Delaware Personal Data Privacy Act (DPDPA)

The United States does not have a federal data privacy law, though it does have the new EU-U.S. Data Privacy Framework adequacy agreement with the European Union.

Each state is passing data privacy laws separately. California was the first one to pass a comprehensive data privacy law in 2018, which came into force in 2020. The Delaware Personal Data Privacy Act (DPDPA) is the twelfth comprehensive privacy law passed to date, which was signed into law on September 11, 2023.

The Delaware Personal Data Privacy Act goes into effect on January 1, 2025.

What Is the Delaware Personal Data Privacy Act?

The Delaware Personal Data Privacy Act protects the privacy rights of residents of Delaware and establishes data privacy responsibilities for companies operating in the state or offering goods or services for Delaware residents.

Like other US states, Delaware defines a consumer as a resident or person living in the state and acting in an individual or household context and not in a commercial or employment context.

The law establishes data privacy responsibilities for companies conducting business in the state or providing goods and services targeted to Delaware residents.

DPDPA is one of the more consumer-friendly state-level data privacy laws.

Parents or legal guardians of children can exercise the rights of children under the age of 13. Since children’s data is considered sensitive by default, user consent is required to collect and process children’s data.

opt-out consent model

Like other US data privacy laws, the DPDPA uses an opt-out model for user consent, which means that data controllers can collect personal data without prior consumer consent in most cases.

However, consumers have the right to opt out of data collection and use for sale, targeted advertising, or profiling “in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer”. Consumers should exercise this right easily. The law says that controllers must provide “a clear and conspicuous link on the controller’s Internet web site to an Internet web page that enables a consumer, or an agent of the consumer, to opt out of the targeted advertising or the sale of the consumer’s personal data.”

Key definitions of the DPDPA

A Consumer is an individual who is a resident of the state of Delaware. It does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit organization, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit organization, or government agency.

A Controller is defined under the law as “a person that, alone or jointly with others, determines the purpose and means of processing personal data”.

A Processor is a person who processes personal data on behalf of a controller.

Personal data is any information that’s linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information.

Sensitive data is personal data that includes any of the following:

• racial or ethnic origin
• religious beliefs
• mental or physical health condition or diagnosis (including pregnancy)
• sex life or sexual orientation, including status as transgender or nonbinary
• national origin
• citizenship or immigration status
• genetic or biometric data
• personal data of a known child
• precise geolocation data.

Data processing is any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

The sale of personal data is “the exchange of personal data for monetary or other valuable consideration by the controller to a third party”.

Exclusions to the definition of sale include disclosures of personal data:

• The disclosure of personal data to a processor that processes the personal data on behalf of the controller was limited to the purpose of such processing.
• The disclosure of personal data to a third party for purposes of providing a product or service affirmatively requested by the consumer.
• The disclosure or transfer of personal data to an affiliate of the controller.
• The disclosure of personal data is where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party.
• The disclosure of personal data that the consumer intentionally made available to the general public via a channel of mass media and is not restricted to a specific audience.
• The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other similar transaction in which the third party assumes control of all or part of the controller’s assets, or a proposed merger, acquisition, bankruptcy, or other similar transaction in which the third party assumes control of all or part of the controller’s assets.

Targeted advertising is “displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated Internet websites or online applications to predict such consumer’s preferences or interests”.

Targeted advertising does not include:

• Advertisements based on activities within a controller’s own Internet websites or online applications.
• Advertisements based on the context of a consumer’s current search query, visit to an Internet website, or online application.
• Advertisements directed to a consumer in direct response to the consumer’s request for information or feedback.
• Processing personal data solely to measure or report advertising frequency, performance, or reach.

Consumers’ Rights Under the Delaware Personal Data Privacy Act

Delaware consumers have the following rights:

• Right to access. Consumers have the right to confirm whether the controller is processing the consumer’s personal information and access to that information. There is an exception if access would reveal a trade secret.
• Right to disclosure. Consumers have the right to get a list of the categories of third parties to which the controller has disclosed the consumer’s personal data, if any.
• Right to correction. Consumers have the right to correct any inaccurate or outdated information the controller has that was provided by the consumer.
• Right to delete. Consumers have the right to delete any personal data provided by or obtained about the consumer (with some exceptions).
• Right to data portability. Consumers have the right to obtain a copy of their data collected in a portable and readily usable format (with some exceptions).
• Right not to be discriminated against. Data controllers cannot unlawfully discriminate against consumers, including for exercising their rights, if consumers do not provide their data.
• Right to opt out. Consumers have the right to opt out of the sale of personal data, targeted advertising, or profiling.
• Consumers can designate an authorized agent to opt-out of personal data processing for them.
  The DPDPA also includes a requirement for controllers to recognize the universal opt-out signal, which will come into effect a year after the law comes into effect.

