The Delaware Personal Data Privacy Act (DPDPA) was signed into law by Governor John Carney in September 2023. The DPDPA provides Delaware residents with new privacy rights, including the ability to access, correct, delete, and opt out of the sale or use of their personal data for targeted advertising. Businesses must comply with requirements like obtaining explicit consent for sensitive data processing, maintaining transparent privacy notices, and ensuring strong data security practices.
What Is the Delaware Personal Data Privacy Act (DPDPA)?
The Delaware Personal Data Privacy Act (DPDPA) is a state law effective January 1, 2025, that grants residents rights over their personal data and imposes obligations on businesses to ensure transparency, consent for sensitive data, and robust security measures, fostering responsible data practices.
Why was the DPDPA passed?
The Delaware Personal Data Privacy Act (DPDPA) was passed to address growing concerns over data privacy, empower residents with greater control over their personal information, and ensure businesses adopt responsible data practices. It aligns Delaware with other states prioritizing transparency and consumer rights in the digital age.
What makes the DPDPA unique?
The Delaware Personal Data Privacy Act (DPDPA) is unique because it includes nonprofits and institutions of higher education, unlike most state privacy laws. It also provides special protections for minors under 18, requiring parental consent for those under 13 and direct consent from teens aged 13-17 for targeted advertising or data sales.
Understanding critical terminology in the Delaware Personal Data Privacy Act is essential for compliance. The key terms, as defined in Section 12D-102 of the DPDPA, are:
Affiliate: Entities under shared control or branding.
Biometric Data: Unique biological identifiers (e.g., fingerprints) used for identification.
Consumer: Delaware residents, excluding those in a commercial or employment role.
Controller: Determines the purpose and means of personal data processing.
Personal Data: Information linked to an identifiable individual, excluding public or de-identified data.
Processing: Any operation on personal data, manual or automated.
Processor: Handles data on behalf of a controller.
Sale of Data: Exchange of personal data for value, with specific exclusions.
Sensitive Data: Includes racial, health, biometric, or precise location data, requiring consent for processing.
Who must comply with the DPDPA?
The DPDPA applies to businesses that:
Process the personal data of 35,000 or more Delaware consumers annually; or
Derive 20% or more of revenue from selling personal data and process data for at least 10,000 consumers.
“Consumer” means an individual who is a resident of this State. “Consumer” does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit organization, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit organization, or government agency.
The DPDPA exempts specific entities and types of data to avoid redundancy with existing laws and regulations. Unlike many state privacy laws, the Delaware data privacy law also includes most nonprofits and institutions of higher education. Exemptions apply to specific nonprofits, such as those combating insurance fraud or supporting crime victims.
Entity Exemptions
The DPDPA does not apply to:
Government entities – State and local government bodies.
Financial institutions – Entities covered by the Gramm-Leach-Bliley Act (GLBA).
Healthcare organizations – HIPAA-covered entities and their business associates.
Specific educational institutions – Entities regulated by the Family Educational Rights and Privacy Act (FERPA).
Specific nonprofit organizations – Certain organizations under Section 501(c) of the Internal Revenue Code: nonprofits exclusively dedicated to preventing and addressing insurance crime, and those collecting data related to victims or witnesses of certain crimes (such as domestic violence or stalking).
Data Exemptions
The following data is excluded from DPDPA requirements:
Publicly available data – Information available through government records or public sources.
Employment-related data – Data collected in an employment context.
Business-to-business (B2B) data – Information from business communications or transactions.
De-identified or aggregated data – Data that cannot be linked to an individual.
Data regulated by other federal laws – Includes data under the FCRA, Driver’s Privacy Protection Act, and Farm Credit Act.
These exemptions focus the DPDPA on protecting consumer privacy without overlapping with existing federal laws.
Key provisions of the DPDPA
1. Consumer rights
The DPDPA grants Delaware residents these rights:
Access: Request a copy of personal data collected about them.
