Delaware Data Privacy Laws: DPDPA Consumer Rights Guide (2026)

Delaware joined the growing list of states with comprehensive consumer data privacy legislation when Governor John Carney signed House Bill 154 on September 11, 2023. The Delaware Personal Data Privacy Act (DPDPA) took effect on January 1, 2025, and it stands out among state privacy laws for several reasons.
The DPDPA features one of the lowest applicability thresholds in the nation, applies to nonprofits and institutions of higher education, and provides an expansive definition of sensitive data. This guide explains how the law works, who it covers, and what rights it grants to Delaware residents.
Overview of the Delaware Personal Data Privacy Act
The DPDPA is codified as Chapter 12D of Title 6 of the Delaware Code. It was introduced as HB 154 by Representative Griffith and passed both chambers of the Delaware General Assembly in 2023. Governor Carney signed the bill into law on September 11, 2023, making Delaware the 12th state to enact a comprehensive consumer data privacy law.

The Act establishes a framework that gives Delaware consumers meaningful control over their personal data. It requires businesses that meet certain thresholds to provide transparency about data collection practices, honor consumer rights requests, and implement reasonable data security measures.
Unlike many other state privacy laws, the DPDPA does not grant rulemaking authority to the Attorney General. The law is enforced as written, without additional regulatory guidance through formal rulemaking procedures.
Who Must Comply: Applicability Thresholds
The DPDPA applies to persons who conduct business in Delaware or produce products and services targeted to Delaware residents. To trigger compliance obligations, a business must also meet one of two thresholds during the preceding calendar year under Section 12D-103.
The 35,000-Consumer Threshold
The first threshold requires that the entity controlled or processed the personal data of at least 35,000 consumers, excluding data processed solely to complete a payment transaction. This threshold stands out because it has no accompanying revenue requirement.
Most other state privacy laws set their thresholds at 100,000 consumers. Delaware's 35,000-consumer threshold means that significantly smaller businesses fall within the law's scope. Only New Hampshire matches this low threshold among comprehensive state privacy laws.
The 10,000-Consumer Revenue Threshold
The second threshold applies to entities that controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data. This provision targets data brokers and businesses whose core model depends on selling consumer information.
Nonprofits and Higher Education
One of the most distinctive features of the DPDPA is its applicability to nonprofit organizations and institutions of higher education. Most state privacy laws exempt nonprofits entirely. Delaware takes a different approach.
The DPDPA applies to 501(c)(3), 501(c)(4), 501(c)(6), and 501(c)(12) nonprofit organizations. Only narrow exemptions exist for nonprofits that exclusively work to prevent insurance crime and for personal data collected by organizations that serve victims or witnesses of domestic violence, sexual assault, stalking, or human trafficking.
Institutions of higher education are explicitly excluded from the government entity exemption. This means that colleges and universities operating in Delaware must comply with the DPDPA if they meet the applicability thresholds. Currently, only Colorado and Oregon have similarly broad nonprofit coverage among state privacy laws.
Exempt Entities
The DPDPA does exempt certain entities, including state and local government bodies, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), entities covered by the Health Insurance Portability and Accountability Act (HIPAA), and national securities associations registered under the Securities Exchange Act of 1934.
Consumer Rights Under the DPDPA
The DPDPA grants Delaware residents a robust set of rights over their personal data under Section 12D-104. These rights apply when a consumer interacts with a controller that meets the applicability thresholds.
Right to Access
Consumers can confirm whether a controller is processing their personal data and access the specific data being processed. This right gives consumers visibility into what information businesses hold about them.
Right to Correct
Consumers can request corrections to inaccurate personal data. Controllers must take reasonable steps to correct the information, considering the nature of the data and the purpose of its processing.
Right to Delete
Consumers can request that a controller delete the personal data it has collected about them. This includes data the controller obtained from the consumer directly as well as data obtained from other sources.
Right to Data Portability
Consumers can obtain a copy of their personal data in a portable, readily usable format that allows transfer to another controller without hindrance. This right supports consumer choice and data mobility.
Right to Know Third-Party Recipients
The DPDPA includes a right that not all state privacy laws provide. Consumers can request a list of the categories of third parties to which a controller has disclosed their personal data. This transparency measure helps consumers understand the full scope of data sharing.
Right to Opt Out
Consumers can opt out of three specific types of processing:
- Targeted advertising. Using personal data to display ads selected based on data obtained from the consumer's activities across different businesses, websites, or applications.
- Sale of personal data. Exchanging personal data for monetary or other valuable consideration to third parties.
- Profiling. Automated processing that produces legal effects or effects of similar significance concerning the consumer.
Response Timeline
Controllers must respond to consumer rights requests within 45 days. This period may be extended by an additional 45 days when reasonably necessary, provided the controller informs the consumer of the extension and the reason for it.
