Delaware
What Is the DPDPA? Delaware Data Privacy Act
The Delaware Personal Data Privacy Act (DPDPA) is Delaware's comprehensive consumer data privacy law, codified at Del. Code tit. 6, ch. 12D (§§ 12D-101 through 12D-111). It was enacted as House Bill 154 of the 152nd General Assembly, signed September 11, 2023, and took effect January 1, 2025. It gives Delaware residents the right to access, correct, delete, and port their personal data, to opt out of targeted advertising, the sale of personal data, and certain profiling, and to obtain a list of the categories of third parties to which a business has disclosed their data.
As of 2026, the Delaware Department of Justice has exclusive enforcement authority, and a violation can carry civil penalties of up to $10,000 per violation. The 60-day right to cure that businesses relied on through 2025 sunset on December 31, 2025, so a guaranteed grace period before the state acts no longer exists.
Jurisdiction scope: This covers Delaware's Personal Data Privacy Act (Del. Code tit. 6, ch. 12D). It is general legal information, not legal advice.
What the DPDPA is: statute, enactment, and effective date
The Delaware Personal Data Privacy Act is Delaware's first comprehensive consumer data privacy law. It is codified at Title 6, Chapter 12D of the Delaware Code, running from § 12D-101 through § 12D-111. The short title appears at § 12D-101, and the definitions that drive the rest of the chapter sit at § 12D-102.
The law was enacted as House Bill 154 during the 152nd General Assembly and was signed into law on September 11, 2023. It then took effect on January 1, 2025, giving covered businesses roughly fifteen months to build compliance programs before their obligations began.
As of 2026, the DPDPA is fully operative. Every business that meets the applicability thresholds in § 12D-103 must honor consumer rights requests, respect opt-out signals, limit how it processes sensitive data, and maintain a compliant privacy notice. For the full set of controller and processor obligations, see the Delaware data privacy laws parent page.
Who the DPDPA covers: low applicability thresholds
The applicability test lives in § 12D-103. The law applies to any person that conducts business in Delaware, or that produces products or services targeted to Delaware residents, and that during the preceding calendar year met either of two data thresholds.
The first trigger is controlling or processing the personal data of not less than 35,000 consumers, excluding data controlled or processed solely for the purpose of completing a payment transaction. That payment carve-out means a merchant does not count every card swipe toward the threshold when the only data involved is what is needed to complete that single purchase.
The second trigger is controlling or processing the personal data of not less than 10,000 consumers while deriving more than 20 percent of gross revenue from the sale of personal data. This lower headcount targets data-driven businesses whose model depends on monetizing personal information.
The 35,000-consumer floor is among the lowest in the country. Several states set their threshold at 100,000 consumers, so Delaware's net reaches well down into mid-size and even smaller organizations. A regional retailer, a membership group, or a digital service with a modest Delaware audience can be covered where the same business would escape a 100,000-consumer law.
The unusual coverage of nonprofits and higher education
One of the DPDPA's defining features is how few entity-level exemptions it grants. Most state privacy laws exempt all nonprofit organizations outright. Delaware does not.
Under § 12D-103, the only nonprofit carve-out is for a nonprofit organization dedicated exclusively to preventing and addressing insurance crime. Every other nonprofit that meets the applicability thresholds is generally covered. The Delaware Department of Justice has confirmed in its public guidance that the law applies to both for-profit and nonprofit businesses. A charity, advocacy group, museum, or membership association handling enough Delaware resident data falls inside the law.
Institutions of higher education are also covered, and this too sets Delaware apart. Section 12D-103 exempts Delaware state agencies and local government bodies, but it expressly carves higher education back in by excluding institutions of higher education from that governmental exemption. The practical result is that Delaware colleges and universities are subject to the DPDPA even though general government bodies are not.
These two features, broad nonprofit coverage and express higher-education coverage, mean organizations cannot assume their tax status or institutional category removes them from the law. The exemption analysis has to be done against the actual § 12D-103 list rather than a general assumption.
Data-level exemptions and the GLBA carve-out
Delaware still recognizes data-level and sector-specific exemptions. Under § 12D-103, protected health information processed under HIPAA is exempt, as are patient-identifying information, certain human-subjects research data, consumer report data regulated by the Fair Credit Reporting Act, data covered by the Driver's Privacy Protection Act, and education records governed by FERPA.
