Delaware
DPDPA Consumer Rights: Delaware Data Privacy
Under the Delaware Personal Data Privacy Act (DPDPA), Del. Code tit. 6, ch. 12D, a Delaware resident can confirm whether a business is processing their personal data and access it, correct inaccuracies, delete data, obtain a portable copy, get a list of the categories of third parties that received their data, and opt out of targeted advertising, the sale of personal data, and certain profiling. These rights are set out in § 12D-104(a) and took effect January 1, 2025.
A controller must respond to a rights request within 45 days under § 12D-104(c), with one 45-day extension when reasonably necessary, and must offer an appeal process under § 12D-104(d). As of January 1, 2026, controllers must also honor a universal opt-out preference signal such as Global Privacy Control under § 12D-106(e). The Delaware Department of Justice enforces these rights, and there is no private right of action.
Jurisdiction scope: This covers Delaware's Personal Data Privacy Act (Del. Code tit. 6, ch. 12D). It is general legal information, not legal advice.
The five core data rights
The DPDPA grants Delaware consumers a full slate of data rights in § 12D-104(a). These rights apply to covered controllers, meaning businesses that meet the applicability thresholds in § 12D-103.
The right to access, in § 12D-104(a)(1), lets a consumer confirm whether a controller is processing the consumer's personal data and access that data. The right to correct, in § 12D-104(a)(2), lets a consumer correct inaccuracies, taking into account the nature of the personal data and the purposes of processing.
The right to delete, in § 12D-104(a)(3), is broad: a consumer may delete personal data provided by or obtained about the consumer. That reaches beyond data the consumer supplied directly to data the business obtained from other sources. The right to data portability, in § 12D-104(a)(4), lets a consumer obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format.
For the full controller obligations behind these rights, see the Delaware data privacy laws parent page.
The categories-of-third-parties list right
A distinct DPDPA right lets consumers see where their data has traveled. Under § 12D-104(a)(5), a consumer may obtain a list of the categories of third parties to which the controller has disclosed the consumer's personal data.
This is a category-level disclosure. A controller discloses groups of recipients, such as advertising networks, analytics providers, or payment processors, rather than every individually named company. Even so, it gives consumers a structured view of the controller's data sharing and forces businesses to track and maintain their disclosure categories.
To answer these requests accurately, a controller needs a data map that records which categories of vendors and partners receive which data. Businesses that have not inventoried their downstream sharing will struggle to respond within the statutory deadline.
The three opt-out rights
Section 12D-104(a)(6) gives consumers three opt-out rights. Under § 12D-104(a)(6)(a), a consumer may opt out of the processing of personal data for purposes of targeted advertising. Under § 12D-104(a)(6)(b), a consumer may opt out of the sale of personal data. Under § 12D-104(a)(6)(c), a consumer may opt out of profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.
The profiling opt-out is narrow by design. It reaches automated decisions with legal or similarly significant effects, such as decisions affecting access to financial services, housing, employment, or similar outcomes. Routine ad personalization that does not produce such effects falls under the targeted-advertising opt-out instead.
Delaware's definition of "sale" is broad. It covers the exchange of personal data for monetary or other valuable consideration, which means data sharing that produces non-cash value can still count as a sale and trigger the opt-out.
Response deadlines, extensions, and authentication
A controller must respond to a consumer rights request promptly. Under § 12D-104(c)(1), the controller must respond without undue delay and in any case not later than 45 days after receiving the request. The controller may extend that period by an additional 45 days when reasonably necessary, considering the complexity and number of requests, as long as it informs the consumer of the extension and the reason for it within the initial 45-day window.
If a controller declines to act, it must tell the consumer why within that response period and explain how to appeal. A controller may decline to act on a request it cannot authenticate using commercially reasonable efforts, and in that situation it is not required to comply but may ask the consumer for information reasonably necessary to authenticate the request.
Responses must generally be provided free of charge, up to twice annually per consumer. If requests are manifestly unfounded, excessive, or repetitive, the controller may charge a reasonable fee or decline to act, and it bears the burden of demonstrating that character.