Controllers must provide at least one method for submitting requests that is consistent with how consumers normally interact with the business. According to the Delaware Attorney General's FAQ portal, businesses must include an easily accessible link on their website for opt-out requests.
Sensitive Data Protections
The DPDPA takes a notably broad approach to defining sensitive data under Section 12D-102. Controllers must obtain opt-in consent before processing any category of sensitive data.
Categories of Sensitive Data
The DPDPA defines sensitive data as personal data that reveals or contains:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health condition or diagnosis
- Sex life or sexual orientation
- Status as transgender or nonbinary
- Citizenship or immigration status
- Genetic data
- Biometric data used to identify an individual
- Personal data of a known child under 13
- Precise geolocation data
The inclusion of transgender or nonbinary status and citizenship or immigration status sets the DPDPA apart from most other state privacy laws. Only Oregon includes similar categories in its sensitive data definition.
Consent Requirements
Processing sensitive data requires affirmative, freely given, specific, informed, and unambiguous consent from the consumer. Controllers cannot use dark patterns or manipulative design techniques to obtain this consent. A clear opt-in mechanism must be presented before any sensitive data processing begins.
Children's Data Protections
The DPDPA provides layered protections for minors that go beyond what many state privacy laws require.
Children Under 13
Personal data of a known child under 13 years of age is automatically classified as sensitive data. This means controllers must obtain verifiable parental consent before processing it. The DPDPA specifies that compliance with the federal Children's Online Privacy Protection Act (COPPA) satisfies the parental consent requirement under state law.
Teenagers Aged 13 to 17
For consumers between 13 and 17 years old, controllers face additional restrictions. They cannot process a teenager's personal data for targeted advertising or sell a teenager's personal data without obtaining opt-in consent directly from the minor.
This means businesses must have age-verification mechanisms in place and cannot rely on default opt-in for teen data used in advertising. The teenager must affirmatively agree before their data can be used for these purposes.
Universal Opt-Out Mechanism Requirement
One of the forward-looking provisions of the DPDPA is its requirement for universal opt-out mechanism recognition under Section 12D-106(e).
What It Requires
Beginning January 1, 2026, controllers must recognize and honor opt-out preference signals sent by a platform, technology, or mechanism on behalf of consumers. The most widely recognized example is the Global Privacy Control (GPC), a browser-level signal that communicates a consumer's opt-out preferences automatically.
Technical Requirements
The universal opt-out mechanism must meet several criteria. It must not unfairly disadvantage other controllers. It must represent an affirmative, freely given choice by the consumer. It must be consumer-friendly and easy to use. And it must be consistent with similar mechanisms required under other state privacy laws.
When a controller receives a valid opt-out signal, the controller must treat the signal as a valid request to opt out of targeted advertising and the sale of personal data. Controllers cannot require consumers to verify the signal through additional steps.
Controller and Processor Obligations
The DPDPA establishes clear obligations for both controllers (entities that determine the purposes and means of processing) and processors (entities that process data on behalf of controllers).
Controller Duties
Controllers must comply with several requirements under Section 12D-106:
- Data minimization. Limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purpose.
- Purpose limitation. Process personal data only for purposes that are reasonably necessary and compatible with the purposes disclosed to the consumer.
- Security measures. Implement reasonable administrative, technical, and physical data security practices appropriate to the volume and sensitivity of the data.
- Privacy notices. Provide accessible, clear privacy notices that disclose the categories of data processed, the purposes of processing, how consumers can exercise their rights, the categories of third parties that receive data, and the categories of data shared with third parties.
- Non-discrimination. Refrain from processing personal data in a way that discriminates against consumers who exercise their privacy rights.
Processor Duties
Processors must follow the controller's instructions, maintain confidentiality obligations for personnel handling data, delete or return all personal data upon contract termination, cooperate with controller assessments, and contractually require subcontractors to meet the same obligations.
Data Protection Assessments
Controllers that process the personal data of 100,000 or more consumers must conduct data protection assessments under Section 12D-108 when engaging in:
- Targeted advertising
- Sale of personal data
- Profiling that presents a reasonably foreseeable risk of harm
- Processing sensitive data
These assessments must weigh the benefits of processing against potential risks to consumers and document the safeguards in place.
Enforcement and Penalties
The Delaware Attorney General holds exclusive enforcement authority over the DPDPA under Section 12D-111. There is no private right of action, meaning individual consumers cannot file lawsuits under the Act.
Civil Penalties
Violations of the DPDPA are treated as unlawful practices under Delaware's consumer protection laws. Each violation can result in civil penalties of up to $10,000. The Attorney General may also seek injunctive relief and restitution on behalf of affected consumers.
Cure Period (Expired)
From January 1, 2025, through December 31, 2025, the DPDPA included a mandatory 60-day cure period. During this window, if the Attorney General determined that a violation was curable, the controller received written notice and 60 days to remedy the issue before enforcement action.
