Delaware Personal Data Privacy Act (2023)

 

The Delaware Personal Data Privacy Act (DPDPA), enacted in September 2023, is Delaware’s first comprehensive consumer privacy statute and one of the most expansive in the country. The law applies to a broader range of businesses than many other state privacy laws, reflecting Delaware’s role as a national corporate hub.

The DPDPA takes effect on January 1, 2025.

Delaware’s law follows the general structure of the “Virginia/Colorado model,” but introduces several important distinctions—particularly around children’s data, nonprofit organizations, and low applicability thresholds. As a result, many organizations that are exempt in other states may find themselves covered in Delaware.

 

Who Must Comply

The DPDPA applies to controllers and processors that conduct business in Delaware or target Delaware residents and meet certain data‑volume thresholds. Notably:

  • There is no revenue threshold, and
  • Nonprofits are covered, unlike in most other states

This makes Delaware’s law one of the broadest in scope.

Exemptions include:

  • HIPAA‑regulated entities and data
  • GLBA‑regulated financial institutions
  • FERPA‑covered educational data
  • Certain state agencies
  • Employment‑related data (in most contexts)

 

Consumer Rights

Delaware residents gain a comprehensive set of rights over their personal information, including:

  • Right to access personal data
  • Right to delete personal data
  • Right to correct inaccuracies
  • Right to data portability
  • Right to opt out of:
      • Targeted advertising
      • Sale of personal data
      • Profiling that produces legal or similarly significant effects

Delaware also provides enhanced protections for children and teens, including:

  • A ban on selling personal data of consumers under 18 without consent
  • A ban on targeted advertising to minors without consent

These youth‑privacy provisions are among the strongest in the United States.

 

Controller Obligations

Businesses subject to the DPDPA must implement a comprehensive privacy program that includes:

1. Transparency

Controllers must provide a clear privacy notice describing:

  • Categories of personal data collected
  • Processing purposes
  • Consumer rights and how to exercise them
  • Whether data is sold or used for targeted advertising

2. Data Minimization & Purpose Limitation

Data collection must be limited to what is reasonably necessary for disclosed purposes.

3. Security Measures

Controllers must maintain reasonable administrative, technical, and physical safeguards.

4. Sensitive Data

Processing sensitive personal data requires opt‑in consent. Sensitive data includes:

  • Precise geolocation
  • Biometric identifiers
  • Health information
  • Children’s data
  • Sexual orientation
  • Racial or ethnic origin

5. Data Protection Assessments

High‑risk processing—such as targeted advertising, profiling, or handling sensitive data—requires documented assessments.

6. Processor Contracts

Controllers must enter into binding contracts with processors governing data handling, confidentiality, and security.

 

Nonprofit Coverage

Delaware is one of the few states to include nonprofit organizations within the scope of its privacy law. Nonprofits that process significant volumes of personal data—especially those serving children or vulnerable populations—must prepare for full compliance.

 

Enforcement

  • Enforced exclusively by the Delaware Department of Justice
  • No private right of action
  • A cure period may be available during the early years of enforcement

Given Delaware’s corporate landscape, enforcement is expected to focus on transparency, children’s data, and high‑risk data practices.

 

Why the Delaware Law Matters

The DPDPA is a significant addition to the U.S. privacy landscape because it:

  • Applies to more organizations than most state privacy laws
  • Includes nonprofits, a rare and impactful feature
  • Provides strong protections for minors, including teens
  • Aligns with the dominant U.S. privacy‑law model while expanding its reach
  • Signals continued momentum toward a nationwide patchwork of state privacy frameworks

For organizations operating across multiple jurisdictions, Delaware’s law requires careful attention—particularly for nonprofits, mid‑sized businesses, and companies that process children’s data.