Delaware Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Delaware does not have a standalone biometric privacy law like Illinois' BIPA. Instead, the state protects biometric information through the Delaware Personal Data Privacy Act (DPDPA), a comprehensive data privacy law signed by Governor John Carney on September 11, 2023, and effective January 1, 2025. The DPDPA treats biometric data as a category of "sensitive data" that triggers heightened consent requirements and processing restrictions.
This guide covers how Delaware law defines and regulates biometric data, what obligations businesses face, how enforcement works, and how breach notification rules apply to biometric information.
How Delaware Law Defines Biometric Data
Under Section 12D-102(3) of the DPDPA, biometric data means data generated by automatic measurements of an individual's unique biological characteristics. The statute lists specific examples:
- Fingerprints
- Voiceprints
- Eye retinas
- Irises
- Other unique biological patterns or characteristics
The defining requirement is that these measurements must be used to identify a specific individual.
What Is Excluded
The DPDPA explicitly excludes certain categories from the biometric data definition. Digital or physical photographs, audio recordings, and video recordings do not qualify as biometric data unless someone processes them specifically to identify a particular person.
This distinction matters in practice. A security camera recording in a Delaware workplace is not biometric data by itself. However, if a company runs that footage through facial recognition software to identify employees, the extracted faceprint data becomes biometric data subject to DPDPA requirements.
Biometric Data as Sensitive Data Under the DPDPA
Section 12D-102(30) classifies biometric data alongside other categories of sensitive personal data, including:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health conditions or diagnoses
- Sexual orientation
- Citizenship or immigration status
- Genetic data
- Precise geolocation data (within a 1,750-foot radius)
- Data concerning known children
This classification is significant because sensitive data receives stronger protections than ordinary personal data under the DPDPA. Controllers face additional obligations before they can collect or use any information in these categories.
Consent Requirements for Biometric Data
The DPDPA's most important biometric protection is its consent mandate. Under Section 12D-105, controllers cannot process sensitive data, including biometric data, without first obtaining the consumer's consent.
What Counts as Valid Consent
Delaware law sets a high bar for valid consent. Section 12D-102(7) requires a "clear affirmative act" that is:
- Freely given by the consumer without coercion
- Specific to the data processing activity
- Informed with clear notice about what data is collected and why
- Unambiguous in expressing agreement

What Does Not Count as Consent
The DPDPA specifically rejects several common business practices as valid consent:
- Accepting broad terms of service or general use policies
- Hovering over, pausing on, or otherwise interacting with website content
- Agreement obtained through deceptive or manipulative webpage design (dark patterns)
This means a company cannot bury biometric data consent in a lengthy terms of service agreement and claim compliance. Biometric data collection requires a separate, specific consent mechanism.
Special Rules for Children
When processing biometric data of a known child, controllers must obtain consent from the child's parent or lawful guardian. The controller must also comply with Section 1204C of the Delaware Code, which aligns with federal COPPA protections.
Who Must Comply: Applicability Thresholds
The DPDPA does not apply to every business operating in Delaware. Under Section 12D-103, the law covers entities that conduct business in Delaware and meet at least one of these thresholds:
- Controlled or processed the personal data of 35,000 or more consumers during the prior calendar year, OR
- Controlled or processed the personal data of 10,000 or more consumers and derived more than 20% of gross revenue from the sale of personal data
Key Exemptions
Several categories of organizations and data are exempt from the DPDPA:
- Government entities (excluding state institutions of higher education)
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- HIPAA-covered entities and protected health information
- Educational records governed by FERPA
- Fair Credit Reporting Act activities
- Nonprofits serving abuse, trafficking, or stalking victims
These exemptions mean that a hospital collecting fingerprints for patient identification is likely covered by HIPAA rather than the DPDPA. A bank using fingerprint authentication would typically fall under GLBA instead.
Controller Obligations for Biometric Data
Beyond the consent requirement, the DPDPA imposes several duties on controllers that handle biometric data.