Correct: Update inaccurate or incomplete data.
Delete: Remove personal data from a business’s systems.
Portability: Obtain personal data in a transferable format.
Opt out: Decline targeted advertising, data sales, or profiling decisions.
Is the DPDPA opt-in or opt-out?
The Delaware Personal Data Privacy Act (DPDPA) is primarily opt-out, allowing consumers to opt out of data sales, targeted advertising, and profiling. However, for sensitive data, it is opt-in, requiring explicit consumer consent before processing.
Additionally, under the Delaware data privacy law, minors under 18 have specific opt-in requirements:
Children Under 13: Businesses must obtain verifiable parental consent before collecting or processing their personal data, following federal COPPA guidelines.
Teens Aged 13-17: Businesses must obtain direct consent from minors before processing their personal data for targeted advertising or selling it.
2. Business obligations
Transparency: Provide a clear and accessible privacy notice outlining data processing practices.
Data minimization: Limit personal data collection to what is adequate, relevant, and necessary for stated purposes.
Security measures: Implement appropriate safeguards to protect personal data.
Consent for sensitive data: Obtain explicit consent for processing sensitive data (e.g., health, biometric, or racial/ethnic information).
3. Sensitive data
Includes information such as race, ethnicity, religious beliefs, sexual orientation, health conditions, genetic or biometric data, and precise geolocation.
Under the Delaware Personal Data Privacy Act businesses must:
Provide transparency: Offer clear privacy notices detailing data collection, usage, sharing practices, and consumer rights.
Enable consumer rights: Allow consumers to access, correct, delete, and obtain copies of their personal data. Provide opt-out options for data sales, targeted advertising, and profiling.
Obtain consent for sensitive data: Secure explicit consent before processing sensitive data, including racial or ethnic origin, religious beliefs, health information, sexual orientation, citizenship or immigration status, genetic or biometric data, and precise geolocation data.
Ensure data minimization: Collect only data that is adequate, relevant, and reasonably necessary for disclosed purposes.
Maintain security: Implement reasonable administrative, technical, and physical safeguards to protect personal data.
Facilitate consumer requests: Respond to consumer requests regarding their data within 45 days and provide an appeal process for denied requests.
“I am confident Delaware businesses will take their new personal data privacy obligations seriously, and our Consumer Protection Unit is working hard to help them prepare (...). Businesses should begin taking an inventory of the personal data they collect from Delawareans and discussing compliance with their own legal counsel to put in policies and procedures to ensure they are in compliance with the law.”
These requirements aim to protect consumer privacy while ensuring business accountability.
Penalties for non-compliance
Fines
Under the DPDPA, businesses that violate its provisions may face civil penalties of up to $10,000 per violation.
Cure Period
Initially, the DPDPA provides a 60-day period for businesses to address and rectify violations upon receiving notice from the Delaware Department of Justice. This opportunity to cure is available until December 31, 2025. After this date, granting a cure period becomes discretionary, depending on the nature and scope of the violation.
It's important to note that enforcement authority rests exclusively with the Delaware Department of Justice; the DPDPA does not establish a private right of action for consumers.
To avoid penalties, businesses should ensure compliance with the DPDPA's requirements, including transparency in data practices, honoring consumer rights, and implementing robust data security measures.
The impact of the DPDPA on businesses
The Delaware Personal Data Privacy Act introduces both opportunities and challenges for businesses as they adapt to its requirements. Compliance not only ensures adherence to the law but also offers a chance to strengthen consumer relationships and competitive positioning.
Opportunities
Consumer trust: Compliance enhances brand credibility and fosters trust among Delaware residents.
Competitive edge: Early adopters can differentiate themselves and align with broader U.S. privacy trends.
Efficiency: Data minimization leads to streamlined processes and reduced data management costs.
Legal clarity: Clear guidelines simplify adaptation and reduce uncertainty.
Interstate alignment: Preparing for the DPDPA helps businesses comply with similar state laws.
