale revenue
  2. 2Prepare to implement universal opt-out signal recognition by January 1, 2026
  3. 3Update privacy notices with all DPDPA-required disclosures
  4. 4Implement consumer rights request mechanisms with 45-day response period
  5. 5Obtain opt-in consent for processing sensitive personal data
  6. 6Conduct data protection assessments for high-risk processing activities

Delaware Privacy Law FAQ

Official Resources

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.