The appeal process
The DPDPA requires controllers to build an appeal path for consumers whose requests are denied. Under § 12D-104(d), a controller must establish a process for a consumer to appeal the controller's refusal to take action on a request. The appeal process must be conspicuously available and similar to the process for submitting the original request.
Within 60 days of receiving an appeal, the controller must inform the consumer in writing of any action taken or not taken in response, along with a written explanation of the reasons. If the controller denies the appeal, it must also provide the consumer with a way to contact the Delaware Department of Justice to submit a complaint.
That referral to the regulator is a practical backstop. A consumer who believes a controller wrongly denied a rights request can escalate the matter to the enforcer rather than relying only on the controller's internal review.
The universal opt-out mechanism, effective January 1, 2026
Delaware requires controllers to honor a browser-level or device-level opt-out signal. Under § 12D-106(e), not later than January 1, 2026, a controller that processes personal data for targeted advertising or sells personal data must allow consumers to opt out through an opt-out preference signal sent by a platform, technology, or mechanism, such as Global Privacy Control.
The universal opt-out mechanism lets a consumer set a single signal in their browser or device that automatically communicates an opt-out to every site they visit, rather than clicking an opt-out link on each one. As of 2026, this requirement is in force, so covered businesses must detect and respect the signal.
When the signal conflicts with a setting the consumer affirmatively chose, the law allows the controller to notify the consumer and let them confirm the conflicting choice, but the default is to treat a recognized signal as a valid opt-out.
Teen protections for ages 13 to 17
The DPDPA adds a protection for older minors that goes beyond the general opt-in for children's data. Under § 12D-106(a)(7), where a controller has actual knowledge, or willfully disregards, that a consumer is at least 13 but younger than 18 years of age, the controller may not process that consumer's personal data for purposes of targeted advertising, or sell that personal data, without the consumer's consent.
This shifts the default for the 13-to-17 age band from opt-out to opt-in for targeted advertising and sale. A business that knows a user is a teenager, or that ignores clear signs of it, cannot rely on the teen's failure to opt out. It must obtain affirmative consent first.
This is separate from the rule for known children under 13, whose sensitive data and personal data are governed by the consent requirements in § 12D-106(a)(4) and related federal children's privacy law.
Rights and deadlines at a glance
| Right or step | Statute | Key detail |
|---|---|---|
| Access | § 12D-104(a)(1) | Confirm and access personal data |
| Correct | § 12D-104(a)(2) | Fix inaccuracies |
| Delete | § 12D-104(a)(3) | Data provided by or obtained about the consumer |
| Portability | § 12D-104(a)(4) | Portable, readily usable copy |
| Third-party categories list | § 12D-104(a)(5) | Categories of third parties that received data |
| Opt out of ads, sale, profiling | § 12D-104(a)(6) | Targeted ads, sale, significant-effect profiling |
| Response deadline | § 12D-104(c)(1) | 45 days, plus one 45-day extension |
| Appeal response | § 12D-104(d) | 60 days, with DOJ complaint referral |
| Universal opt-out signal | § 12D-106(e) | Required by January 1, 2026 |
Related guides
- Delaware data privacy laws parent hub
- What is the DPDPA?
- DPDPA compliance checklist
- State data privacy law comparison
- What is the CCPA?
Sources
Sources and References
- Del. Code tit. 6, ch. 12D: Delaware Personal Data Privacy Act (Full Chapter)(delcode.delaware.gov).gov
- Del. Code tit. 6, § 12D-104: Personal Data Rights of Consumers(delcode.delaware.gov).gov
- Del. Code tit. 6, § 12D-106: Responsibilities of Controllers and Universal Opt-Out(delcode.delaware.gov).gov
- Del. Code tit. 6, § 12D-102: Definitions (Sale, Consent, Profiling)(delcode.delaware.gov).gov
- Del. Code tit. 6, § 12D-111: Enforcement by the Department of Justice(delcode.delaware.gov).gov
- Delaware Department of Justice: Personal Data Privacy Portal(attorneygeneral.delaware.gov).gov
- Delaware DOJ: Personal Data Privacy Act Frequently Asked Questions(attorneygeneral.delaware.gov).gov