Delaware Personal Data Privacy Act: A Plain-English Guide
DPDPA explained for small businesses: low thresholds, consumer rights, penalties, and a compliance checklist for Delaware's 2025 privacy law.
Last updated: 2026-02-08
Delaware may be famous as America's corporate home state, but its privacy law is aimed squarely at businesses of all sizes -- including yours. The Delaware Personal Data Privacy Act (DPDPA) took effect on January 1, 2025, and it carries some of the lowest applicability thresholds in the country. If you process data from even a modest number of Delaware residents, you may be in scope. Paired with similar low-threshold laws in New Hampshire and Rhode Island, the DPDPA signals a clear trend: state legislatures are making sure smaller businesses cannot ignore consumer privacy. This guide explains what the DPDPA requires, who needs to comply, and exactly what steps your business should take.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the Delaware Personal Data Privacy Act (Del. Code Ann. title 6, chapter 12D), as of the date of publication.
Does the DPDPA Apply to Your Business?
The DPDPA applies to businesses that conduct business in Delaware or produce products or services targeted to Delaware residents, and meet at least one of two thresholds:
- Control or process the personal data of at least 35,000 Delaware consumers during a calendar year (excluding data processed solely to complete a payment transaction).
- Control or process the personal data of at least 10,000 Delaware consumers and derive more than 20% of gross revenue from the sale of personal data.
Delaware has a population of roughly 1 million residents. That means 35,000 consumers represents about 3.5% of the state's population. For any business with meaningful online reach, this threshold is surprisingly easy to hit.
Consider this scenario: an online retailer with a national audience serves 1.5 million unique visitors per year. If about 2.5% of those visitors are from Delaware, that is approximately 37,500 consumers -- above the threshold. A SaaS company with 200,000 active users might have 7,000 to 10,000 in Delaware, and if data monetization represents more than 20% of revenue, the second threshold applies.
Compared to California's CCPA, which requires $25 million in revenue or 100,000 consumers, Delaware's thresholds bring significantly more businesses into scope. The 20% revenue figure on the second prong is also more aggressive than the 50% used by Virginia and several other states.
The DPDPA exempts state and local government entities, nonprofits, higher education institutions, entities and data regulated by HIPAA, and financial institutions regulated under the Gramm-Leach-Bliley Act. Data subject to certain federal laws such as the Fair Credit Reporting Act and the Driver's Privacy Protection Act is also exempt.
Notably, the DPDPA does not exempt small businesses based on revenue or employee count. If you meet the data processing thresholds, you are covered regardless of your company's size.
What Rights Do Consumers Have?
The DPDPA grants Delaware residents a robust set of privacy rights. These are broadly consistent with the framework established by Connecticut and Maryland, but every detail matters when you are building your compliance process.
Consumers can request access to the personal data a controller has collected about them. They can request correction of inaccurate personal data. They can request deletion of their personal data. They have the right to data portability, allowing them to obtain their data in a portable, commonly used format. They can opt out of the sale of personal data, opt out of targeted advertising, and opt out of profiling that produces legal or similarly significant effects.
| Right | Granted? | Notes |
|---|---|---|
| Access | Yes | Consumer can request all personal data a controller holds |
| Correction | Yes | Consumer can correct inaccurate personal data |
| Deletion | Yes | Consumer can request erasure of their personal data |
| Portability | Yes | Data must be provided in a readily usable format |
| Opt-out of sale | Yes | Consumer can prohibit the sale of their data |
| Opt-out of targeted advertising | Yes | Consumer can opt out of targeted ads |
| Opt-out of profiling | Yes | Limited to profiling with legal or significant effects |
| Private right of action | No | Only the Attorney General can bring enforcement actions |
You have 45 days to respond to a consumer request, with an extension of up to 45 additional days if reasonably necessary. You must notify the consumer of any extension and the reason within the initial 45-day period. If you decline a request, you must explain why and inform the consumer of their right to appeal. A denied appeal must include instructions for filing a complaint with the Delaware Attorney General.
The DPDPA also requires businesses to recognize universal opt-out mechanisms such as Global Privacy Control (GPC). This means your website must technically support and honor browser-level opt-out signals -- a requirement that can catch businesses off guard if they have not prepared for it.
What Your Business Must Do
The DPDPA requires more than just responding to requests. Several proactive obligations apply to covered businesses.
Privacy notice: You must provide a reasonably accessible and clear privacy notice. It must disclose the categories of personal data processed, the purposes of processing, how consumers can exercise their rights, the categories of data shared with third parties, and the identity of those third parties. You must clearly state if you sell personal data or process it for targeted advertising.
Data minimization: You may only collect personal data that is adequate, relevant, and reasonably necessary for the purposes you have disclosed. Collecting data "just in case" or for undefined future purposes is not compliant.
Purpose limitation: You cannot process personal data for purposes beyond those disclosed to the consumer, unless you obtain their consent for the additional processing.
Reasonable security: You must implement and maintain reasonable administrative, technical, and physical data security practices proportionate to the volume and sensitivity of the personal data you process. The law does not specify particular security controls, but the "reasonableness" standard means you should be able to demonstrate that your practices are appropriate.
Consent for sensitive data: Processing sensitive personal data requires opt-in consent. Sensitive data under the DPDPA includes data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status, genetic or biometric data, personal data from a known child, and precise geolocation data.
Data protection assessments: The DPDPA requires you to conduct and document data protection assessments for activities that present a heightened risk of harm. This includes targeted advertising, the sale of personal data, processing sensitive data, and profiling activities. These assessments must weigh the benefits of the processing against the potential risks to consumers.
Processor contracts: Written agreements are required with any processor handling personal data on your behalf. These contracts must specify the data being processed, the duration and purpose of processing, the type of data involved, and the rights and obligations of both parties.
Universal opt-out support: Your website and applications must recognize and honor universal opt-out preference signals. This is a technical requirement that requires integration with tools like Global Privacy Control.
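The universal opt-out requirement above (and the same point under "What Rights Do Consumers Have?") is the one obligation on this page that lives in code. As an added example that is not from the article, this shows how a site can detect a Global Privacy Control signal on both sides: the `Sec-GPC: 1` request header on the server and `navigator.globalPrivacyControl` in the browser. The Express-style middleware and the `req.user.optOut` field are assumptions standing in for your own stack.

```javascript
// Added example: honoring Global Privacy Control (GPC) opt-out signals.
// GPC is conveyed two ways: the HTTP request header "Sec-GPC: 1" and,
// in the browser, navigator.globalPrivacyControl === true.
// Express-style req/res/next and req.user.optOut are assumptions here.

// True when the request carries a GPC opt-out signal. Node lowercases
// header names, so check the lowercase key first. The spec defines the
// literal value "1" as the only meaningful value; anything else is "no signal".
function hasGpcSignal(headers) {
  const value = headers['sec-gpc'] ?? headers['Sec-GPC'];
  return typeof value === 'string' && value.trim() === '1';
}

// Combine a stored consumer preference (e.g. an account setting) with the
// browser signal. The signal can only tighten the outcome, never loosen it:
// a stored opt-out stays in force even if the header is absent.
function buildPrivacyDecision(headers, storedOptOut = false) {
  const optedOut = storedOptOut || hasGpcSignal(headers);
  return {
    optedOut,
    // Sale of personal data and targeted advertising are both opt-out
    // rights under the DPDPA, so both are suppressed together.
    allowTargetedAds: !optedOut,
    allowDataSale: !optedOut,
    // Processing needed to complete a transaction continues regardless.
    allowEssential: true,
  };
}

// Hypothetical Express-style middleware: attaches the decision to the
// request so templates and tag loaders can consult req.privacy.
function gpcMiddleware(req, res, next) {
  req.privacy = buildPrivacyDecision(req.headers, req.user?.optOut === true);
  // Cached responses differ by signal, so declare the dependency.
  res.setHeader('Vary', 'Sec-GPC');
  next();
}

// Browser-side counterpart for a tag loader: fire third-party ad tags only
// when neither the browser flag nor the server decision says opt-out.
function shouldLoadAdTags(nav, serverDecision) {
  const browserSignal = Boolean(nav) && nav.globalPrivacyControl === true;
  return !browserSignal && serverDecision.allowTargetedAds;
}
```

Because the signal is honored per request, a visitor who enables GPC mid-session is opted out on their next page load without any further action on your side.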
How Is the DPDPA Enforced?
The DPDPA is enforced exclusively by the Delaware Attorney General (Del. Code Ann. title 6, section 12D-110). There is no private right of action. Individual consumers cannot sue your business directly for DPDPA violations.
The law originally included a 60-day cure period, which gave businesses 60 days to remedy identified violations after receiving notice from the Attorney General. However, this cure period sunset on January 1, 2026. As of that date, the Attorney General can bring enforcement actions without first offering an opportunity to cure. This is a significant change -- businesses that have been relying on the cure period as a safety net should be aware that it no longer applies.
Violations of the DPDPA are treated as violations of Delaware's consumer protection statute. The Attorney General can seek injunctive relief and civil penalties of up to $10,000 per violation. For systemic violations affecting many consumers, penalties could be substantial. A processing practice that violates the law across 5,000 consumer records could theoretically result in $50 million in penalties.
While enforcement is still in its early stages, the Delaware Attorney General's office has demonstrated interest in data privacy enforcement, and the removal of the cure period signals a shift toward more aggressive oversight.
How the DPDPA Compares to Other State Laws
Delaware belongs to a cohort of states with low applicability thresholds, alongside Maryland, New Hampshire, and Rhode Island. For comparison with a more established framework, here is how Delaware stacks up against Connecticut and Maryland.
| Feature | Delaware (DPDPA) | Maryland (MODPA) | Connecticut (CTDPA) |
|---|---|---|---|
| Effective date | January 1, 2025 | October 1, 2025 | July 1, 2023 |
| Consumer threshold | 35,000 | 35,000 | 100,000 |
| Lower threshold (with revenue %) | 10,000 + 20% revenue | 10,000 + 20% revenue | 25,000 + 25% revenue |
| Right to access | Yes | Yes | Yes |
| Right to delete | Yes | Yes | Yes |
| Right to correct | Yes | Yes | Yes |
| Opt-out of sale | Yes | Yes | Yes |
| Universal opt-out required | Yes | Yes | Yes |
| Cure period | 60 days (sunset Jan 2026) | None | 60 days (sunset Jan 2025) |
| Private right of action | No | No | No |
| Max penalty per violation | $10,000 | $10,000 | $5,000 |
| Enforced by | Attorney General | Attorney General | Attorney General |
The pattern is clear: states are converging on lower thresholds, universal opt-out requirements, and expiring cure periods. If your business is already compliant with the DPDPA, extending to New Hampshire and Rhode Island requires only minor adjustments. And if you are compliant with California's CCPA, you already have most of the foundational pieces in place.
Action Checklist for Small Businesses
Follow these steps to build your DPDPA compliance program:
- Determine if the law applies. Count how many Delaware consumers' data you process annually. Check both the 35,000-consumer threshold and the 10,000-consumer-plus-revenue threshold.
- Inventory your data. Map what personal data you collect from Delaware consumers, where it is stored, the purposes for collecting it, and who it is shared with.
- Update your privacy notice. Ensure your privacy notice includes all DPDPA-required disclosures: data categories, processing purposes, consumer rights, third-party sharing, and data sale or targeted advertising disclosures.
- Build a consumer request workflow. Set up processes for intake, identity verification, processing, and response for all seven consumer rights within the 45-day deadline.
- Implement universal opt-out support. Configure your website to detect and honor Global Privacy Control and similar universal opt-out preference signals.
- Get consent for sensitive data. If you process sensitive data categories, implement an opt-in consent flow before processing begins.
- Conduct data protection assessments. Document assessments for targeted advertising, data sales, sensitive data processing, and profiling activities.
- Review and update vendor contracts. Ensure all processor agreements include DPDPA-compliant terms covering data processing scope, duration, purpose, and responsibilities.
- Train your team. Everyone who handles consumer data or privacy requests should understand the DPDPA's requirements and your internal response process.
- Act now -- the cure period is gone. The 60-day cure period sunset on January 1, 2026. There is no longer a grace period for fixing violations. Your compliance program needs to be fully operational today.
Key Dates
- September 2023: DPDPA signed into law by Governor John Carney.
- January 1, 2025: DPDPA took effect.
- January 1, 2026: 60-day cure period sunset -- Attorney General can now enforce without offering a cure opportunity.
References
- Delaware Personal Data Privacy Act (DPDPA): Del. Code Ann. title 6, chapter 12D (full text available on the Delaware General Assembly website).
- Delaware Department of Justice (official website).
- Maryland Online Data Privacy Act (MODPA): Md. Code Ann., Com. Law sections 14-4601 through 14-4616.
- Connecticut Data Privacy Act (CTDPA): Conn. Gen. Stat. sections 42-515 through 42-525.
- New Hampshire Privacy Act (NHPA): N.H. Rev. Stat. Ann. chapter 507-H.
- Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA): R.I. Gen. Laws chapter 6-48.1.
Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.