Controller Duties Under the Delaware Personal Data Privacy Act

The DPDPA requires controllers to follow several restrictions regarding consumers’ data.

Requirements for Processing Personal Data

The DPDPA sets up the following duties for processing personal data:

1. Limitation of data usage. The DPDPA requires controllers to limit the collection of personal data to what is “adequate, relevant, and reasonably necessary based on the purpose disclosed to the consumer, and to not process it if otherwise”.  
2. Data security and privacy. Controllers must implement adequate safety and security means to protect the personal data of consumers.

Consent requirements

Even if the DPDPA uses opt out consent model, opt-in consent is required for sensitive data and children’s data.

Controllers must gain opt-in consent to process sensitive data or data of a known child.

According to the DPDPA, user consent must be:

• Affirmative.
• Freely given.
• Specific.
• Informed.
• Unambiguous.

Entities must use a written statement or other electronic means to record affirmative action.

The consent request cannot include broad terms of use or similar documents alongside the data processing details.

The Delaware data privacy law also does not allow using dark patterns to get user consent, including, hovering over, muting, pausing, or closing a piece of content are not signifiers of consent.

Privacy notice requirements

Controllers must provide consumers with a privacy notice that is “accessible, clear, and meaningful”. The privacy notice must include the following information:

• Controller’s data processing operations and purposes.
• Categories of personal data collected and processed.
• Categories of personal data shared with third parties, if any.
• categories of third parties.
• Means for consumers to exercise their data privacy rights.
• Means for consumers to appeal a controller’s decision.
• A “secure and reliable” digital mode of contact for the controller, like an email address or phone.
• A “clear and conspicuous disclosure” if the controller sells personal data or uses it for targeted purposes.

Processors are obliged to help controllers to comply with the DPDPA and be in a contract that describes data processing procedures.

Global Privacy Control

Under the DPDPA, consumers can designate a “browser setting, browser extension, or global device setting” to provide opting out of certain types of processing.

Controllers must set their websites up to respond adequately to Global Privacy Controls (GPC) and other universal opt-out mechanisms by January 1, 2026.

The DPDPA and Data Protection Assessments

Some state-level privacy rights require us to perform Data Protection Assessments, including California, Colorado, Connecticut, Tennessee, Texas, Indiana, Montana, Oregon, and Virginia, while others don’t. Delaware requires Data Protection Assessments.

If an entity controls or processes data of at least 100,000 consumers, the entity must conduct a data protection assessment for any activity with a heightened risk of harm to a consumer. These activities comprise: 

• Targeted advertising.
• Sell of personal data. 
• Processing sensitive data.
• Dara profiling if there’s a risk of:
  Unfair or deceptive treatment to consumers. 
  Financial, physical, or reputational injury. 
  Intrusion upon the solitude or seclusion of a consumer (if the intrusion would be offensive to a reasonable person).

Who Must Comply with the Delaware Personal Data Privacy Act?

Delaware Personal Data Privacy Act applies to any entity that does business in the state or produces products or services that are targeted to Delaware residents and that, during the previous calendar year, met one of the following conditions: 

1. Controlled or processed the personal data of 35,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction. 
2. Controlled or processed the personal data of 10,000 consumers or more and derived more than 20 percent of their gross revenue from the sale of personal data.

Note, that the DPDPA does not have a revenue threshold for companies to be subject to the law. In addition, the 35,000-consumer threshold is the lowest in the US among data privacy laws so far. This means the DPDPA will apply to many small and medium-sized companies, differently from other US privacy laws, that target mostly big companies.  

DPDPA exemptions 

Like other laws, the DPDPA exempts certain institutions from complying with the DPDPA, including:

• Governmental agencies, including regulatory, administrative, legislative or judicial bodies.
• Public health organizations.
• Financial institutions, entities, and affiliates subject to the GLBA.
• Press, wire, or other information service, including non-commercial activities of media entities.
• Victims or witnesses of criminal activities.

The following exemptions to the Delaware Personal Data Privacy Act are in most cases the same as other US data privacy regulations, submitting to existing federal laws, including:

• Health Insurance Portability and Accountability Act (HIPAA).
• Gramm-Leach-Bliley Act (GLBA).
• Fair Credit Reporting Act (FCRA).
• Driver’s Privacy Protection Act.
• Family Educational Rights and Privacy Act (FERPA).
• Farm Credit Act.
• Airline Deregulation Act.