As of January 1, 2026, the mandatory cure period has expired. The Attorney General now has full discretion in deciding whether to offer a cure opportunity. Factors considered include the number of violations, the size and complexity of the entity, the nature and extent of the processing activity, the likelihood of harm to consumers, and whether the controller has demonstrated good faith compliance efforts.
Complaints
Delaware residents who believe their privacy rights have been violated can file complaints with the Department of Justice at privacy@delaware.gov.
Delaware Data Breach Notification Law
Separate from the DPDPA, Delaware has a data breach notification law codified in Chapter 12B of Title 6 of the Delaware Code. This law predates the DPDPA and addresses a different aspect of data protection.
What Triggers Notification
Under Section 12B-102, a breach of security is defined as the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. Encrypted data is generally excluded unless the encryption key was also compromised.
Personal information under the breach notification law includes a resident's name combined with Social Security numbers, driver's license numbers, financial account numbers with security codes, passport numbers, login credentials, medical information, health insurance identifiers, biometric data, or taxpayer identification numbers.
Notification Timeline
Entities must notify affected Delaware residents without unreasonable delay, but no later than 60 days after determining that a breach occurred. If more than 500 Delaware residents are affected, the entity must also notify the Attorney General within the same timeframe.
Credit Monitoring Requirements
When a breach involves Social Security numbers, the breached entity must offer affected residents free credit monitoring services for at least one year. The notification must include enrollment information and guidance on placing a credit freeze.
Enforcement
The Attorney General can pursue legal action against entities that fail to comply with breach notification requirements and seek direct economic damages on behalf of affected consumers.
Interaction with Federal Privacy Laws
The DPDPA includes exemptions for data already regulated by certain federal laws. Understanding these carve-outs is important for businesses that handle multiple types of regulated data.
HIPAA
Protected health information governed by the Health Insurance Portability and Accountability Act is exempt from the DPDPA. Covered entities and business associates handling health data under HIPAA do not need to apply DPDPA requirements to that specific data, though other personal data they process may still fall under the state law.
GLBA
Financial institutions subject to the Gramm-Leach-Bliley Act are exempt at the entity level. This is a broader exemption than some states provide, as it covers the entire institution rather than just the financial data.
COPPA
The DPDPA explicitly recognizes COPPA compliance. Controllers who obtain verifiable parental consent in accordance with COPPA's requirements are considered compliant with the DPDPA's consent requirements for children's data.
FERPA
Data regulated by the Family Educational Rights and Privacy Act is exempt under the DPDPA's data-type exemptions. However, institutions of higher education are not exempt as entities. A university must comply with the DPDPA for non-FERPA data while continuing to follow FERPA for educational records.
Compliance Guidance for Businesses
Businesses preparing for DPDPA compliance should take several practical steps.
Assess Applicability
Determine whether your organization meets either the 35,000-consumer or the 10,000-consumer-plus-revenue threshold. Remember that the 35,000 threshold counts Delaware consumers whose data you control or process, excluding payment-only transactions.
Update Privacy Notices
According to the Delaware AG's guidance, privacy notices must clearly state that they apply to Delaware residents. Vague language such as "you may have rights" is insufficient. Notices must use plain, straightforward language and be accessible on all devices, including accommodations for individuals with disabilities.
Implement Consumer Rights Mechanisms
Establish processes to receive, verify, and respond to consumer rights requests within the 45-day timeframe. Provide methods consistent with how consumers interact with your business.
Prepare for Universal Opt-Out
As of January 1, 2026, controllers must honor universal opt-out signals like Global Privacy Control. Implement technical systems to detect and process these signals without requiring additional consumer action.
Review Data Processing for Sensitive Categories
Audit your data collection practices for the DPDPA's broad sensitive data categories. Implement opt-in consent mechanisms for any sensitive data processing, particularly for categories that set Delaware apart, like transgender or nonbinary status and citizenship or immigration status.
Conduct Data Protection Assessments
If you process data of 100,000 or more consumers and engage in targeted advertising, data sales, profiling, or sensitive data processing, complete the required data protection assessments.
This article is for informational purposes only and does not constitute legal advice. Data privacy laws are subject to legislative amendments, regulatory guidance, and evolving judicial interpretation. Consult a qualified attorney licensed in Delaware for advice specific to your situation. Last reviewed: March 2026.
Sources and References
- Delaware Personal Data Privacy Act - Del. Code tit. 6, ch. 12D (delcode.delaware.gov)
- HB 154 Bill Detail - Delaware General Assembly (legis.delaware.gov)
- Delaware AG Personal Data Privacy Portal - FAQs (attorneygeneral.delaware.gov)
- AG Jennings Announces New Data Privacy Rights (news.delaware.gov)
- Delaware Data Breach Notification Law - Del. Code tit. 6, ch. 12B (delcode.delaware.gov)
- AG Portal - Security Breach Notification (attorneygeneral.delaware.gov)
- DPDPA Implementation Notice Letter (attorneygeneral.delaware.gov)