Delaware Data Privacy Laws: DPDPA Consumer Rights Guide (2026)

The Delaware Personal Data Privacy Act (6 Del. C. ch. 12D) took effect January 1, 2025, and gives Delaware residents the right to access, correct, delete, and port their personal data, and to opt out of targeted advertising. Businesses that process data on 35,000 or more Delaware consumers must comply.

Delaware enacted the most ambitious consumer data privacy statute on the East Coast when Governor John Carney signed House Bill 154 on September 11, 2023. The Delaware Personal Data Privacy Act (DPDPA) took effect January 1, 2025, making Delaware the 13th state in the nation to enact a comprehensive consumer data privacy law.

Three features set the DPDPA apart from most state privacy laws. First, its 35,000-consumer applicability threshold is among the lowest in the country, bringing substantially smaller businesses within scope than laws in California, Virginia, or Texas. Second, the law applies to nonprofits and institutions of higher education. Third, the sensitive data definition reaches categories that most other states do not specifically address, including transgender or nonbinary status and citizenship or immigration status.

This guide explains every layer of Delaware's data privacy framework: the DPDPA, the Delaware Online Privacy and Protection Act, the data breach notification law, and the federal statutes that overlay all three.

Jurisdiction scope: This article covers Delaware state data privacy laws, primarily the DPDPA (6 Del. C. ch. 12D), the Delaware Online Privacy and Protection Act (6 Del. C. ch. 12C), and the Delaware data breach notification law (6 Del. C. ch. 12B). It also addresses applicable federal laws including HIPAA, GLBA, COPPA, FCRA, and the TAKE IT DOWN Act. It does not address Delaware recording consent law; for that, see Delaware recording laws.

Overview of the Delaware Personal Data Privacy Act

The DPDPA is codified as Chapter 12D of Title 6 of the Delaware Code, spanning sections 12D-101 through 12D-114. House Bill 154, introduced by Representative Griffith, passed both chambers of the Delaware General Assembly in 2023. Governor Carney signed the bill on September 11, 2023.

The Act gives Delaware consumers meaningful control over their personal data. It requires covered businesses to be transparent about collection practices, honor consumer rights requests within defined timelines, and maintain reasonable data security. It establishes a tiered structure: controllers (entities that decide the purposes and means of processing) carry the primary compliance burden; processors (entities processing on behalf of controllers) carry contractual and subcontractor-management duties.

Unlike California's CCPA, the DPDPA does not grant rulemaking authority to any state agency. The law is enforced as written by the Attorney General, without the formal regulatory guidance process that California's Privacy Protection Agency uses to issue binding rules.

Who Must Comply: Applicability Thresholds

The DPDPA applies to persons who conduct business in Delaware or produce products and services targeted to Delaware residents and who meet at least one data-volume threshold during the preceding calendar year under 6 Del. C. § 12D-103.

The 35,000-Consumer Threshold

The first threshold applies when an entity controls or processes the personal data of at least 35,000 consumers, excluding data processed solely to complete a payment transaction. No revenue requirement accompanies this threshold.

Most state privacy laws set their primary threshold at 100,000 consumers. Delaware's 35,000-consumer floor means meaningfully smaller businesses fall within scope. New Hampshire sets the same 35,000 threshold; no other comprehensive state privacy law currently goes lower.

The 10,000-Consumer Revenue Threshold

The second threshold applies to entities that control or process the personal data of at least 10,000 consumers and derive more than 20% of gross annual revenue from selling personal data. This provision primarily captures data brokers and business models built on selling consumer information.

Pending Amendment: HB 380

House Bill 380, introduced in the 153rd General Assembly, would amend the DPDPA to lower the primary threshold from 35,000 to 15,000 consumers. The House Technology Committee voted 4-0 to advance HB 380 on April 21, 2026. Consumer Reports and the Electronic Privacy Information Center (EPIC) filed letters of support. The bill also proposes expanding the sensitive data definition and tightening data protection assessment requirements.

HB 380 had not passed the full House or been signed into law as of May 2026. Businesses should monitor its progress; if enacted, the lower threshold would extend DPDPA obligations to a significantly larger universe of entities operating in Delaware.