Data Minimization
Controllers must limit their collection of biometric data to what is "adequate, relevant, and reasonably necessary" for the disclosed purpose. A retailer that needs fingerprint scans for employee time tracking cannot also use those scans for marketing analytics.
Security Requirements
Controllers must establish "reasonable administrative, technical, and physical data security practices" to protect biometric data. While the statute does not specify exact security standards, Section 12D-106 references frameworks like NIST and ISO/IEC standards as acceptable benchmarks.
Privacy Notice
Every controller processing biometric data must provide a "reasonably accessible, clear, and meaningful privacy notice" that discloses the categories of personal data processed, the purposes of processing, how consumers can exercise their rights, and what categories of data are shared with third parties.
Easy Revocation
If a consumer gave consent to biometric data processing, the controller must provide a way to revoke that consent. The revocation mechanism must be "at least as easy as" the method used to give consent in the first place.
Non-Discrimination
Controllers cannot discriminate against consumers who exercise their privacy rights. A company cannot deny services or charge higher prices to an employee who refuses to provide fingerprint data, as long as the biometric data is not strictly necessary for the service.
Consumer Rights Over Biometric Data
Delaware residents have several rights under Section 12D-104 that apply to their biometric data:
- Right to confirm and access: Consumers can ask whether a company processes their biometric data and request a copy.
- Right to correct: Consumers can demand correction of inaccurate biometric records.
- Right to delete: Consumers can request deletion of their biometric data.
- Right to portability: Consumers can obtain their biometric data in a portable format.
- Right to know third-party recipients: Consumers can request a list of third parties who received their biometric data.
- Right to opt out: Consumers can opt out of the sale of their biometric data, its use for targeted advertising, or automated profiling.
Controllers must respond to these requests within 45 days, with a possible 45-day extension. The first request in any 12-month period must be processed free of charge.
Consumers can also designate an authorized agent to exercise opt-out rights on their behalf, including through browser settings, privacy-focused extensions, or other technical mechanisms.
Employer Obligations in the Workplace
The DPDPA does not contain a separate employer exemption for biometric data. If a Delaware employer meets the applicability thresholds, it must comply with DPDPA requirements when collecting employee biometric data.
Common workplace biometric uses that trigger compliance obligations include:
- Fingerprint-based time clocks for tracking attendance
- Facial recognition systems for building access
- Palm scanners or hand geometry readers at secure facilities
- Voice recognition for phone authentication
Employers must provide clear notice, obtain affirmative consent, limit collection to what is necessary, protect the data with reasonable security measures, and honor employee requests to access, correct, or delete their biometric information.

Practical Compliance Steps for Employers
- Audit all systems that collect biometric data from employees
- Create a standalone biometric data consent form, separate from general employment agreements
- Draft a privacy notice that specifically addresses biometric data collection
- Implement a process for employees to revoke consent or request deletion
- Review data retention practices and delete biometric data that is no longer needed
Breach Notification for Biometric Data
Delaware's Computer Security Breaches law (Title 6, Chapter 12B) provides a separate layer of protection for biometric data. Under Section 12B-101(7), "unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes" qualifies as personal information that triggers breach notification obligations.
If a company suffers a data breach involving biometric data, it must:
- Notify affected Delaware residents without unreasonable delay and no later than 60 days after discovering the breach
- Notify the Delaware Attorney General if the breach affects 500 or more Delaware residents
- Investigate whether the breach is likely to result in harm to affected individuals
For more details on Delaware's breach reporting requirements, see our guide to Delaware Data Breach Notification Laws.
Enforcement and Penalties
Attorney General Enforcement
The Delaware Department of Justice has exclusive authority to enforce the DPDPA under Section 12D-111. This means only the Attorney General can bring enforcement actions against companies that violate the law's biometric data provisions.

No Private Right of Action
Unlike Illinois' Biometric Information Privacy Act (BIPA), which allows individuals to sue companies directly, the DPDPA explicitly states that nothing in the chapter "shall be construed as providing the basis for...a private right of action." Delaware residents cannot file lawsuits against companies for mishandling their biometric data under this law.
