Delaware's Privacy Law Stands Out Among US State Frameworks
The Delaware Personal Data Privacy Act (DPDPA), signed into law as HB 154 in September 2023, took effect on 1 January 2025. Delaware became the twelfth US state to enact a comprehensive consumer privacy statute, but its version carries broader reach than many of its predecessors.
Most US state privacy laws include a revenue threshold or exempt small businesses. The DPDPA does not. If your website processes the personal data of at least 35,000 Delaware residents, the law applies regardless of your annual revenue. A second applicability trigger covers controllers that process the data of at least 10,000 Delaware residents and derive more than 20 per cent of gross revenue from selling personal data.
Given that more than 1.8 million legal entities are incorporated in Delaware, the practical impact is wide.
Who Must Comply with the DPDPA
The DPDPA applies to persons that conduct business in Delaware or produce products or services targeted at Delaware residents, provided they meet one of the two processing thresholds above. The law does not require the controller to have a physical presence in the state.
Several entity types are exempt. State and local government bodies, financial institutions already governed by the Gramm-Leach-Bliley Act, entities subject to HIPAA, registered nonprofits, higher education institutions, and public utilities fall outside the scope. Data regulated under specific federal frameworks - such as FCRA data, HIPAA-protected health information, and FERPA student records - is also excluded at the data level.
The absence of a revenue threshold is significant. Under laws like the Utah Consumer Privacy Act, only businesses with $25 million in annual revenue need comply. Delaware removed that barrier entirely.
Consumer Rights Under the DPDPA
Delaware residents receive six core rights over their personal data:
- Right to confirm and access - verify whether a controller is processing their data, and obtain a copy
- Right to correct - fix inaccuracies in their personal data
- Right to delete - request erasure of data the controller holds
- Right to portability - receive a portable copy in a readily usable format
- Right to third-party disclosure list - obtain the categories of third parties that received their data
- Right to opt out - refuse processing for targeted advertising, data sales, or automated profiling with legal effects
Controllers must respond to consumer requests within 45 days, with one 45-day extension permitted when reasonably necessary. The right to a third-party disclosure list mirrors provisions in the Connecticut Data Privacy Act and goes beyond what most state laws require.
Universal Opt-Out Signals: The January 2026 Deadline
From 1 January 2026, controllers must recognise and honour universal opt-out mechanisms such as Global Privacy Control (GPC). A browser extension, device setting, or platform that transmits a machine-readable signal qualifies as a valid opt-out request for targeted advertising and data sales.
This requirement gives businesses a full year after the law's effective date to build the technical infrastructure. Your website must detect the Sec-GPC HTTP header or the navigator.globalPrivacyControl JavaScript property and treat an active signal as an opt-out.
If your site already honours GPC for Colorado or Connecticut compliance, extending that logic to Delaware visitors is straightforward. If not, a consent management platform with built-in GPC detection can handle signal recognition automatically.
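A sketch of the detection described above, written for this page as an added example and not taken from the statute or from any consent platform. The function names, the shape of the stored preferences, the two-letter region codes and the upstream region lookup are all assumptions.

```javascript
// Added example: function names, preference shape and region codes are assumptions.
const GPC_REGIONS = new Set(['CO', 'CT', 'DE']); // states this page names for GPC handling

// Server side: Node lowercases header names and joins repeated headers with ", ".
function hasGpcHeader(headers) {
  const raw = headers['sec-gpc'];
  if (raw === undefined || raw === null) return false;
  const values = Array.isArray(raw) ? raw : String(raw).split(',');
  // Only the value "1" expresses the preference; "0", "true" and so on are ignored.
  return values.some((v) => String(v).trim() === '1');
}

// Client side: pass `navigator` in the browser; the property is true when the signal is on.
function hasGpcProperty(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Merge a stored banner choice with the signal. An unknown region (null/undefined)
// is treated as in scope, so a failed geo lookup never drops an opt-out.
function resolvePreferences(stored, gpcActive, region) {
  const inScope = region == null || GPC_REGIONS.has(region);
  const optedOut = gpcActive && inScope;
  return {
    targetedAdvertising: optedOut ? false : Boolean(stored.targetedAdvertising),
    saleOfData: optedOut ? false : Boolean(stored.saleOfData),
    source: optedOut ? 'gpc' : 'stored',
  };
}

// Request helper: decide, then mark the response as varying on the header so a
// shared cache does not serve a tracked page to a visitor who sent the signal.
function applyGpc(req, res, stored, region) {
  const prefs = resolvePreferences(stored, hasGpcHeader(req.headers), region);
  res.setHeader('Vary', 'Sec-GPC');
  return prefs;
}
```

The signal overrides an earlier banner "accept" for targeted advertising and data sales only; other stored choices are outside what this sketch touches.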
Sensitive Data and Consent Requirements
The DPDPA requires opt-in consent before processing sensitive data. The definition of sensitive data is broad and includes:
| Category | Examples |
|---|---|
| Racial or ethnic origin | Self-reported demographic data |
| Religious beliefs | Affiliation data collected via forms |
| Health data | Mental or physical health diagnosis |
| Sexual orientation or gender identity | Including transgender or nonbinary status |
| Citizenship or immigration status | Visa or residency information |
| Precise geolocation | GPS coordinates accurate within 1,750 feet |
| Genetic or biometric data | Fingerprints, facial recognition identifiers |
| Children's data | Data from a known child under 13 (also subject to COPPA) |
Consent must be freely given, specific, informed, and unambiguous. Pre-ticked checkboxes do not qualify. If your site collects any of these data categories from Delaware residents, a clear opt-in mechanism is required before processing begins.
Data Protection Assessments
Controllers processing the data of at least 100,000 consumers (excluding payment transaction data) must conduct and document data protection assessments for certain high-risk activities. These activities include processing personal data for targeted advertising, selling personal data, profiling, and processing sensitive data.
The assessment obligation applies to activities created or generated after 1 July 2025 and is not retroactive. Each assessment must weigh the benefits of the processing against potential risks to consumer rights.
This threshold is separate from the general applicability threshold of 35,000 residents. A business might fall under the DPDPA's general requirements but remain below the assessment trigger.
How the DPDPA Compares to Other State Laws
The DPDPA follows the opt-out model used by most US states rather than the opt-in framework of the GDPR. It shares structural similarities with the Virginia VCDPA but includes several provisions that set it apart.
| Provision | Delaware (DPDPA) | Virginia (VCDPA) | Texas (TDPSA) |
|---|---|---|---|
| Revenue threshold | None | None | None |
| Processing threshold | 35,000 residents | 100,000 residents | None specified |
| Universal opt-out signals | Required (Jan 2026) | Not required | Not required |
| Third-party disclosure list | Yes | No | No |
| Cure period | 60 days (sunsets Dec 2025) | 30 days (sunset) | 30 days |
| Penalty per violation | Up to $10,000 | Up to $7,500 | Up to $7,500 |
| Private right of action | No | No | No |
The Texas TDPSA shares the lack of a revenue threshold but does not mandate universal opt-out signals. Delaware's 35,000-resident processing threshold is one of the lowest among states that use a numeric trigger.
Enforcement and Penalties
The Delaware Department of Justice holds exclusive enforcement authority. There is no private right of action, meaning individual consumers cannot sue businesses directly for violations.
Each violation may result in a civil penalty of up to $10,000. During 2025, controllers receive a 60-day cure period after receiving notice from the Attorney General, provided the AG determines the violation is curable. That cure period expires on 31 December 2025.
From 1 January 2026 onward, the Attorney General may still offer a cure opportunity but is no longer required to do so. This shift means enforcement can proceed directly to penalties without a warning period. Consumers may submit complaints to the Department of Justice at privacy@delaware.gov.
Practical Steps for Website Compliance
Start by confirming whether the DPDPA applies to your operations. Review your analytics to estimate how many Delaware residents visit your site or use your services. If you are near the 35,000 threshold, treat compliance as a priority.
Update your cookie banner and privacy notice to reflect Delaware-specific rights, including the right to a third-party disclosure list. Your privacy policy must also include a mechanism for consumers to file complaints with the Delaware Department of Justice.
Implement GPC signal detection before 1 January 2026. If your consent management platform supports GPC recognition, enable it for Delaware visitors. Test the implementation using browser extensions that send the Sec-GPC header.
Audit your data processing activities. Identify whether you process sensitive data from Delaware residents and, if so, ensure opt-in consent is collected before that processing begins. A cookie audit can reveal tracking scripts that collect data categories qualifying as sensitive under the DPDPA.
Frequently Asked Questions
Does the Delaware DPDPA apply to small businesses?
The DPDPA has no revenue threshold. Any business that processes the personal data of at least 35,000 Delaware residents, or 10,000 residents while deriving over 20 per cent of gross revenue from data sales, must comply regardless of size.
When must websites start honouring Global Privacy Control under Delaware law?
Controllers must recognise and honour universal opt-out mechanisms, including GPC, from 1 January 2026. The one-year delay from the law's effective date gives businesses time to implement the technical infrastructure.
What is the penalty for violating the DPDPA?
The Delaware Department of Justice can impose civil penalties of up to $10,000 per violation. From 2026 onward, there is no guaranteed cure period before enforcement action.
Does the DPDPA require opt-in consent for cookies?
The DPDPA follows an opt-out model for general personal data processing, including most cookie-based tracking. Opt-in consent is required only for sensitive data categories such as precise geolocation, health data, and biometric identifiers.
Can consumers sue businesses for DPDPA violations?
No. The DPDPA does not include a private right of action. Only the Delaware Department of Justice can enforce the law and pursue penalties against violators.
How does the DPDPA differ from the CCPA?
The CCPA applies based on revenue ($25 million), household count, or data sale revenue percentage. The DPDPA uses resident-count thresholds only and has no revenue floor. The CCPA also grants a limited private right of action for data breaches, which the DPDPA does not.