Nonprofits and Higher Education

The DPDPA's applicability to nonprofits is one of its most distinctive features. Most state privacy laws exempt 501(c)(3) organizations entirely. Delaware applies the DPDPA to 501(c)(3), 501(c)(4), 501(c)(6), and 501(c)(12) nonprofit organizations, subject only to narrow exceptions for nonprofits that exclusively prevent insurance crime and those serving victims of domestic violence, sexual assault, stalking, or human trafficking.

Institutions of higher education are also covered because they fall outside the government entity exemption. Colleges and universities that meet the applicability thresholds must comply with the DPDPA for personal data that is not protected by FERPA. Only Colorado and Oregon have similarly broad nonprofit coverage among comprehensive state privacy laws.

Exempt Entities

The DPDPA exempts state and local government bodies; financial institutions subject to the Gramm-Leach-Bliley Act (GLBA); entities covered by HIPAA; and national securities associations registered under the Securities Exchange Act of 1934. Data-type exemptions apply to protected health information under HIPAA, financial data under GLBA, and educational records under FERPA.

Consumer Rights Under the DPDPA

Section 12D-104 grants Delaware residents six core rights over their personal data.

Right to access. Consumers can confirm whether a controller processes their personal data and access the specific data being processed.

Right to correct. Consumers can request corrections to inaccurate personal data. Controllers must take reasonable steps to correct information, accounting for the nature and purpose of the data.

Right to delete. Consumers can request deletion of personal data the controller collected, whether obtained directly from the consumer or from other sources.

Right to data portability. Consumers can obtain a copy of their personal data in a portable, readily usable format that allows transfer to another controller without hindrance.

Right to know third-party recipients. Under § 12D-104(a)(6), consumers can request a list of the categories of third parties to which a controller has disclosed their personal data. This right is absent from several other state privacy laws.

Right to opt out. Consumers can opt out of three processing types: targeted advertising (ads selected based on cross-context behavioral data), sale of personal data (exchange for monetary or other valuable consideration), and profiling that produces legal or similarly significant effects.

Response Timeline

Controllers must respond to consumer rights requests within 45 days. A single 45-day extension is available when reasonably necessary, provided the controller notifies the consumer of the extension and explains the reason. The Delaware Attorney General's FAQ portal specifies that controllers must include an easily accessible opt-out link on their website.

Sensitive Data Protections

Section 12D-102 defines sensitive data broadly. Controllers must obtain opt-in consent before processing any sensitive data category.

The DPDPA's sensitive data categories include:

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health condition or diagnosis
• Sex life or sexual orientation
• Status as transgender or nonbinary
• Citizenship or immigration status
• Genetic data
• Biometric data used to identify an individual
• Personal data of a known child under 13
• Precise geolocation data

The inclusion of transgender or nonbinary status and citizenship or immigration status distinguishes the DPDPA from nearly all other state privacy laws. Only Oregon includes comparable categories.

Consent for sensitive data processing must be affirmative, freely given, specific, informed, and unambiguous. Controllers cannot use dark patterns or deceptive design techniques to obtain consent.

If HB 380 is enacted, the sensitive data definition would expand further. The bill proposes adding reproductive or sexual health information, financial data, and certain biometric characteristics. Businesses should watch for final legislative text.

Children's Data Protections

The DPDPA layers children's protections on top of federal COPPA requirements, extending obligations beyond what federal law requires.

Under 13. Personal data of a known child under 13 is automatically sensitive data. Controllers must obtain verifiable parental consent before processing it. Compliance with COPPA's verifiable parental consent requirements satisfies this state requirement under § 12D-102.

Ages 13 to 17. Controllers cannot process a teenager's personal data for targeted advertising, nor sell a teenager's personal data, without first obtaining opt-in consent directly from the minor. Age-verification mechanisms are necessary to operationalize this requirement. The teenager must affirmatively agree before their data is used for targeted advertising or sale.

This protection for 13-to-17-year-olds goes beyond COPPA, which only covers children under 13. Businesses that serve teen audiences in Delaware must treat minor-to-17 data differently from adult data.

Delaware Online Privacy and Protection Act

Separate from the DPDPA, Delaware enacted the Online Privacy and Protection Act (DOPPA), codified at 6 Del. C. ch. 12C, effective January 1, 2016.

