DPDPA Compliance Checklist: Delaware Privacy

Complying with the Delaware Personal Data Privacy Act (DPDPA), Del. Code tit. 6, ch. 12D, starts with the applicability test in § 12D-103: a business is covered if, in the prior year, it controlled or processed personal data of 35,000-plus Delaware consumers, or 10,000-plus consumers while deriving more than 20 percent of gross revenue from data sales. Covered businesses must publish a compliant privacy notice, honor consumer rights, obtain opt-in consent before processing sensitive data, recognize a universal opt-out signal as of January 1, 2026, and conduct data protection assessments for higher-risk processing.
As of 2026, the Delaware Department of Justice enforces the law and a violation can carry civil penalties of up to $10,000 per violation. The 60-day right to cure sunset on December 31, 2025, so businesses can no longer count on a guaranteed window to fix problems before enforcement begins. This checklist walks through the practical steps in section order.
Jurisdiction scope: This covers Delaware's Personal Data Privacy Act (Del. Code tit. 6, ch. 12D). It is general legal information, not legal advice.
Step 1: Run the low-threshold applicability test
Start with § 12D-103. The DPDPA applies to any person that conducts business in Delaware, or produces products or services targeted to Delaware residents, and that in the preceding calendar year met one of two thresholds.
The first threshold is controlling or processing the personal data of at least 35,000 consumers, excluding data controlled or processed solely to complete a payment transaction. The second is controlling or processing the personal data of at least 10,000 consumers while deriving more than 20 percent of gross revenue from the sale of personal data.
Because there is no dollar-revenue floor and the consumer count is among the lowest nationally, many mid-size and smaller businesses are covered. Count Delaware-resident consumers across the full prior year, not a point-in-time snapshot, and remember the payment-only carve-out reduces but does not erase the count for businesses that collect more than transactional data.
Step 2: Check the nonprofit and higher-education coverage question
Delaware's exemption structure is unusual, so this step deserves its own pass. Under § 12D-103, the only nonprofit carve-out is for a nonprofit organization dedicated exclusively to preventing and addressing insurance crime. Every other nonprofit that meets the thresholds is generally covered, and the Delaware Department of Justice has publicly confirmed the law applies to both for-profit and nonprofit businesses.
Institutions of higher education are also covered. Section 12D-103 exempts Delaware state and local government bodies but expressly excludes institutions of higher education from that exemption, so colleges and universities fall under the law.
The practical takeaway: do not assume nonprofit status or institutional category removes you from the DPDPA. A charity, advocacy group, association, or university that meets the thresholds should run the full compliance program. Confirm only that you are not within the narrow insurance-crime nonprofit carve-out or a data-level exemption such as HIPAA, GLBA, FCRA, or FERPA.
Step 3: Publish a compliant privacy notice
Covered controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice under § 12D-106. The notice must disclose the categories of personal data the controller processes, the purpose of processing, how consumers may exercise their rights and appeal a decision, the categories of personal data the controller shares with third parties, and the categories of those third parties.
The notice must also describe how a consumer can submit a request, including, where applicable, the opt-out methods for targeted advertising, the sale of personal data, and profiling. If the controller sells personal data to third parties or processes data for targeted advertising, it must clearly and conspicuously disclose that activity and explain how to opt out.
Review the notice against the actual data flows. A notice that omits a category of data or a sharing relationship is a compliance gap, and the categories disclosed in the notice should match what the controller is prepared to report in response to a categories-of-third-parties request under § 12D-104(a)(5).

Step 4: Build rights-request and appeal workflows
Set up intake channels for the consumer rights in § 12D-104(a), including access, correction, deletion, portability, the categories-of-third-parties list, and the opt-outs. Authenticate requests using commercially reasonable methods, and remember that a controller need not comply with a request it cannot authenticate but may ask for information to do so.
Engineer the workflow to meet the 45-day response deadline in § 12D-104(c)(1), with the one allowed 45-day extension documented and communicated within the first 45 days. Provide responses free of charge up to twice per year per consumer.
Build the appeal process required by § 12D-104(d) so it is conspicuous and similar to the original request process, with a 60-day appeal response and, on denial, a method for the consumer to complain to the Delaware Department of Justice.
Step 5: Get opt-in consent for sensitive data and teen data
Sensitive data is a hard gate. Under § 12D-106(a)(4), a controller may not process sensitive data without the consumer's opt-in consent, and for a known child it must obtain parental consent and handle the data consistent with children's privacy law.
The sensitive-data definition in § 12D-102(30) is broad. It includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis including pregnancy, sex life, sexual orientation, status as transgender or nonbinary, citizenship status, and immigration status, plus genetic or biometric data, the data of a known child, and precise geolocation. Inventory whether you process any of these, and if you do, route it through a valid consent mechanism that meets Delaware's definition of consent.
Layer in the teen rule from § 12D-106(a)(7). Where you have actual knowledge, or willfully disregard, that a consumer is at least 13 but younger than 18, you may not use that data for targeted advertising or sell it without consent. Build age signals into the consent flow so that known teens are treated as opt-in for those activities.
Step 6: Recognize the universal opt-out mechanism by January 1, 2026
If you process personal data for targeted advertising or sell personal data, you must honor a universal opt-out preference signal under § 12D-106(e) as of January 1, 2026. That means detecting and respecting a signal such as Global Privacy Control sent automatically by a consumer's browser or device.
As of 2026 this requirement is live. Test that your site and apps read the signal, apply the opt-out to the right processing activities, and persist the choice. Document the technical method you use to detect and honor the signal so you can demonstrate compliance.
Where a recognized signal conflicts with a choice the consumer affirmatively made, you may notify the consumer and ask them to confirm the conflicting choice, but absent that confirmation a recognized signal should be treated as a valid opt-out.
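One way to implement the server-side handling described in this step, as an added example that is not part of the original checklist: it reads the `Sec-GPC: 1` request header defined by the Global Privacy Control specification, applies the opt-out to targeted advertising and sale, persists the choice with an audit entry, and treats an unconfirmed conflicting opt-in as an opt-out. The purpose names, the record shape, and the rule that a stored opt-out survives later requests that lack the signal are assumptions made for illustration.

```javascript
// Added example; purpose names and the record shape are hypothetical.
const GPC_PURPOSES = ["targeted_advertising", "sale_of_personal_data"];

// GPC is sent as the request header `Sec-GPC: 1`; any other value is not a signal.
function hasGpcSignal(headers) {
  return Object.entries(headers).some(
    ([name, value]) => name.toLowerCase() === "sec-gpc" && String(value).trim() === "1"
  );
}

// stored.optedOut[purpose]: true = opted out, false = affirmative opt-in, undefined = no choice.
// Returns the record to persist, the per-purpose decision, and any conflicts to confirm.
function applyGpc(headers, stored, nowIso) {
  const record = {
    optedOut: { ...(stored.optedOut || {}) },
    confirmedOptIn: { ...(stored.confirmedOptIn || {}) },
    audit: [...(stored.audit || [])],
  };
  const askToConfirm = [];
  if (hasGpcSignal(headers)) {
    for (const purpose of GPC_PURPOSES) {
      if (record.confirmedOptIn[purpose]) continue; // consumer confirmed after a conflict notice
      if (record.optedOut[purpose] === false) askToConfirm.push(purpose); // earlier opt-in conflicts
      if (record.optedOut[purpose] !== true) {
        record.optedOut[purpose] = true; // absent confirmation, the signal is a valid opt-out
        record.audit.push({ at: nowIso, purpose, source: "Sec-GPC" });
      }
    }
  }
  const allowed = {};
  for (const purpose of GPC_PURPOSES) allowed[purpose] = record.optedOut[purpose] !== true;
  return { record, allowed, askToConfirm };
}

// Called only after the consumer answers the conflict notice in favour of the opt-in.
function confirmOptIn(record, purpose, nowIso) {
  return {
    optedOut: { ...record.optedOut, [purpose]: false },
    confirmedOptIn: { ...record.confirmedOptIn, [purpose]: true },
    audit: [...record.audit, { at: nowIso, purpose, source: "consumer-confirmation" }],
  };
}
```

The `audit` entries give a dated record of when and why each opt-out was applied, which supports the documentation point above.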

Step 7: Conduct data protection assessments and sign processor contracts
Two structural obligations round out the program. First, under § 12D-108, a controller that controls or processes the personal data of not less than 100,000 consumers must conduct and document a data protection assessment for each processing activity that presents a heightened risk of harm. That includes processing for targeted advertising, the sale of personal data, profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment or other substantial injury, and the processing of sensitive data.
Keep the assessments current and on file. The Delaware Department of Justice may require a controller to disclose a relevant data protection assessment in connection with an investigation, so they should be written to be produced.
Second, under § 12D-107, every relationship with a processor must be governed by a contract that sets out processing instructions, confidentiality duties, deletion or return of data, and audit cooperation, and that flows the obligations down to subcontractors. Review vendor agreements against this list and update any that predate the DPDPA.
Step 8: Plan for enforcement now that the cure period has sunset
The compliance stakes rose in 2026 because the cure period expired. Under § 12D-111, the Delaware Department of Justice has exclusive enforcement authority, and there is no private right of action under § 12D-111(d). A violation is treated as an unlawful practice and can carry civil penalties of up to $10,000 per violation.
During 2025, the Department was required to give a controller a notice of violation and 60 days to cure before bringing an action where a cure was possible. That mandatory right to cure sunset on December 31, 2025. Beginning January 1, 2026, any cure opportunity is discretionary and weighed against statutory factors such as the number of violations, the controller's size, and the substantial likelihood of public injury.
The practical consequence is that, as of 2026, a business cannot assume it will get a free fix-it window. The right posture is to operate as if every gap is directly actionable: keep the privacy notice accurate, the rights workflows on deadline, consent in place for sensitive and teen data, the universal opt-out honored, and assessments and processor contracts documented and ready to produce.
Compliance checklist at a glance
| Step | Statute | What to do |
|---|---|---|
| Applicability test | § 12D-103 | 35,000 consumers, or 10,000 plus 20% data-sale revenue |
| Nonprofit / college check | § 12D-103 | Most nonprofits and all colleges are covered |
| Privacy notice | § 12D-106 | Disclose data, purposes, sharing, opt-outs |
| Rights and appeals | § 12D-104 | 45-day response, 60-day appeal |
| Sensitive and teen consent | § 12D-106(a)(4), (a)(7) | Opt-in for sensitive data and teen ads/sale |
| Universal opt-out | § 12D-106(e) | Honor GPC by January 1, 2026 |
| Assessments and contracts | § 12D-108, § 12D-107 | Assess higher-risk processing; sign processor contracts |
| Enforcement readiness | § 12D-111 | No cure guarantee; up to $10,000 per violation |
Sources and References
- Del. Code tit. 6, ch. 12D: Delaware Personal Data Privacy Act (Full Chapter) (delcode.delaware.gov)
- Del. Code tit. 6, § 12D-103: Applicability and Exemptions (delcode.delaware.gov)
- Del. Code tit. 6, § 12D-104: Personal Data Rights of Consumers (delcode.delaware.gov)
- Del. Code tit. 6, § 12D-106: Responsibilities of Controllers (delcode.delaware.gov)
- Del. Code tit. 6, § 12D-107: Duties of Processors (delcode.delaware.gov)
- Del. Code tit. 6, § 12D-108: Data Protection Assessments (delcode.delaware.gov)
- Del. Code tit. 6, § 12D-111: Enforcement by the Department of Justice (delcode.delaware.gov)
- Delaware DOJ: Personal Data Privacy Act Frequently Asked Questions (attorneygeneral.delaware.gov)