Effective Date: January 1, 2025
The Delaware Personal Data Privacy Act (DPDPA) is a comprehensive privacy law designed to protect the personal information of Delaware residents.
This guide breaks down its major aspects, making it easier to understand what this law covers, who it applies to, and what rights it grants to consumers.
This law applies to businesses that operate in Delaware or offer products or services to Delaware residents and:
Note: There is no revenue threshold for businesses. Certain non-profits and state entities are exempt.
Sensitive data under the DPDPA includes:
Delaware residents are granted several rights under the DPDPA to control their personal data:
To make exercising their rights simple and secure, the DPDPA outlines specific methods and protections for Delaware consumers. Here’s how consumers can take control of their data:
Request Process – Consumers can submit requests to businesses to, among others, access, correct, or delete their personal data. Each business covered by the DPDPA must set up a secure, reliable process for these requests, ensuring consumer privacy and security. This process, along with instructions, must be clearly explained in the business’s privacy notice, so consumers know exactly how to make their requests.
No Account Required – Consumers do not need to create an account to exercise their rights. However, if a consumer already has an account with the business, they may be asked to use that account to streamline the request process.
Authorized Agents – The DPDPA allows for flexibility in how requests are made, acknowledging that not all consumers can or will make requests on their own. For this reason, parents, legal guardians, or authorized agents can submit requests on behalf of others. This includes parents acting for their children, as well as guardians or conservators acting for those under their protection, like elderly family members or individuals with special needs.
These provisions make it straightforward for Delaware consumers to exercise their data rights, whether acting independently or through a trusted representative.
The DPDPA sets clear requirements and deadlines to ensure businesses handle consumer data responsibly. Key responsibilities include adhering to strict response timelines, obtaining consumer consent, and maintaining privacy and security protocols.
Businesses have a set timeframe to respond to consumer requests under the DPDPA:
These deadlines help consumers receive timely information and resolutions to their requests.
Businesses are restricted in the data they can collect. Data collection must be limited to what is necessary and relevant for the specific purposes disclosed to consumers.
This limitation ensures that businesses only gather data essential for the purpose stated, minimizing unnecessary data collection and storage.
Obtaining consumer consent is central to DPDPA compliance:
By mandating consent, the DPDPA provides consumers with greater control over how their sensitive information is used.
Every business must provide a clear, comprehensive privacy notice that includes, among others:
This privacy notice must be easily accessible to consumers, ensuring transparency in data handling practices.
To protect consumer data, businesses must maintain security practices. Implement strong administrative, technical, and physical security measures to secure the confidentiality, integrity, and accessibility of personal data. These security requirements help prevent data breaches and unauthorized access to consumer information.
Starting January 1, 2026, businesses must honor consumers’ universal opt-out signals to opt out of targeted advertising and data sales.
Consumers can opt out of targeted advertising or data sales through universal opt-out signals. This additional option allows consumers more control over their online privacy preferences and how their data is used in marketing.
The DPDPA is a landmark step for data privacy in Delaware, giving consumers more control and transparency over their personal information. By requiring clear consent, protection measures, and response timelines, Delaware aims to create a safer and more transparent data environment.