DOPPA has three distinct components.

Marketing restrictions for minors under 18. Operators of websites, online services, apps, and mobile applications directed to children may not market or advertise products or services in certain restricted categories. Those categories include alcoholic beverages, tobacco, firearms, fireworks, tanning equipment, lotteries, body piercing, tattoos, and drug paraphernalia. Unlike COPPA's under-13 scope, DOPPA applies to anyone under 18.

Privacy policy requirements. Commercial websites, online services, and apps that collect personal information from Delaware residents must maintain and post a privacy policy. The policy must identify the types of personal information collected, describe the categories of third parties with whom it is shared, and explain how users can review and request changes to their information.

Student data protection. The Student Data Privacy Protection Act, part of the DOPPA framework, restricts how operators of educational technology services may use student data. Operators serving K-12 schools cannot use student data for targeted advertising, sell student information, or build advertising profiles of students except for authorized school purposes.

Businesses that collect data from Delaware residents online, and especially those whose services reach users under 18 or the K-12 education market, must layer DOPPA compliance onto their DPDPA analysis.

Universal Opt-Out Mechanism Requirement

Section 12D-106(e) requires controllers to recognize universal opt-out preference signals. This requirement took effect January 1, 2026 and is now in force.

When a consumer uses a browser extension or platform configured to send a Global Privacy Control (GPC) signal or similar mechanism, the controller must treat that signal as a valid opt-out request for targeted advertising and data sales. Controllers cannot require additional verification steps, cannot ignore the signal, and cannot create barriers that disadvantage consumers who exercise this preference.

The opt-out mechanism must be consumer-friendly, represent an affirmative and freely given choice, and be consistent with similar mechanisms recognized by other state privacy laws. Delaware's requirement aligns with California, Colorado, Connecticut, and Montana, all of which mandate GPC recognition.

Controller and Processor Obligations

Section 12D-106 sets out the duties of controllers.

Data minimization. Controllers must limit personal data collection to what is adequate, relevant, and reasonably necessary for the disclosed purpose.

Purpose limitation. Personal data may be processed only for purposes that are reasonably necessary and compatible with those disclosed to the consumer.

Security measures. Controllers must implement reasonable administrative, technical, and physical data security practices appropriate to the volume and sensitivity of data processed.

Privacy notices. Notices must disclose the categories of data processed, the purposes of processing, how consumers can exercise their rights, the categories of third parties that receive the data, and the categories of data shared with those third parties.

Non-discrimination. Controllers may not process personal data in a way that unlawfully discriminates against consumers who exercise their privacy rights.

Processors must follow controller instructions, maintain confidentiality obligations for personnel who handle data, delete or return all personal data upon contract termination, cooperate with controller assessments, and require subcontractors to meet the same obligations by contract.

Data Protection Assessments

Controllers that process the personal data of 100,000 or more consumers must conduct data protection assessments under § 12D-108 when engaging in targeted advertising, selling personal data, profiling that poses a foreseeable risk of harm, or processing sensitive data. Assessments must weigh the benefits of processing against the potential risks to consumers.

Enforcement and Penalties

Section 12D-111 grants exclusive enforcement authority to the Delaware Attorney General. There is no private right of action.

Civil Penalties

Each violation of the DPDPA constitutes an unlawful practice under Delaware's consumer protection laws. The Attorney General may seek civil penalties of up to $10,000 per violation, injunctive relief, and restitution on behalf of affected consumers. Because each consumer affected can constitute a separate violation, total exposure can accumulate quickly for systemic noncompliance.

Cure Period: Now Expired

From January 1, 2025, through December 31, 2025, a mandatory 60-day cure period applied. If the Attorney General determined a violation was curable, the controller received written notice and 60 days to remedy the issue before any enforcement action could proceed.

The mandatory cure period expired December 31, 2025. As of January 1, 2026, the Attorney General has full discretion in deciding whether to offer a cure opportunity. Factors the AG considers include the number of violations, the size and complexity of the entity, the nature and extent of the processing activity, the likelihood of harm to consumers, and whether the controller has demonstrated good faith compliance efforts.

