Delaware Personal Data Privacy Act (DPDPA) – Full Guide 2025
Delaware’s jumped on the privacy bandwagon with its own data privacy law. They call it the Delaware Personal Data Privacy Act, or DPDPA for short. Governor John Carney signed it into law on September 11, 2023, and it’s in force from January 1, 2025. What’s it all about? Well, it’s Delaware’s move to protect personal data, joining a bunch of other states doing the same. If you’re doing business in Delaware or targeting its residents, this law applies to you, especially if you’re handling a lot of personal data. Let’s break down what this means for businesses and consumers.
Key Takeaways
- Delaware has introduced its own data privacy law, the DPDPA, effective January 1, 2025.
- The law affects businesses operating in Delaware or targeting Delaware residents.
- Applies to businesses processing data of 35,000+ Delaware consumers or 10,000+ consumers if 20% of revenue comes from data sales.
- Enforced by Delaware Department of Justice with 60-day cure period
- No private right of action
- Required opt-out mechanism deadline: January 1, 2026
Overview of the Delaware Personal Data Privacy Act
Historical Context and Significance
Delaware has taken a significant step by enacting the Personal Data Privacy Act, making it the twelfth state to implement comprehensive privacy legislation. This law was passed by both the House and the Senate, contributing to a total of seven state privacy laws enacted in 2024. The Delaware Personal Data Privacy Act (DPDPA) is a response to growing concerns over data privacy and security, reflecting a broader trend across the United States to empower consumers with more control over their personal information.
Key Objectives of the Act
The DPDPA aims to:
- Protect consumer privacy by setting clear guidelines on how businesses collect, use, and share personal data.
- Enhance transparency, ensuring that consumers are well-informed about their data rights.
- Align Delaware’s privacy standards with those of other states, fostering a more uniform approach to data protection.
Scope and Applicability of the Delaware Personal Data Privacy Act
Your business falls under the DPDPA if you:
- Conduct business in Delaware or target Delaware residents
- Control or process personal data of 35,000+ Delaware consumers (excluding payment transaction data), OR
- Control/process data of 10,000+ Delaware consumers AND derive over 20% of gross revenue from selling personal data
Exemptions and Special Cases
There are exceptions to every rule, and this Act is no different. Certain organizations and data types are exempt. This includes:
- Non-profit organizations
- Data processed for employment purposes
- Data already regulated by federal laws like HIPAA
Consumer Rights Under the Delaware Personal Data Privacy Act
The law requires businesses to provide Delaware residents with several fundamental rights:
- Right to access their personal data
- Right to correct inaccuracies
- Right to delete personal data
- Right to obtain a portable copy of their data
- Right to get a list of third parties who received their data
- Right to opt out of:
  - Targeted advertising
  - Personal data sales
  - Profiling for automated decisions
Obligations for Businesses Under the Delaware Personal Data Privacy Act
Privacy Notice Requirements
Under the Act, businesses are required to be transparent about their data practices. This means they must clearly disclose what data they’re collecting, why they’re collecting it, and how it’s being used. Your business must provide a clear, accessible privacy notice including:
- Categories of personal data processed
- Processing purposes
- How consumers can exercise their rights
- Categories of data shared with third parties
- Categories of third-party recipients
- Active email or online contact method
Data Processing Rules
You must:
- Limit data collection to what’s necessary
- Process data only for disclosed purposes
- Implement reasonable security measures
- Get consent for processing sensitive data
- Respond to consumer requests within 45 days (can be extended by an additional 45 days)
- Provide an appeals process for denied requests
Data Protection Assessments
Businesses operating in Delaware must conduct regular data protection assessments. These assessments are crucial for identifying privacy risks and ensuring compliance with the Delaware Data Privacy Act. They help companies understand how personal data is collected, stored, and used. Regular assessments are mandatory for activities that present heightened risks, including:
- Targeted advertising
- Data sales
- Certain profiling activities
- Processing sensitive data
Third-Party Monitoring
Under the Delaware Data Privacy Act, monitoring third parties' compliance is mandatory:
“(d) A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. The determination of the reasonableness of such oversight and the appropriateness of contractual enforcement must take into account whether the disclosed data includes data that would be sensitive data if it were re-identified.”
You can monitor your third parties automatically with hoggo.
Enforcement and Penalties
Failing to comply with the Delaware Personal Data Privacy Act can result in significant penalties. Businesses that do not adhere to the regulations may face fines and legal actions. The severity of penalties often depends on the nature and extent of the violation. Companies are encouraged to regularly review their data practices to avoid these consequences.
- Enforcement by Delaware Department of Justice
- 60-day cure period after notice of violation
- No private right of action
- Violations treated as unlawful trade practices
Business Checklist For Delaware Personal Data Privacy Act Compliance
Take these steps to prepare for the DPDPA:
- Data Mapping
  - Identify what personal data you collect
  - Document data flows and processing activities
  - Map third-party data sharing
- Policy Updates
  - Update privacy notices
  - Create consumer rights procedures
  - Develop consent mechanisms
  - Establish data protection assessment processes
- Technical Implementation
  - Build consumer rights request portals
  - Implement opt-out mechanisms
  - Create data deletion procedures
  - Enhance security measures
- Review processor contracts
- Update agreements to meet DPDPA requirements
- Implement vendor monitoring processes
Impact of the Delaware Personal Data Privacy Act on Businesses
Changes in Data Management Practices
The Delaware Personal Data Privacy Act is shaking things up for businesses when it comes to how they handle data. Companies now have to rethink how they collect, store, and use personal information. Many are finding that they need to upgrade their systems to keep up with the new rules.
- Review current data collection methods.
- Identify and assess third parties.
- Train staff on compliance requirements.
Cost Implications for Compliance
Getting up to speed with the Delaware Personal Data Privacy Act isn’t cheap. Businesses are spending more on technology and staff training. While some see this as an investment, others are feeling the pinch. The costs might include:
| Expense Type | Estimated Cost Increase |
|---|---|
| Technology Upgrades | 20-30% |
| Staff Training | 15-25% |
| Legal Consultation | 10-20% |
Adapting to these changes is a challenge, but it also presents an opportunity for businesses to build trust with their customers by showing they care about privacy.
Wrapping It Up
So, there you have it. The Delaware Personal Data Privacy Act is a big deal for businesses and consumers in Delaware, aiming to give folks more control over their personal info. If you’re running a business in Delaware or just living there, it’s something to keep an eye on. With this new law, Delaware joins a growing list of states taking data privacy seriously. It’s all about making sure your data is handled right. As we get closer to the start date, it’ll be interesting to see how things unfold and what changes might come next. Stay tuned!
Noa Kahalon
Noa is a certified CIPM, CIPP/E, and a Fellow of Information Privacy (FIP) from the IAPP. Her background consists of marketing, project management, operations, and law. She is the co-founder and COO of hoggo, an AI-driven Digital Governance platform that allows legal and compliance teams to connect, monitor, and automate digital governance across all business workflows.