Delaware Privacy Law Overview
Delaware's privacy law took effect January 1, 2025. With thresholds as low as 35,000 consumers and few of the blanket exemptions found in other states, it reaches a wide range of organizations, including many nonprofits and smaller businesses that serve Delaware residents.
The Delaware Personal Data Privacy Act (DPDPA)
Delaware's law provides comprehensive consumer rights with opt-in consent for sensitive data and recognition of universal opt-out signals from January 1, 2026. Its low thresholds and narrow exemptions — including coverage of many nonprofits — make it one of the broader-reaching state privacy laws despite Delaware's small population.
DPDPA: Quick Overview
- Effective Date: January 1, 2025
- Citation: Del. Code tit. 6, ch. 12D
- Enforced By: Delaware Department of Justice
- Maximum Penalty: Up to $10,000 per violation
- Private Right of Action: No (enforcement by the state only)
- Right to Cure: 60 days (expired December 31, 2025)
Who Must Comply
The DPDPA applies to businesses that meet Delaware's applicability thresholds:
- Controls or processes the personal data of 35,000+ Delaware consumers per year, or
- Processes data of 10,000+ consumers and derives more than 20% of gross revenue from selling personal data
What makes Delaware different: Low thresholds and few exemptions — including coverage of many nonprofits — give Delaware's law unusually broad reach.
Consumer Rights Under the DPDPA
Delaware residents can exercise the following rights over their personal data:
- Right to access / confirm what data is held
- Right to correct inaccurate data
- Right to delete personal data
- Right to data portability
- Right to opt out of targeted advertising
- Right to opt out of the sale of personal data
- Right to opt out of profiling for significant decisions
Sensitive personal data: Businesses must obtain opt-in consent before processing sensitive data (such as health, biometric, precise-geolocation, or demographic data).
Data Breach Notification in Delaware
Delaware requires notice to affected residents within 60 days and to the Department of Justice when a breach affects more than 500 residents.
- Deadline to notify residents: Without unreasonable delay, no later than 60 days after discovery
- Attorney General notice: Notify the Delaware Department of Justice if more than 500 residents are affected
- Covered data: Name combined with sensitive identifiers (SSN, driver's license, financial-account or medical information, and more)
Federal Privacy Laws That Apply in Delaware
Even where Delaware law is silent, residents and businesses are covered by federal privacy statutes:
- HIPAA — health information held by providers, plans and their vendors
- GLBA — privacy and safeguards rules for financial institutions
- FERPA — student education records
- FCRA — consumer reporting agencies and background screening
- COPPA — online collection of data from children under 13
- FTC Act §5 — unfair or deceptive privacy and data-security practices
Delaware Privacy Law FAQ
Why does Delaware's privacy law reach so many businesses?
Who enforces the Delaware Personal Data Privacy Act?
How a Delaware Privacy Attorney Can Help
For Businesses
- Build and audit a privacy compliance program
- Draft privacy policies, notices and vendor contracts
- Respond to consumer rights requests
- Manage data-breach response and notification
- Defend regulatory investigations and enforcement
For Consumers
- Enforce your privacy rights against non-compliant businesses
- Pursue or join data-breach litigation
- File complaints with the Delaware Department of Justice
- Seek damages for identity theft and fraud
- Stop unlawful data sales and unwanted marketing
Need a Delaware Privacy Attorney?
Whether you are a business working toward compliance or a Delaware resident whose privacy has been violated, our network of Delaware-licensed attorneys can help.
Find a Delaware Privacy Attorney