As of May 2026, the Delaware Department of Justice has not publicly announced formal enforcement actions under the DPDPA. The AG's office has focused its early-enforcement posture on outreach, compliance education through its Personal Data Privacy Portal, and published consumer guidance. Businesses should treat the absence of announced actions as reflecting an early enforcement phase, not a signal that enforcement is unlikely.

Filing a Complaint

Delaware residents who believe their rights have been violated can file complaints with the Department of Justice at privacy@delaware.gov.

Delaware Data Breach Notification Law

Delaware's data breach notification law, 6 Del. C. ch. 12B, predates the DPDPA and addresses a separate set of obligations.

What triggers notification. Under § 12B-102, a "breach of security" is the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. Encrypted data is generally excluded unless the encryption key was also compromised.

Personal information under the breach notification law means a resident's name combined with Social Security numbers, driver's license numbers, financial account numbers with security codes, passport numbers, login credentials, medical information, health insurance identifiers, biometric data, or taxpayer identification numbers.

Notification timeline. Entities must notify affected Delaware residents without unreasonable delay, and no later than 60 days after determining that a breach occurred. Notification to the Attorney General is also required within 60 days when more than 500 Delaware residents are affected.

Credit monitoring. When a breach involves Social Security numbers, the breached entity must offer affected residents free credit monitoring for at least one year, including enrollment information and guidance on placing a credit freeze.

Enforcement. The Attorney General may pursue legal action against entities that fail to comply and seek direct economic damages on behalf of affected consumers.

Interaction with Federal Privacy Laws

The DPDPA coordinates with several federal regimes. Understanding which federal law governs a particular data type is essential for businesses with multi-jurisdictional operations.

HIPAA. Protected health information governed by HIPAA is exempt from the DPDPA at the data level. Covered entities and business associates handling health data under HIPAA do not need to apply DPDPA requirements to that specific data, though other personal data they collect may still fall under state law.

GLBA. Financial institutions subject to the Gramm-Leach-Bliley Act are exempt at the entity level. This is broader than some states: the exemption covers the entire institution, not just its financial data.

COPPA. The DPDPA explicitly recognizes COPPA compliance. Verifiable parental consent obtained under COPPA satisfies the DPDPA's consent requirements for personal data of children under 13.

FERPA. Educational records protected by the Family Educational Rights and Privacy Act are exempt at the data level. However, institutions of higher education are not entity-exempt. A university must comply with the DPDPA for non-FERPA data while continuing to follow FERPA for educational records.

FCRA. Consumer reporting data governed by the Fair Credit Reporting Act is exempt from DPDPA requirements at the data level.

FTC Act Section 5. The Federal Trade Commission may take action against deceptive or unfair data practices by Delaware businesses independently of the DPDPA, under its general authority to police unfair or deceptive acts and practices in commerce. FTC enforcement is not limited to entities meeting DPDPA thresholds.

TAKE IT DOWN Act: Federal Criminal Prohibition on Nonconsensual Intimate Images

The federal TAKE IT DOWN Act, Pub. L. 119-12, was signed by President Trump on May 19, 2025. It creates a federal criminal prohibition that applies in Delaware and every other state.

Criminal prohibition. The Act makes it a federal crime to knowingly publish or threaten to publish nonconsensual intimate images (NCII), including AI-generated deepfakes, of adults or minors. Penalties reach two years' imprisonment for adult victims and three years for minors.

Platform takedown obligations. Covered platforms (websites and mobile applications that host user-generated content) must implement a notice-and-removal process. Upon receiving a valid takedown notice, a platform must remove the intimate image "as soon as possible" and no later than 48 hours after receiving the notice. This obligation became effective May 19, 2026. The Federal Trade Commission enforces the platform requirements.

Interaction with Delaware law. Delaware already criminalizes nonconsensual pornography under its own statutes. The TAKE IT DOWN Act adds a parallel federal criminal layer and a new platform-accountability mechanism. Businesses operating content platforms serving Delaware users must implement compliant notice-and-removal processes.

Delaware's Role as Incorporation State

Delaware is the state of incorporation for more than 60% of Fortune 500 companies and a majority of publicly traded corporations in the United States. This creates a practical compliance consideration: a company incorporated in Delaware but headquartered elsewhere must determine whether it conducts business in Delaware or produces products and services targeted to Delaware residents within the meaning of the DPDPA.