On financial institutions, § 12D-103 exempts a financial institution or its affiliate to the extent it is subject to Title V of the Gramm-Leach-Bliley Act. That is a meaningful but bounded exemption keyed to GLBA-regulated activity.
The structure means an organization may be partly exempt and partly covered. A covered entity should map each data set against the exemption list rather than assume one regulatory status removes the whole organization.
Opt-in sensitive data and teen protections
Sensitive data sits at the center of the DPDPA because processing it requires opt-in consent. Under § 12D-106(a)(4), a controller may not process sensitive data without first obtaining the consumer's consent, and for the data of a known child it must obtain consent from a parent or lawful guardian.
The definition of sensitive data at § 12D-102(30) is broad. It covers data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis including pregnancy, sex life, sexual orientation, status as transgender or nonbinary, citizenship status, and immigration status. It also covers genetic or biometric data, the personal data of a known child, and precise geolocation data. The express inclusion of pregnancy and of transgender or nonbinary status is notable and broadens the consent gate compared with narrower state definitions.
Delaware adds a distinct teen protection. Under § 12D-106(a)(7), where a controller has actual knowledge, or willfully disregards, that a consumer is at least 13 but younger than 18, it may not process that consumer's personal data for targeted advertising or sell that data without consent. This teen consent rule reaches the 13-to-17 age band that older child-privacy frameworks did not cover.
The categories-of-third-parties list right
The DPDPA gives Delaware consumers a transparency right that many older privacy frameworks lacked. Under § 12D-104(a)(5), a consumer may obtain a list of the categories of third parties to which the controller has disclosed the consumer's personal data.
This is a category-level disclosure, meaning a controller discloses groups such as advertising partners or analytics vendors rather than every named recipient. It still gives consumers a structured view of where their data flows, and it forces controllers to maintain records of their disclosure categories. The DPDPA consumer rights guide covers this right and the request procedure in depth.
DPDPA vs. CCPA: the key differences
Companies that operate nationally often compare Delaware's DPDPA with California's law. The state data privacy law comparison page covers the broader multistate picture, but several differences from California's CCPA stand out.
| Feature | Delaware DPDPA | California CCPA/CPRA |
|---|---|---|
| Coverage threshold | 35,000 consumers, or 10,000 plus 20% of revenue from data sales; no dollar floor | $25M revenue, 100,000 consumers, or 50% revenue from data sales |
| Nonprofits | Generally covered; only insurance-crime nonprofit exempt (§ 12D-103) | Generally exempt |
| Higher education | Covered; excluded from the government exemption (§ 12D-103) | Covered as businesses if thresholds met |
| Sensitive data | Opt-in consent required; broad definition (§ 12D-102(30)) | Right to limit use; opt-out model |
| Private right of action | None (§ 12D-111(d)) | Limited, for certain data breaches |
The most consequential differences are the coverage net and the entity exemptions. Delaware's lack of a dollar-revenue floor and its 35,000-consumer threshold pull in companies that California's $25 million revenue threshold would leave out, and Delaware reaches nonprofits and colleges that many state laws exempt.
The two laws also differ on sensitive data. California uses a right to limit the use of sensitive personal information, an opt-out model. Delaware requires opt-in consent under § 12D-106(a)(4) before sensitive data may be processed at all, a stricter default for that data.
Related guides
- Delaware data privacy laws parent hub
- DPDPA consumer rights
- DPDPA compliance checklist
- State data privacy law comparison
- What is the CCPA?
Sources
Sources and References
- Del. Code tit. 6, ch. 12D: Delaware Personal Data Privacy Act (Full Chapter)(delcode.delaware.gov).gov
- Del. Code tit. 6, § 12D-103: Applicability and Exemptions(delcode.delaware.gov).gov
- Del. Code tit. 6, § 12D-102: Definitions (Sensitive Data)(delcode.delaware.gov).gov
- Del. Code tit. 6, § 12D-106: Responsibilities of Controllers(delcode.delaware.gov).gov
- Del. Code tit. 6, § 12D-111: Enforcement by the Department of Justice(delcode.delaware.gov).gov
- Delaware HB 154 (152nd General Assembly): Personal Data Privacy Act(legis.delaware.gov).gov
- Delaware Department of Justice: Personal Data Privacy Portal(attorneygeneral.delaware.gov).gov
- Delaware DOJ: Personal Data Privacy Act Frequently Asked Questions(attorneygeneral.delaware.gov).gov