Challenges
Compliance costs: Investments in systems for consumer rights, consent management, and data protection are significant.
Operational changes: Revising data collection and handling workflows can disrupt current operations.
Consent complexity: Managing consent for sensitive data (e.g., health or biometric) requires robust processes.
Penalties: Non-compliance risks fines up to $10,000 per violation, alongside reputational damage.
Resource strain: Smaller businesses meeting thresholds may face greater challenges adapting to the requirements.
Adopting a proactive approach can turn compliance into an opportunity for growth and consumer engagement.
The impact of the DPDPA on consumers
The Delaware privacy law enhances consumer privacy and control over personal data. Key impacts include:
Empowered rights
Consumers can access, correct, delete, and obtain a copy of their personal data.
Opt-out options for targeted ads, data sales, and profiling ensure greater control over how their data is used.
“Delawareans deserve to have their private data protected and to have a say in how it is shared. Thanks to the upcoming implementation of the Delaware Personal Data Privacy Act, we will be able to do just that(...)”
| Law | Who it covers | Effective date | Key provisions | Penalties |
|---|---|---|---|---|
| Delaware (DPDPA) | Entities conducting business in Delaware or targeting Delaware residents, processing data of ≥35,000 consumers, or ≥10,000 consumers with >20% revenue from data sales | January 1, 2025 | Rights to access, correct, delete, and obtain personal data; opt-out of targeted advertising, data sales, and profiling; opt-in consent required for sensitive data; data protection assessments mandated | Up to $10,000 per violation; enforced by the Delaware Department of Justice with a 60-day cure period, sunsetting on December 31, 2025 |
| Colorado (CPA) | Colorado residents | July 1, 2023 | Opt-out for targeted advertising; sensitive data consent; data protection assessments | Up to $20,000 per violation |
| California (CCPA/CPRA) | California residents | January 1, 2023 | Right to access, delete, opt-out; data protection assessments; enforcement includes private right of action | Up to $7,500 per violation |
| Virginia (VCDPA) | Virginia residents | January 1, 2023 | Opt-out rights, data protection assessments, strong consumer rights | Up to $7,500 per violation |
| Texas (TDPSA) | Texas residents | July 1, 2024 | Consumer rights, data protection, opt-out of data sales | Up to $7,500 per violation |
| Oregon (OCPA) | Oregon residents | July 1, 2024 | Strong consumer rights, opt-out options, data minimization | Up to $7,500 per violation |
| Connecticut (CTDPA) | Connecticut residents | July 1, 2023 | Opt-out for targeted ads and data sales; requires data protection assessments; expanded consumer rights | Up to $5,000 per violation |
| Iowa (ICDPA) | Iowa residents | January 1, 2025 | Data protection, opt-out of data sharing | Up to $7,500 per violation |
| Montana (MCDPA) | Montana residents | October 1, 2024 | Consumer rights, opt-out options, sensitive data consent | Up to $7,500 per violation |
| New Jersey (NJDPA) | New Jersey residents | January 15, 2025 | Right to access, correct, delete data; opt-out of targeted advertising | Up to $10,000 per violation |
What makes the DPDPA stand out?
The DPDPA stands out for its broad applicability and unique protections. Unlike many state privacy laws, it includes nonprofits and institutions of higher education, with limited exemptions for certain nonprofits like those addressing insurance fraud or supporting crime victims.
It also provides enhanced protections for minors under 18: businesses must obtain verifiable parental consent for children under 13 and direct consent from teens aged 13-17 before processing their personal data for targeted advertising or data sales.
This dual focus on organizational scope and minor data protection makes the DPDPA distinct in the U.S. privacy law landscape.
How Ketch can simplify DPDPA compliance
Complying with the DPDPA and other state privacy laws can be simpler than you think. The Ketch data permissioning platform helps businesses stay compliant by:
Third-party list export: Ketch makes it easy to export and send consumers a list of the third parties with which you process personal data.