Enforcement of the Delaware Personal Data Privacy Act

Department of Justice (DOJ) has the exclusive authority to enforce the Delaware Personal Data Privacy Act.

Like other state laws, consumers do not have a private right of action.

In the case of a suspected violation of the law, the Department of Justice will inform the controller about the violation and will give a possibility to cure the violation. The cure provision is 60 days. It is meant to help businesses transition to the law and implement means to protect consumer privacy.

However, the default cure period ends on December 31, 2025.

After this date, the Department of Justice will consider the following details to determine whether the controller will get a cure period or not:

• The number of violations.
• The size and complexity of the controller or processor.
• The nature and extent of their processing activities.
• The likelihood of injury to the public.
• The safety of the persons or property.
• If a human or technical error likely caused the alleged violation.
• The extent to which the controller or processor violated similar laws in the past.

If businesses fail to cure the violation, the penalty for violating the law could be up to $10,000 per violation.   

How to Comply with the Delaware Personal Data Privacy Act?

Many Delaware businesses that operate in multiple states will need to ensure they understand the DPDPA and other state-level data privacy laws and their requirements for protecting consumer data.

The most reliable way to comply with the DPDPA and other privacy laws is by using a Consent Management Platform (CMP).

CookieScript CMP is the CMP, that was recently ranked as the best CMP on G2. It has the following functionalities:

• geo-targeting. You can specifically target the consumers of Florida with the geo-targeting functionality.
• Google-certified CMP. CookieScript is a Google-certified CMP partner and comes with a full IAB TCF v2.2 integration.
• Supports Google Consent Mode v2. If you want to use Google services (GA4, Google Ads, gtag, and Google Tag Manager) in the EU or EEA, you need to use a Google-certified CMP.
• Local Storage and Session Storage scanning and blocking. GDPR and other privacy laws require blocking of cookies, Local Storage and Session Storage until user consent is given. However, majority of CMPs do not offer this functionality. CookieScript blocks both Local Storage and Session Storage.
  
• Multiple integrations. CookieScript CMP integrates easily with Google services automatically via Google Tag Manager, so you could use Google advertisement products easily. The CookieScript CMP is also integrated with other platforms, including content management systems such as Drupal, Magento, Shopify, WordPress, PrestaShop, etc., and analytics platforms, including Google Analytics 4.
• Fully customizable. CookieScript CMP allows Cookie Banner behavior adjustments, and design customization, and has a self-hosted code option.
• Supports the Global Privacy Control signal.

Frequently Asked Questions

What Is the Delaware Personal Data Privacy Act?

The Delaware Personal Data Privacy Act protects the privacy rights of residents of Delaware and establishes data privacy responsibilities for companies operating in the state or offering goods or services for Delaware residents. Use CookieScript CMP to create a Cookie Banner, get user consent, and comply with the DPDPA.

Is user consent required to collect personal data in Delaware?

The Delaware Personal Data Privacy Act uses an opt-out model for user consent, which means that data controllers can collect personal data without prior consumer consent in most cases. However, user consent is required to collect or process sensitive personal data or data from a known child. In addition, consumers have the right to opt out of data collection and use for sale, targeted advertising, or profiling. Use CookieScript CMP to create a cookie banner, get user consent, and comply with the DPDPA.

Does the Delaware data privacy law respect the Global Privacy Controls signal?

Under the DPDPA, consumers can designate a browser setting, browser extension, or global device setting to provide opting out of certain types of processing. From January 1, 2026, controllers must set their websites up to respond adequately to Global Privacy Contro (GPC) and other universal opt-out mechanisms. Use CookieScript CMP to create a cookie banner that respects the Global Privacy Control signal. 

Who must comply with the Delaware Personal Data Privacy Act?

Delaware Personal Data Privacy Act applies to any entity that does business in the state or produces products or services that are targeted to Delaware residents and, during the last year, met one of the following conditions: controlled or processed the personal data of 35,000 consumers or more, or controlled or processed the personal data of 10,000 consumers or more and derived more than 20 percent of their gross revenue from the sale of personal data. Use CookieScript CMP to comply with the DPDPA.

How to Comply with the Delaware Personal Data Privacy Act?

The most reliable way to comply with the DPDPA and other privacy laws is by using a Consent Management Platform (CMP). CookieScript CMP is the CMP, that was recently ranked as the best CMP on G2. It has all functionalities that you would need, including geo-targeting, cookie banner customization, multiple integrations, is a Google-certified CMP, and supports Google Consent Mode v2.

What is the Delaware Personal Data Privacy Act’s effective date? 

The Delaware Personal Data Privacy Act (DPDPA) comes into effect on January 1, 2025. Use CookieScript CMP to comply with the DPDPA.