Penalties
Violations of the DPDPA constitute an "unlawful practice" under Section 2513 of the Delaware Code. The Attorney General can pursue:
- Civil penalties of up to $10,000 per violation
- Injunctive relief to stop ongoing violations
- Restitution for affected consumers
- Disgorgement of profits gained through violations
Cure Period Changes
The enforcement timeline has shifted since the DPDPA took effect:
- Through December 31, 2025: The Attorney General was required to issue a notice of violation and give controllers 60 days to cure the problem before taking enforcement action.
- Starting January 1, 2026: The mandatory cure period has ended. The Attorney General now has discretion to consider the severity of the violation, the size and complexity of the business, the number of affected consumers, and any prior violations when deciding whether to offer a cure opportunity.
Consumers can submit complaints to the Delaware Department of Justice at privacy@delaware.gov.
Legislative History and Future Outlook
Delaware's path to biometric privacy protection has evolved over several years.
In 2018, the Delaware General Assembly introduced HB 350, a standalone biometric privacy bill modeled after Illinois' BIPA. That bill would have required written retention policies, specific consent before collection, and a ban on selling biometric data. HB 350 died in the House Economic Development/Banking/Insurance/Commerce Committee without receiving a vote.
Rather than revisiting a standalone biometric law, Delaware took a broader approach. The DPDPA, signed into law in September 2023, folded biometric protections into a comprehensive consumer data privacy framework. This approach addresses biometric data as one category of sensitive information rather than creating a separate regulatory scheme.
As of early 2026, the Delaware General Assembly has also begun exploring neural data privacy protections, which could expand the definition of biometric data to include brain-computer interface data and other neurotechnology outputs. No bill has been introduced yet, but the General Assembly's neural data privacy issue brief signals growing legislative interest in emerging biometric technologies.
How Delaware Compares to Other States
Delaware's approach to biometric privacy falls in the middle of the national landscape:
| Feature | Delaware (DPDPA) | Illinois (BIPA) | Texas (CUBI) |
|---|---|---|---|
| Law type | Comprehensive privacy law | Standalone biometric law | Standalone biometric law |
| Private right of action | No | Yes | No |
| Consent required | Yes (sensitive data) | Yes (written release) | Yes (informed consent) |
| Maximum penalty | $10,000/violation | $1,000-$5,000/violation | $25,000/violation |
| Retention/destruction policy | Not explicitly required | Required (3-year max) | Required |
| Effective date | January 1, 2025 | October 3, 2008 | September 1, 2009 |
Delaware offers solid biometric protections but lacks the private right of action that makes Illinois' BIPA the strongest biometric privacy law in the country. The absence of a standalone biometric statute also means Delaware does not require explicit written retention and destruction policies for biometric data.
For a broader overview of Delaware's privacy framework, see our guide to Delaware Data Privacy Laws.
This article is for informational purposes only and does not constitute legal advice. Biometric privacy law is evolving rapidly, and the information here reflects Delaware law as of early 2026. Consult a qualified attorney licensed in Delaware for guidance on your specific situation.
Sources and References
- Delaware Personal Data Privacy Act (Title 6, Chapter 12D) (delcode.delaware.gov)
- HB 154 Bill Detail - Delaware General Assembly (legis.delaware.gov)
- Delaware Personal Data Privacy Portal - Attorney General (attorneygeneral.delaware.gov)
- DPDPA Frequently Asked Questions - Delaware DOJ (attorneygeneral.delaware.gov)
- Delaware Computer Security Breaches Law (Title 6, Chapter 12B) (delcode.delaware.gov)
- HB 350 Biometric Privacy Bill - Delaware General Assembly (legis.delaware.gov)
- AG Jennings Announces New Data Privacy Rights - Delaware News (news.delaware.gov)
- Neural Data Privacy Issue Brief - Delaware General Assembly (legis.delaware.gov)
- Data Security Breaches - Delaware DOJ (attorneygeneral.delaware.gov)