DPDPA policy template: Ketch Consent Management includes a pre-built policy template for the Delaware Personal Data Privacy Act, with the ability to customize rights as desired; no coding is required to make changes.
Right for consumers to opt out: The law permits consumers to opt out of the processing of personal data for the sale of personal data or for targeted advertising. With Ketch Consent Management, businesses can offer clear privacy notices with this option specific to Delaware residents.
Requirement to respect universal opt-out mechanisms (UOOMs): UOOMs are tools a consumer can use to opt out of online personal data processing. The most well-known and recognized example is the Global Privacy Control (GPC). Ketch makes it easy for companies to comply with GPC signals by automatically recognizing GPC in the consumer’s browser. The DPDPA requires UOOM compliance by 2026.
Data subject rights: The law provides consumers with the right to access, correct, delete, and obtain a copy of their personal data. Ketch enables end-to-end DSR fulfillment with capabilities like a drag-and-drop workflow builder, smart routing, and task-level automation.
Final thoughts: Preparing your business for the DPDPA
The Delaware Personal Data Privacy Act represents a significant step forward in data privacy for Delaware residents. By preparing for compliance now, businesses can avoid penalties and build stronger relationships with their affected customers.
Contact Ketch today to streamline your compliance and future-proof your privacy strategy.
Does the DPDPA require businesses to honor universal opt-out signals like Global Privacy Control (GPC)?
Yes, businesses are required to honor universal opt-out mechanisms for targeted advertising and data sales under the DPDPA.
How does the DPDPA define publicly available data?
Publicly available data includes information lawfully available from government records or data the consumer has deliberately made public. Such data is excluded from the law’s scope.
Are loyalty programs affected by the DPDPA?
The DPDPA does not specifically address loyalty programs but requires businesses to disclose data practices associated with such programs in their privacy notices.
Does the DPDPA require a data retention policy?
The DPDPA does not mandate specific retention policies, but the data minimization requirement implies businesses should retain personal data only as long as necessary for stated purposes.
Are businesses required to conduct regular audits for compliance?
The DPDPA does not mandate audits, but businesses are encouraged to periodically review their data practices to ensure compliance with the law.
How does the DPDPA handle pseudonymized data?
Pseudonymized data is not explicitly excluded. If it can reasonably be linked to an individual, it is considered personal data and falls under the law’s scope.
Does the DPDPA require businesses to notify consumers of data breaches?
The DPDPA itself does not include breach notification requirements. Businesses must comply with existing Delaware breach notification laws.
Can businesses charge fees for consumer requests under the DPDPA?
Businesses generally cannot charge fees for fulfilling consumer requests unless the requests are repetitive, excessive, or unfounded.
Does the DPDPA require employee training?
While not explicitly required, employee training on data privacy and handling consumer requests is recommended to ensure compliance.
Are there specific rules for cross-border data transfers?
The DPDPA does not address cross-border data transfers directly, but businesses must maintain transparency and safeguard personal data regardless of location.
Does the DPDPA apply to small businesses?
The Delaware Personal Data Privacy Act generally does not apply to small businesses unless they meet specific thresholds, such as processing personal data for 35,000 or more Delaware residents annually or deriving 20% or more of their revenue from selling personal data while processing data for at least 10,000 consumers. Notably, the DPDPA does not consider an entity’s annual revenue in determining applicability. Therefore, small businesses that meet the above criteria are subject to the DPDPA, regardless of their revenue size.
Matt George is the Data Protection Officer at Ketch. A seasoned privacy attorney with a strong IT and data management background, he is also CIPP/US and CIPP/A certified from IAPP.
Automate your privacy compliance with Ketch
Risk of regulatory action or fine is no longer an unlikely, empty threat—regulators across Europe and now the United States are charging brands with irresponsible handling of consumer data.
Your knowledge of the regulations and requirements for your business may be the difference maker in ensuring your brand reputation stays intact. Ketch can help.