Delaware is officially the latest US state to pass a data protection law.
The Delaware Personal Data Privacy Act, officially House Bill 154, was signed into law after passing the state house and senate this summer.
In this guide, you’ll learn if the DPDPA impacts your business, what rights it grants to consumers, and how it compares to all other current U.S. data privacy laws.
- What Is the Delaware Personal Data Privacy Act (DPDPA)?
- DPDPA Key Terms and Definitions
- What Does the Delaware Personal Data Privacy Act Cover?
- Requirements of the DPDPA
- Delaware’s Data Privacy Law vs. Other States: Similarities and Differences
- How Will Consumers Be Impacted by the DPDPA?
- How Will Businesses Be Impacted by the DPDPA?
- Who Must Comply With Delaware’s New Data Privacy Law?
- How Can Businesses Prepare for the DPDPA?
- How Will the DPDPA Be Enforced?
- Fines and Penalties Under the Delaware Personal Data Privacy Act
- How Will Termly Help With DPDPA Compliance?
- Are There Other Privacy Related Laws in Delaware?
What Is the Delaware Personal Data Privacy Act (DPDPA)?
The Delaware Personal Data Privacy Act (DPDPA) is a data privacy law covering the U.S. state of Delaware.
It describes the rights and options consumers have over their personal information and outlines requirements entities must follow to legally collect, process, and use that information.
Additionally, it explains who has the authority to enforce the law and seek penalties should anyone violate it.
It is Delaware’s first comprehensive consumer data privacy and protection law.
DPDPA Effective Date
Because the governor signed the Delaware Personal Data Privacy Act before January 1, 2024, it is scheduled to take effect on January 1, 2025.
Covered entities must prepare for the requirements of Delaware’s new data privacy law by then.
DPDPA Key Terms and Definitions
The Delaware Personal Data Privacy Act introduces several key terms you must understand to comply with its various requirements properly.
Below is a compiled list of those terms and their definitions exactly as they appear in the text of the DPDPA:
Consent: A clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. “Consent” may include a written statement, including by electronic means, or any other unambiguous affirmative action.
It does not include any of the following:
- (a.) Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;
- (b.) Hovering over, muting, pausing, or closing a given piece of content;
- (c.) Agreement obtained through the use of dark patterns.
Consumer: An individual who is a resident of this State.
- It does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit organization, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit organization, or government agency.
Controller: A person who, alone or jointly with others, determines the purpose and means of processing personal data.
Personal data: Any information that is linked or reasonably linkable to an identified or identifiable individual. It does not include de-identified data or publicly available information.
Processing: Any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
Processor: A person who processes personal data on behalf of a controller.
Sale of personal data: The exchange of personal data for monetary or other valuable consideration by the controller to a third party.
It does not include any of the following:
- (a.) The disclosure of personal data to a processor that processes the personal data on behalf of the controller, where the disclosure is limited to the purpose of such processing;
- (b.) The disclosure of personal data to a third party for purposes of providing a product or service affirmatively requested by the consumer;
- (c.) The disclosure or transfer of personal data to an affiliate of the controller;
- (d.) The disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party;
- (e.) The disclosure of personal data that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience;
- (f.) The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other similar transaction in which the third party assumes control of all or part of the controller’s assets, or a proposed merger, acquisition, bankruptcy, or other similar transaction in which the third party assumes control of all or part of the controller’s assets.
Sensitive data: Personal data that includes any of the following:
- (a.) Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, citizenship status, or immigration status;
- (b.) Genetic or biometric data;
- (c.) Personal data of a known child;
- (d.) Precise geolocation data.
Targeted advertising: Displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated Internet websites or online applications to predict such consumer’s preferences or interests.
It does not include any of the following:
- (a.) Advertisements based on activities within a controller’s own Internet websites or online applications;
- (b.) Advertisements based on the context of a consumer’s current search query, visit to an Internet website, or online application;
- (c.) Advertisements directed to a consumer in direct response to the consumer’s request for information or feedback; or
- (d.) Processing personal data solely to measure or report advertising frequency, performance, or reach.
What Does the Delaware Personal Data Privacy Act Cover?
As it’s currently written, the DPDPA covers the personal data of residents of the state of Delaware acting in a personal or household capacity.
The personal data it covers includes anything linked or reasonably linkable to an identified or identifiable person, including sensitive personal information.
Requirements of the DPDPA
The DPDPA requires entities to follow specific standards to legally collect, process, use, and share personal data.
Let’s explore those conditions in more detail.
Requirements for Processing Personal Data
Controllers under Section 12D-106 of the DPDPA must limit the collection of personal data to what is considered reasonable, adequate, and relevant to the purposes of the processing as presented to the user.
You must also establish and maintain reasonable technical, administrative, and physical security measures to protect the confidentiality and integrity of the information.
The controller must obtain consent from the consumer to collect and process data that falls beyond the scope of what is necessary.
According to the Delaware Personal Data Privacy Act, consent from a consumer must be:
- Freely given
- Specific
- Informed
- Unambiguous
Consent may take the form of a written statement, including one given by electronic means, or any other unambiguous affirmative action.
The new Delaware data privacy law also states that hovering over, muting, pausing, or closing a piece of content, as well as agreement obtained through dark patterns, do not signify consent.
Data Protection Assessments
The DPDPA requires certain entities to perform data protection assessments, as explained in Section 12D-108.
In particular, controllers that process the data of at least 100,000 consumers (excluding data processed solely for completing payment transactions) must perform and document assessments if they:
- Process personal data for targeted advertising.
- Sell personal data.
- Process data for the purposes of profiling.
- Process sensitive data.
The controller must weigh the benefits of processing consumer data against the potential risks to consumer rights.
Any safeguards in place — like using de-identified data — should also be considered.
You can use a single assessment to document multiple processing activities and to meet the requirements of another data privacy law with a similar scope.
Contractual Obligations With Third-Party Processors
The DPDPA requires a legally binding contract between a controller and any processor that handles personal data on its behalf. That contract must:
- Clearly set forth the instructions for processing data.
- Explain the nature and purpose of processing.
- List the types of data subject to processing.
- Explain the duration of the processing.
- Set forth the rights and obligations of both parties.
Additionally, the contract must require that the processor:
- Ensures each person processing the information is subject to a duty of confidentiality.
- Deletes or returns all personal data to the controller at the controller's direction or at the end of the services, unless retention is required by law.
- Makes all information in its possession available to the controller upon a reasonable request to demonstrate compliance with the DPDPA.
- Requires any subcontractors to enter into a contract with the same obligations, after giving the controller an opportunity to object to the subcontractor.
- Allows for and cooperates with reasonable assessments by the controller, their designated assessor, or a qualified independent assessor arranged by the processor.
Global Privacy Controls
Under Section 12D-105 of the DPDPA, consumers can designate a "browser setting, browser extension, or global device setting" to signal that they opt out of certain types of processing.
Controllers must configure their websites to recognize and honor Global Privacy Control (GPC) signals and other universal opt-out mechanisms (UOOMs) by January 1, 2026.
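As an added example (not code from this article or from Termly), here is how a controller's web backend could honor the GPC signal described above as an opt-out of targeted advertising and data sales. It assumes the browser sends the `Sec-GPC: 1` request header defined by the GPC specification and that stored consumer preferences use a hypothetical `{ targeted_advertising, sale }` shape.

```javascript
// Added example (not from the original article): server-side handling of the
// Global Privacy Control (GPC) signal as the opt-out of targeted advertising
// and data sales that Section 12D-105 requires controllers to honor.
// Assumptions: the browser sends the "Sec-GPC: 1" request header defined by
// the GPC specification, and stored consumer preferences use the
// hypothetical shape { targeted_advertising: bool, sale: bool }.

const OPT_OUT_SCOPES = Object.freeze(["targeted_advertising", "sale"]);

// Return true only when a Sec-GPC header carries the literal value "1".
// Header names are matched case-insensitively; "true", "yes" or an empty
// value are not valid signals and must not be treated as an opt-out.
function gpcSignalPresent(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== "sec-gpc") continue;
    const first = Array.isArray(value) ? value[0] : value;
    return String(first ?? "").trim() === "1";
  }
  return false;
}

// Combine the consumer's stored choices with the signal on this request.
// A GPC signal switches on both opt-outs; it never clears an opt-out the
// consumer recorded earlier, and without a signal the stored choices apply.
function resolveOptOuts(storedPrefs, headers) {
  const signal = gpcSignalPresent(headers);
  const result = { source: signal ? "gpc" : "stored" };
  for (const scope of OPT_OUT_SCOPES) {
    result[scope] = Boolean(storedPrefs && storedPrefs[scope]) || signal;
  }
  return result;
}

// Gate the two processing activities on the resolved opt-outs.
function mayTargetAds(storedPrefs, headers) {
  return !resolveOptOuts(storedPrefs, headers).targeted_advertising;
}
function maySellData(storedPrefs, headers) {
  return !resolveOptOuts(storedPrefs, headers).sale;
}

// Constructed sample requests; no preferences are stored for this visitor.
const sampleRequests = [
  { label: "GPC signal set", headers: { "Sec-GPC": "1", host: "shop.example" } },
  { label: "no signal", headers: { host: "shop.example" } },
  { label: "malformed signal", headers: { "sec-gpc": "true" } },
];

for (const req of sampleRequests) {
  const decision = resolveOptOuts({}, req.headers);
  console.log(`${req.label}: ads=${!decision.targeted_advertising}, sale=${!decision.sale}`);
}
```

The same check belongs on every endpoint that feeds an ad-targeting or data-sharing pipeline, not only on the page that renders the opt-out link.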
Delaware’s Data Privacy Law vs. Other States: Similarities and Differences
The DPDPA shares many similarities with the U.S. state laws that have recently been signed or are currently in action.
Those laws include the following:
- California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) — currently in force
- Colorado Privacy Act (CPA) — currently in force
- Connecticut Data Privacy Act (CTDPA) — currently in force
- Florida Digital Bill of Rights (FDBR) — effective July 1, 2024
- Indiana Consumer Data Protection Act (Indiana CDPA) — effective January 1, 2026
- Iowa Consumer Data Protection Act (Iowa CDPA) — effective January 1, 2025
- Montana Consumer Data Privacy Act (MCDPA) — effective October 1, 2024
- Oregon Data Privacy Act (ODPA) — effective July 1, 2024
- Tennessee Information Protection Act (TIPA) — effective July 1, 2024
- Texas Data Privacy and Protection Act (TDPSA) — effective July 1, 2024
- Utah Consumer Privacy Act (UCPA) — effective December 31, 2023
- Virginia Consumer Data Protection Act (VCDPA) — currently in force
In the table below, you can compare the DPDPA to all of these other U.S. state laws.
* A private right of action is granted under the CCPA only if an entity compromises or exposes a consumer’s email address in combination with a password or security question or nonencrypted and nonredacted personal information due to negligence.
How Will Consumers Be Impacted by the DPDPA?
Delaware’s new data privacy law positively impacts consumers by granting them new rights and more control over how covered entities process their personal data.
Specifically, Section 12D-104 of the DPDPA grants consumers the right to:
- Confirm if a controller is processing their personal data and access that information.
- Correct inaccuracies in their data.
- Delete the personal information provided by or obtained about the consumer.
- Obtain a portable copy of their data in a readily usable format to the extent that it’s technically feasible.
- Obtain a list of categories of third parties to which the controller discloses their data.
- Opt out of targeted advertising.
- Opt out of the sale of data (with some exceptions).
- Opt out of profiling in furtherance of solely automated decisions that produce legal (or similarly significant) effects regarding the individual.
These consumer rights are very similar to those granted by other U.S. state laws that are already in effect or have recently passed.
Who Does the DPDPA Apply To?
The Delaware Personal Data Privacy Act applies to the personal information of Delaware residents acting in a personal or household context.
However, it does not apply to people acting in a commercial or employment capacity.
It also does not apply to owners, directors, officers, or contractors of a company, partnership, sole proprietorship, nonprofit organization, or government agency whose communications with the controller occur solely within that role.
How Will Businesses Be Impacted by the DPDPA?
The DPDPA impacts businesses in several ways beyond the data protection assessments and contractual obligations previously mentioned.
For example, Section 12D-106 states that controllers must present consumers with a “reasonably accessible, clear, and meaningful” privacy notice that features all of the following:
- The categories of personal data processed
- The purpose for processing the data
- How consumers can exercise their rights and appeal the controller’s decisions regarding their requests
- The categories of personal data the controller shares with third parties, if any
- The categories of the third parties the controller shares data with, if any
- An active email address or online mechanism the consumer may use to contact the controller
- If the controller sells personal data or uses it for targeted advertising, and how the consumer can opt out of such processing activities
- One or more secure, reliable ways consumers can submit requests to exercise their rights under the DPDPA
Additionally, your privacy notice must include a link to a web page on your site where the consumer can opt out of targeted advertising and the sale of their data.
Under the law, consumers have the right to opt out of:
- Targeted advertising
- The sale of their data
- Certain kinds of profiling
Additionally, to collect sensitive personal information through internet cookies, you must obtain active opt-in consent before placing cookies on users’ browsers.
Who Must Comply With Delaware’s New Data Privacy Law?
According to Section 12D-103 of the DPDPA, you must comply with this law if you conduct business in the state or produce products or services that target Delaware residents and meet either of the following during a calendar year:
- Control or process the personal information of no less than 35,000 consumers (excluding personal information processed solely for completing payment transactions)
- Control or process the personal data of no less than 10,000 consumers and derive more than 20% of your gross annual revenue from the sale of personal data
Notably, the DPDPA's thresholds are lower than those of other U.S. state laws, so it is more likely to apply to small and medium-sized businesses.
Who Is Exempt From the DPDPA?
All of the following entities are exempt from complying with the DPDPA:
- Any regulatory, administrative, advisory, executive, appointive, legislative, or judicial body of the State or a political subdivision of the State
- Financial institutions or their affiliates that are subject to the Gramm-Leach-Bliley Act (GLBA)
- Nonprofit organizations that are exclusively dedicated to addressing and preventing insurance crimes
- National securities associations registered under the Securities Exchange Act of 1934
How Can Businesses Prepare for the DPDPA?
Covered entities should update their privacy and cookie policies to meet the DPDPA's notice obligations, and should also provide multiple ways for consumers to exercise their data privacy rights, such as implementing a consent banner and adding a Data Subject Access Request form to their site or app.
If your organization processes data from more than 100,000 consumers, plan to perform data protection assessments.
Similarly, ensure any contracts with third-party processors or controllers meet the specifications outlined by the DPDPA.
Finally, parts of this law require covered entities’ websites to honor Global Privacy Controls, so you should also prepare your platform for those obligations.
How Will the DPDPA Be Enforced?
The DPDPA gives the Department of Justice the authority to enforce the act in Section 12D-111 of the bill, unlike other U.S. state privacy laws that give enforcement power to their respective Attorneys General.
The Department of Justice provides controllers that violate the law with a 60-day cure period.
However, the cure period ends on December 31, 2025.
After this date, the Department of Justice will consider the following details to determine whether the controller will get a cure period or not:
- The number of violations
- The size and complexity of the controller or processor
- The nature and extent of their processing activities
- The likelihood of injury to the public
- The safety of persons or property
- If a human or technical error likely caused the alleged violation
- The extent to which the controller or processor violated similar laws in the past
Fines and Penalties Under the Delaware Personal Data Privacy Act
The current version of the DPDPA states that the Department of Justice can prosecute violations following Subchapter II of Chapter 25 of Title 29, a consumer protection law.
Fines and penalties may reach as high as $10,000 for each violation.
The DPDPA stipulates that consumers do not have a private right of action under this law but can file complaints with the Department of Justice.
How Will Termly Help With DPDPA Compliance?
Termly offers policy generators and a Consent Management Platform (CMP) that can help entities meet some guidelines outlined by laws and bills like the DPDPA.
Our legal team and data privacy experts vet our compliance solutions, and we update them regularly to keep up with new and changing data privacy legislation from around the globe.
See a screenshot of it below.
Additionally, we offer a Consent Management Platform that provides you with a consent banner. You can configure it to meet the opt-out requirements described by laws like the DPDPA.
See what it looks like in the screenshot below.
Are There Other Privacy Related Laws in Delaware?
The DPDPA is Delaware’s first comprehensive consumer data protection law, but other laws in the Delaware Code affect the privacy of state residents.
Notably, the Delaware Online Privacy and Protection Act (DOPPA) describes specific guidelines for entities that operate internet websites, online or cloud computing services, and online or mobile apps directed at children.
Additionally, the Student Data Privacy Protection Act (SDPPA) protects students’ personal information in the state and prevents entities from:
- Using students’ data for targeted advertising.
- Selling students’ information, except in specific circumstances.
- Creating an advertising profile of the student unless it’s for K-12 school purposes.
Now that the governor has signed the Delaware Personal Data Privacy Act, it is Delaware's comprehensive consumer privacy protection law.
To prepare for this new piece of legislation, businesses should:
- Update their cookie and privacy policies to meet notice obligations.
- Provide consumers with multiple ways to follow through on their rights, like a DSAR form and a consent banner with a preference center.
- Use adequate contracts with any third-party processors that meet the requirements described by the DPDPA.
- Perform data protection assessments, particularly if you collect personal data from 100,000 or more consumers.
- Give consumers an easy way to opt out of targeted ads, having their data sold, and certain kinds of profiling.
- Request opt-in consent from consumers to collect sensitive data or information that falls beyond the scope of what’s considered “reasonably necessary.”
Luckily, the DPDPA shares many similarities with several other U.S. state data privacy laws.