
Delaware Personal Data Privacy Act (DPDPA): What Businesses Need to Know

Published Apr 14, 2026

Delaware's data privacy law came into effect on January 1, 2025, making Delaware the 13th U.S. state to enact comprehensive consumer privacy legislation. The Delaware Personal Data Privacy Act (DPDPA) gives Delaware residents meaningful rights over how their personal data is collected, used, and shared. The DPDPA also places a corresponding set of obligations on the businesses and organizations that process consumers' data.

Notably, the DPDPA's compliance thresholds are among the lowest of any comparable U.S. state privacy law, meaning a wider range of organizations fall within its scope. This overview covers who must comply, what the law requires, how enforcement works, and what has changed since the law took effect.

  • The DPDPA took effect January 1, 2025, making Delaware the 13th U.S. state to enact a comprehensive consumer data privacy law.
  • Compliance thresholds are among the lowest of any comparable U.S. state law: the DPDPA covers controllers processing data on 35,000 or more consumers, or on 10,000 or more consumers while deriving more than 20 percent of gross revenue from personal data sales.
  • Consumers hold rights to access, correction, deletion, portability, disclosure of the categories of third parties that received their data, opt-out of sale, targeted advertising and certain profiling, and nondiscrimination for exercising any of these rights.
  • Sensitive data — including precise geolocation, biometric data, and data revealing transgender or nonbinary status — cannot be processed without prior consent.
  • Controllers must recognize Universal Opt-Out Mechanisms (such as Global Privacy Control) as of January 1, 2026.
  • Delaware’s Attorney General enforces the law: the DPDPA does not specify a civil penalty amount, but by designating violations as unlawful practices under Delaware's Consumer Fraud Act, willful violations can result in civil penalties up to USD 10,000 per violation; cure period is at the DOJ’s discretion; consumers have no private right of action.

Delaware's Place in the U.S. Privacy Landscape

Delaware joined a growing list of states enacting comprehensive consumer data privacy legislation when Governor John Carney signed House Bill 154 into law on September 11, 2023. When the DPDPA took effect on January 1, 2025, Delaware became the 13th state to put a comprehensive privacy framework in place. 

For U.S. businesses operating nationally or internationally, the lack of a single, federal, comprehensive data privacy regulation means potentially managing compliance obligations across multiple jurisdictions simultaneously. 

Delaware's law adds one more layer, and because its compliance thresholds are notably lower than those of its predecessors, it draws in a broader range of organizations than many expect.

The DPDPA is considered one of the more consumer-protective state-level privacy laws in the U.S., though it does not reach the stringency of California's CCPA/CPRA. It covers a wider range of business sizes than laws like Florida's Digital Bill of Rights (FDBR), which primarily targets large platforms, and unlike the Texas Data Privacy and Security Act (TDPSA), it does not exempt small businesses by revenue.


What Is the Delaware Personal Data Privacy Act?

The DPDPA is a consumer-oriented data protection statute designed to give Delaware residents meaningful control over how their personal data is collected, used, and shared. It establishes a comprehensive set of rights for consumers and a corresponding set of obligations for organizations that process personal data.

The law protects "consumers", meaning individuals who are Delaware residents acting in a personal or household capacity, not in a commercial or employment context. It defines data controllers, processors, and the categories of data they handle, and it establishes enforcement authority in the Delaware Attorney General and Department of Justice (DOJ).

The DPDPA follows the opt-out consent model common to most U.S. state privacy laws: businesses can generally collect and process personal data without prior consent, but must give consumers meaningful opportunities to opt out of certain uses, including the sale of personal data, targeted advertising, and certain profiling. Prior opt-in consent is required for sensitive data (a category that includes all personal data of a known child) and, as discussed under purpose limitation below, for processing that goes beyond the purposes originally disclosed to the consumer.

Who Must Comply with the DPDPA?

The DPDPA applies to any person — defined as an individual or entity — that conducts business in Delaware or produces products and services targeted at Delaware residents, and that during the preceding calendar year met at least one of the following thresholds:

  • Controlled or processed the personal data of at least 35,000 consumers (excluding data processed solely to complete a payment transaction), or
  • Controlled or processed the personal data of at least 10,000 consumers and derived more than 20 percent of gross revenue from the sale of personal data.

The 35,000-consumer figure is among the lowest thresholds of any comparable U.S. state privacy law to date. This was a deliberate design choice, given Delaware's population of roughly one million people.

The practical effect is that Delaware's law draws in significantly more small and mid-market businesses relative to the state's population than most comparable laws. Companies that have not historically considered themselves subject to state privacy laws should review these thresholds carefully.

Notably, the DPDPA does not include a revenue-only threshold. A company cannot qualify solely on the basis of annual revenue; it must meet one of the data-volume criteria above.

DPDPA Exemptions

Certain entities and categories of data are exempt from the DPDPA's requirements. Exempt entities include:

  • Governmental agencies (regulatory, administrative, legislative, or judicial bodies)
  • Public health organizations
  • Financial institutions and their affiliates subject to the Gramm-Leach-Bliley Act (GLBA)
  • Press, wire, or other information services, and the non-commercial activities of media entities
  • Nonprofit organizations dedicated exclusively to preventing and addressing insurance crime
  • Nonprofit organizations that provide services to victims of child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking
  • Higher education institutions

Data exempt from the law's scope includes information already governed by the following federal laws:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Fair Credit Reporting Act (FCRA)
  • Driver's Privacy Protection Act
  • Family Educational Rights and Privacy Act (FERPA)
  • Farm Credit Act
  • Airline Deregulation Act

One important nuance: unlike some state laws, the DPDPA does not offer a blanket entity-level exemption for HIPAA-covered entities. Only the specific protected health information governed by HIPAA is exempt. Organizations that handle both HIPAA-regulated data and other categories of personal data may still fall within the DPDPA's scope for the latter. Legal counsel should review this carefully.

Key Definitions Under the DPDPA

Understanding the DPDPA's core definitions is essential to assessing compliance obligations accurately.

Personal Data

Personal data is defined as any information that is linked or reasonably linkable to an identified or identifiable individual. De-identified data and publicly available information are excluded. Common examples include home addresses, driver's license numbers, passport information, financial account numbers, login credentials, and payment card information.

Sensitive Data

Sensitive data is a specific, higher-risk subset of personal data that requires prior consumer consent before processing. Under the DPDPA, sensitive data includes information that reveals:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis, including pregnancy
  • Sex life or sexual orientation, including status as transgender or nonbinary
  • National origin
  • Citizenship or immigration status
  • Genetic or biometric data processed to uniquely identify an individual
  • Personal data collected from a known child (under 13 years of age)
  • Precise geolocation data (within a radius of 1,750 feet)

Delaware's inclusion of transgender or nonbinary gender status as sensitive data was, at the time of the law's passage, shared only with Oregon among U.S. state privacy statutes, though several more states have since adopted this in their privacy laws. 

The DPDPA also provides a specific definition of "genetic data", which was first among comprehensive U.S. state privacy laws at the time of enactment.

The DPDPA aligns with the consent standard established by the EU's General Data Protection Regulation (GDPR): consent must be a clear affirmative act that is freely given, specific, informed, and unambiguous. A written statement (including electronic) or any other unambiguous affirmative action qualifies. 

Consent does not include:

  • Acceptance of general or broad terms of use containing data processing descriptions alongside unrelated information
  • Actions such as hovering, muting, pausing, or closing a piece of content
  • Agreement obtained through the use of dark patterns

Controllers and Processors

A controller is any person or entity that, alone or jointly with others, determines the purpose and means of processing personal data. A processor is any person or entity that processes personal data on behalf of a controller. The distinction matters because each role carries different (though related) compliance obligations under the law.

Profiling

The DPDPA defines profiling as any automated processing performed on personal data to evaluate, analyze, or predict aspects of an individual's economic situation, health, demographic characteristics, personal preferences, interests, reliability, behavior, location, or movements. 

The inclusion of "demographic characteristics" is broader than the profiling definitions in most comparable U.S. state laws, giving Delaware consumers a correspondingly wider right to opt out.

Targeted Advertising

Targeted advertising means displaying advertisements selected based on personal data obtained from a consumer's activities over time and across non-affiliated websites or applications. It does not include ads based solely on the context of the current visit, on-site activity, or direct responses to consumer requests, nor does it include processing purely to measure advertising performance.

Sale of Personal Data

Sale of personal data means the exchange or transfer of personal data for monetary or other valuable consideration to a third party. Excluded from this definition are disclosures to processors acting on the controller's behalf, transfers within affiliated entities, consumer-directed disclosures, publicly available data, and transfers as part of mergers, acquisitions, or bankruptcy proceedings.

Consumer Rights Under the DPDPA

Delaware residents have seven rights under the DPDPA. Controllers must provide accessible mechanisms for consumers to exercise each of these rights:

  • Right to access: Consumers may confirm whether a controller is processing their personal data, and access that data.
  • Right to disclosure: Consumers may request a list of the specific categories of third parties to which their personal data has been disclosed.
  • Right to correction: Consumers may request correction of inaccurate or outdated personal data the controller holds that was provided by the consumer.
  • Right to deletion: Consumers may request deletion of their personal data held by the controller, subject to certain exceptions.
  • Right to portability: Consumers may obtain a copy of their personal data in a readily usable format.
  • Right not to be discriminated against: Controllers cannot deny services, charge different prices, or otherwise penalize consumers for exercising their rights.
  • Right to opt out: Consumers may opt out of the sale of personal data, targeted advertising, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.

Consumers may make one privacy rights request for free every 12 months. Controllers may deny requests that are manifestly unfounded, excessive, or repetitive, but bear the burden of demonstrating this. Controllers can also deny requests by consumers whose identities cannot be reasonably verified.

Businesses must respond to consumer requests within 45 days, with a possible 45-day extension if reasonably necessary. If a request is denied, controllers must provide a clear appeal process; the controller then has 60 days to respond to any appeal.

Consumer Complaints and the Role of the DOJ

Consumers who have an unresolved dispute with a controller may submit a complaint to the Delaware Department of Justice. Controllers are required to direct consumers to this mechanism in their privacy notices and appeals processes.

Coverage for Children

Parents and legal guardians may exercise consumer rights on behalf of children. All personal data of known children is classified as sensitive by default under the DPDPA, meaning prior parental or guardian consent is required before processing. 

The DPDPA defers to the federal Children's Online Privacy Protection Act (COPPA) for definitions and protections, including the definition of a "child" as any person under 13 years of age.


Business Obligations Under the DPDPA

The DPDPA creates a set of concrete obligations for controllers and processors. Organizations that fall within the law's scope should make sure that they have addressed each of the following areas.

Privacy Notice Requirements

Controllers must publish a privacy notice that is reasonably accessible, clear, and meaningful. The notice must include:

  • Categories of personal data collected and processed
  • Purposes for processing
  • Categories of personal data shared with third parties, and the categories of those third parties
  • How consumers can exercise their rights, including opting out
  • How consumers can appeal a controller's decision (e.g., if a data access request is denied)
  • An active email address or other secure, reliable digital contact method for the controller
  • Clear and conspicuous disclosure if the controller sells personal data or uses it for targeted advertising purposes

Data Minimization and Purpose Limitation

Controllers may only process personal data for the purposes disclosed to consumers. That processing must be adequate, relevant, and reasonably necessary in relation to those stated purposes. If the purposes for processing change, controllers must provide new notice. Where relevant, they must also obtain fresh consent for the additional purposes.

Data Security

Controllers must establish and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data they hold. 

This obligation extends to protecting the confidentiality, integrity, and accessibility of that data. Processors are similarly obligated, and their security responsibilities must be formalized contractually before processing begins.

Data Protection Assessments

Controllers that control or process the personal data of 100,000 or more consumers must conduct and document data protection assessments (DPAs) for each processing activity that presents a heightened risk of harm, including:

  • Targeted advertising
  • Processing of sensitive data
  • Sale of personal data
  • Profiling that presents a reasonably foreseeable risk of harm to consumers

This requirement applies only to processing activities created or generated on or after July 1, 2025; it is not retroactive to earlier activities. The Delaware Attorney General may require a controller to disclose a DPA in the course of an investigation.

Prior consent is not required for most data processing under the DPDPA, but it is mandatory for sensitive data and children's data. Where consent is obtained, consumers must be able to revoke it as easily as they gave it. Upon receiving a revocation, controllers must cease processing within 15 days.

In the event of a data subject request or audit, it is also important for controllers to maintain and have available comprehensive and up-to-date records of users’ consent choices over time.

Nondiscrimination

Controllers are prohibited from unlawfully discriminating against consumers who exercise their rights. This includes denying access to a website because a consumer has opted out of data collection. 

However, if certain features depend on specific cookies or trackers to function, and a consumer opts out of those, the resulting limitation is not considered discriminatory. Controllers may offer reasonable, proportionate incentives, such as loyalty program benefits, for voluntary data sharing, but such offers cannot be structured to look like payments for consent.

Third-Party Contracts and Processor Obligations

A binding contract must be in place between a controller and any processor before data processing begins. That contract must specify:

  • A duty of confidentiality
  • Clear instructions for processing, including nature, purpose, type of data, and duration
  • Rights and obligations of both parties
  • Requirements for the processor to delete or return data at the end of services, absent superseding legal obligations
  • The processor's obligation to provide, on request, all information needed to verify compliance
  • Requirements for any subprocessors to comply with the same obligations

Universal Opt-Out Mechanism (UOOM)

As of January 1, 2026, controllers subject to the DPDPA must recognize universal opt-out signals such as the Global Privacy Control (GPC). As of 2026, Delaware is one of 12 states requiring GPC or UOOM recognition. 

GPC enables consumers to set opt-out preferences once, typically in their browser, and have those preferences communicated automatically to every compatible website they visit. This removes the burden on consumers of opting out individually on each site (a visitor with GPC enabled need not interact with a consent banner at all) and places the recognition obligation squarely on controllers.
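The following is an added example of how a controller's web tier can detect and honor a GPC signal; it is not code from the DPDPA text or from Cookiebot. It relies on two facts from the GPC specification: a GPC-enabled browser sends the request header `Sec-GPC: 1`, and exposes `navigator.globalPrivacyControl === true` to page scripts. The purpose names (`sale`, `targeted_advertising`, `profiling`, `measurement`), the tag list, the stored-preference format and the audit record are hypothetical; the sample request is constructed.

```javascript
// Added example, not from the DPDPA or Cookiebot. Assumes the GPC spec's
// "Sec-GPC: 1" request header and navigator.globalPrivacyControl; purpose
// names, tag format and the audit record are hypothetical.

const PURPOSES = ['sale', 'targeted_advertising', 'profiling'];
// GPC expresses an opt-out from sale and targeted advertising only; an opt-out
// from profiling still has to come through the controller's own mechanism.
const GPC_PURPOSES = ['sale', 'targeted_advertising'];

// Server side: true only when the Sec-GPC header is present with the exact
// value "1". Any other value (or no header) is treated as no signal.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client side: pass window.navigator in a browser. The property is a
// boolean, so a string "true" or a missing property does not count.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Merge the consumer's stored choices for this controller with the signal.
// `stored` maps a purpose to 'opt_out' or 'allowed' (hypothetical format);
// an explicit stored opt-out is honored whether or not GPC is present.
function effectiveOptOuts(stored, gpcSignal) {
  const result = {};
  for (const purpose of PURPOSES) {
    const explicit = Boolean(stored && stored[purpose] === 'opt_out');
    const viaSignal = gpcSignal && GPC_PURPOSES.includes(purpose);
    result[purpose] = explicit || viaSignal;
  }
  return result;
}

// Decide which third-party tags may load for one request, and build the
// record a controller should keep of how the choice was applied.
function decideForRequest(req, stored, now = new Date()) {
  const gpc = gpcFromHeaders(req.headers);
  const optOuts = effectiveOptOuts(stored, gpc);
  // Tags whose purpose has no opt-out entry (e.g. measurement) are unaffected.
  const allowedTags = req.tags.filter((t) => !optOuts[t.purpose]);
  const record = {
    ts: now.toISOString(),
    gpc_signal: gpc,
    opt_outs: optOuts,
    blocked: req.tags.filter((t) => optOuts[t.purpose]).map((t) => t.id),
  };
  return { allowedTags, record };
}

// Constructed sample request from a GPC-enabled browser (not real traffic).
const SAMPLE_REQUEST = {
  headers: { 'Sec-GPC': '1', 'User-Agent': 'example-browser' },
  tags: [
    { id: 'ad-pixel', purpose: 'targeted_advertising' },
    { id: 'data-broker', purpose: 'sale' },
    { id: 'risk-score', purpose: 'profiling' },
    { id: 'analytics', purpose: 'measurement' },
  ],
};

// With no stored choices, GPC alone blocks the ad pixel and the broker tag
// but not the profiling or measurement tags.
const sample = decideForRequest(SAMPLE_REQUEST, {}, new Date('2026-01-01T00:00:00Z'));
console.log(JSON.stringify(sample.record));
```

The design choice worth noting: the signal is evaluated per request, on the server, before any tag is emitted, so a consumer's opt-out is honored even when client-side scripts are blocked or slow to load. The record keeps the signal state and the resulting decision together, which is what an auditor or the DOJ will ask for.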

DPDPA Enforcement: What Changed in 2026

The enforcement landscape for the DPDPA has evolved since the law took effect. Two milestones in particular have shifted how businesses should approach their compliance posture going into 2026 and beyond.

Enforcement authority rests exclusively with the Delaware Attorney General and Department of Justice. Consumers do not have a private right of action under the DPDPA, meaning they cannot sue controllers directly, for example, in the event of a data breach. Instead, complaints are submitted to the DOJ, which investigates and may initiate proceedings.

The Cure Period Has Sunset

Until December 31, 2025, the DPDPA required the Attorney General to provide a 60-day cure period before initiating enforcement action. This gave controllers time to fix identified violations before incurring penalties. 

That mandatory cure period expired as of January 1, 2026. The DOJ has full discretion over whether to offer any opportunity to cure, depending on the nature, scope, and severity of the violation. Organizations that relied on the cure period as a compliance buffer no longer have that safety net.

When determining whether and how to enforce, the DOJ weighs factors including the number and nature of violations, the size and complexity of the organization, the likelihood of harm to the public, whether the violation resulted from human or technical error, and the organization's prior compliance history.

Penalties

Violations of the DPDPA constitute a per se violation of Delaware's Consumer Fraud Act (Subchapter II of Chapter 25 of Title 6 of the Delaware Code). The Attorney General may investigate, initiate administrative proceedings, sanction unlawful conduct, and/or seek remedies including:

  • Civil penalties up to USD 10,000 per violation, pursuant to Delaware's Consumer Fraud Act
  • Injunctive relief
  • Restitution
  • Disgorgement of unlawfully obtained gains

There is no cap on the aggregate number of violations that can be charged, meaning that a single non-compliant data processing practice affecting thousands of consumers could, in principle, give rise to thousands of individual violations.

How the DPDPA Is Different from Other U.S. State Privacy Laws

While the DPDPA shares many structural features with other comprehensive U.S. state privacy laws, several provisions set it apart in ways that matter for compliance planning.

The 35,000-consumer threshold is one of the lowest of any comparable U.S. law, drawing in a broader population of businesses, including smaller organizations with significant data processing activity. 

The revenue threshold is also comparatively accessible: deriving 20 percent of gross revenue from data sales while processing 10,000 consumers' data triggers coverage. Laws in states like California or Colorado require higher revenue percentages or larger consumer volumes.

Delaware's definition of profiling is broader than most, explicitly including "demographic characteristics". This gives consumers the right to opt out of a wider range of automated data processing activities.

The right to disclosure — specifically, the right to receive a list of the categories of third parties to whom a controller has disclosed personal data — is found in only a handful of other U.S. state privacy laws. Oregon and Minnesota go further, requiring controllers to name specific third parties; Maryland shares Delaware's narrower formulation.

Nonprofits are generally covered from day one, unlike some state laws (such as Oregon's) that granted nonprofits additional transition time. Organizations in the nonprofit sector should not assume an exemption applies without verifying which, if any, of the specific nonprofit carve-outs they meet.

Finally, the DPDPA does not authorize rulemaking, meaning the law's text is the definitive source of obligations. There is no state privacy agency that will issue clarifying regulations over time, as California's CPPA does. This makes precise statutory interpretation and qualified legal counsel particularly important.

The DPDPA's opt-out framework requires businesses to give consumers clear, accessible, and actionable information about how their data is being processed. They must also have a straightforward mechanism to exercise their choices. A consent management platform (CMP) is one of the most practical tools available to help achieve this.

Cookiebot by Usercentrics scans websites automatically to identify cookies and tracking technologies in use, categorizes them, and surfaces them to users in a transparent consent banner. 

For a DPDPA-subject organization, this directly addresses the law's requirement to provide consumers with clear, granular information about the categories of data collected, the specific services involved, and the third parties with whom data is shared.

Cookiebot CMP also supports the management of consent preferences across multiple regulations simultaneously, which is essential for businesses operating in several U.S. states or internationally. 

Geotargeting capabilities enable the CMP to present region-specific consent experiences in the user's preferred language, ensuring that both opt-out obligations under Delaware's law and opt-in requirements under frameworks like the GDPR are handled correctly for each visitor.

As of January 1, 2026, the DPDPA requires controllers to recognize the Global Privacy Control signal and other universal opt-out mechanisms. Cookiebot by Usercentrics supports GPC recognition, enabling businesses to honor browser-level opt-out preferences automatically and without requiring consumers to navigate each site individually.

For organizations managing compliance across multiple U.S. states, the patchwork nature of state-level privacy law makes a centralized, adaptable consent infrastructure a practical necessity. See the Cookiebot guide to U.S. data privacy laws for a broader overview of the landscape.

Preparing for DPDPA Compliance: A Practical Checklist

This section is not legal advice; organizations should consult qualified privacy counsel for a compliance program tailored to their specific operations. That said, the following steps represent the core areas any DPDPA-subject business should address.

A review against the DPDPA's compliance thresholds should be the starting point. If your organization processes data on 35,000 or more Delaware residents, or on 10,000 or more while deriving more than 20 percent of gross revenue from personal data sales, it is in scope. This is a lower bar than many businesses assume.

Once scope is confirmed, organizations should audit their data processing activities: 

  • What personal data is collected
  • What the processing purposes are
  • How long data is retained and how it is deleted/anonymized
  • Which third parties receive data 

Such audits should be conducted regularly as business operations, technologies in use, and regulatory requirements change. The inventory forms the foundation for a compliant privacy notice and for the data protection assessments now required for activities created or generated on or after July 1, 2025.

Privacy notices should be reviewed against the DPDPA's specific requirements, particularly the obligation to disclose the categories of third parties to whom data has been shared, and to provide a clear contact mechanism (such as a verified email address) for consumer requests. Opt-out links must be clear and conspicuous on the website.

Consumer rights request processes — covering access, correction, deletion, portability, and opt-out — should be documented and tested. Response timelines (45 days, extendable by 45 days) and the appeal procedure (60-day response window) must be built into operational workflows.

Data processing agreements with all processors must be reviewed or established. If processors engage subprocessors, the chain of contractual obligations must extend to them as well.

With the mandatory cure period now expired, organizations should treat DPDPA enforcement as fully active. The January 1, 2026 universal opt-out deadline means GPC recognition is now an immediate operational requirement, not a future obligation.


Frequently asked questions

Does the DPDPA apply to my business if I'm not based in Delaware?

Yes, the DPDPA applies to any organization that conducts business in Delaware or produces products or services targeted at Delaware residents, regardless of where the organization is headquartered. If you meet one of the two processing thresholds (35,000 consumers, or 10,000 consumers plus more than 20 percent of gross revenue from data sales), you are subject to the law.

When did the DPDPA take effect, and what changed in 2026?

The DPDPA took effect January 1, 2025. Two significant provisions came into force on January 1, 2026: the mandatory 60-day cure period expired (cure is now at the DOJ's discretion), and controllers became required to recognize universal opt-out mechanisms such as the Global Privacy Control signal.

What is the difference between the DPDPA's consumer threshold and those in other state laws?

At 35,000 consumers (for the primary threshold), Delaware's bar is one of the lowest among the comparable comprehensive state privacy laws in the U.S.

What are the DPDPA's penalties for non-compliance?

Violations are treated as a per se violation of Delaware's Consumer Fraud Act. The Attorney General may seek civil penalties of up to USD 10,000 per violation, plus injunctive relief, restitution, and disgorgement. There is no cap on the aggregate number of violations.

Does the DPDPA cover nonprofits?

Generally, yes, with two specific exceptions. Nonprofits dedicated exclusively to preventing and addressing insurance crime, and nonprofits providing services to victims of child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking are exempt. Other nonprofit organizations are covered from the law's effective date.

How does the DPDPA handle the Global Privacy Control signal?

From January 1, 2026, controllers subject to the DPDPA are required to recognize Universal Opt-Out Mechanisms, including the Global Privacy Control (GPC). GPC is a browser-level signal consumers can enable to communicate a blanket opt-out from data sales and targeted advertising. Cookiebot by Usercentrics supports GPC recognition natively.

Can I use a single privacy notice for multiple U.S. state privacy laws?

Yes, many organizations do. Delaware's DOJ has acknowledged that businesses commonly use a single privacy notice or addendum to address multiple state laws, and considers this acceptable as long as the notice includes all elements specifically required by the DPDPA. Legal review of any combined notice is advisable.