Incorporation alone does not trigger DPDPA obligations. The jurisdictional hook is market-facing activity, not the location of the certificate of incorporation. A company incorporated in Delaware but with no Delaware consumer base and no Delaware-targeted products does not meet the DPDPA's applicability requirement. Conversely, a company incorporated elsewhere that actively markets to Delaware residents and processes data on 35,000 or more of them does come within scope.

This distinction is particularly relevant for early-stage companies that incorporate in Delaware for legal flexibility but whose customer base is entirely outside the state.

Compliance Steps for Businesses

Businesses preparing for or auditing DPDPA compliance should work through several core steps.

Assess applicability. Determine whether the organization meets either the 35,000-consumer or the 10,000-consumer-plus-revenue threshold. The 35,000 threshold excludes data processed solely to complete payment transactions. Monitor HB 380: if the threshold drops to 15,000, re-run the analysis.

Update privacy notices. The Delaware AG's guidance is specific: notices must state clearly that they apply to Delaware residents, use plain and accessible language, and avoid vague formulations like "you may have rights." Notices must be accessible on all devices and accommodate individuals with disabilities.

Build consumer rights workflows. Establish systems to receive, authenticate, and respond to access, correction, deletion, portability, and opt-out requests within 45 days. The response channel must be consistent with how consumers typically interact with the business.

Honor GPC signals. As of January 1, 2026, controllers must detect and process Global Privacy Control signals as valid opt-out requests for targeted advertising and data sales. No additional consumer action can be required.

Audit sensitive data practices. Map all data collection against the DPDPA's sensitive data categories, including the Delaware-specific categories of transgender or nonbinary status and citizenship or immigration status. Implement opt-in consent workflows for any sensitive data processing.

Complete data protection assessments. If the organization processes data of 100,000 or more consumers and engages in targeted advertising, data sales, profiling, or sensitive data processing, conduct the required assessments documenting benefit-versus-risk analysis and safeguards.

Layer DOPPA compliance. If the organization operates a website or app collecting personal information from Delaware residents, post a compliant privacy policy. If the service is directed to users under 18 or serves K-12 schools, apply DOPPA's marketing restrictions and student data protections on top of DPDPA compliance.

Implement TAKE IT DOWN Act processes. If the organization operates a platform hosting user-generated content, implement a notice-and-removal process for nonconsensual intimate images and deepfakes. The platform obligation became effective May 19, 2026.

How Delaware Residents Can Exercise Their Rights

Delaware residents can exercise their DPDPA rights by contacting any covered controller directly. Controllers must provide at least one mechanism consistent with their normal consumer interaction channels.

If a controller denies a rights request, consumers can appeal the denial. Controllers must maintain an appeals process and must respond to appeals within 60 days.

Consumers who believe their rights have been violated and were unable to resolve the issue with the controller directly can file a complaint with the Delaware Department of Justice's privacy team at privacy@delaware.gov or through the Personal Data Privacy Portal.

In-depth guides

• What Is the DPDPA? Delaware Personal Data Privacy Act
• DPDPA Consumer Rights: Your Data Privacy Rights
• DPDPA Compliance Checklist for Businesses (2026)

More Delaware Laws

• Delaware AI Meeting Recording Laws
• Delaware Alimony Laws
• Delaware At-Will Employment Laws
• Delaware Car Accident Laws
• Delaware Car Seat Laws
• Delaware Child Custody Laws
• Delaware Child Support Laws
• Delaware Common Law Marriage Laws
• Delaware Deepfake Laws
• Delaware Divorce Laws
• Delaware Dog Bite Laws
• Delaware Emancipation Laws
• Delaware Expungement Laws
• Delaware Hit and Run Laws
• Delaware Landlord-Tenant Laws
• Delaware Lemon Laws

---

This article presents general legal information about Delaware data privacy laws. It does not constitute legal advice. Delaware's DPDPA, DOPPA, and breach notification law are subject to legislative amendment, attorney general guidance, and judicial interpretation. The federal TAKE IT DOWN Act and other federal statutes described herein are similarly subject to regulatory implementation and enforcement policy changes. Consult a qualified attorney licensed in Delaware for advice specific to your situation. Information last verified: May 2026.