
Delaware Personal Data Privacy Act (DPDPA)

Effective Date: January 1, 2025

The Delaware Personal Data Privacy Act (DPDPA) is a comprehensive privacy law designed to protect the personal information of Delaware residents. 

This guide breaks down its major aspects, making it easier to understand what this law covers, who it applies to, and what rights it grants to consumers.

Who Does the DPDPA Apply To?

This law applies to businesses that operate in Delaware or offer products or services to Delaware residents and that meet either of the following thresholds:

  1. They process the personal data of at least 35,000 consumers (excluding data solely related to payment transactions).
  2. They process the personal data of at least 10,000 consumers and derive more than 20% of gross revenue from selling personal data.

Note: There is no revenue threshold for businesses. Certain non-profits and state entities are exempt.

What Is Sensitive Data?

Sensitive data under the DPDPA includes:

  • Personal information revealing race, ethnicity, religion, health condition, sexual orientation, gender identity, and immigration status.
  • Genetic and biometric data used for unique identification.
  • Children’s data – individuals under the age of 13.
  • Precise geolocation data that can track a person’s exact location.

Key Consumer Rights Under the DPDPA

Delaware residents are granted several rights under the DPDPA to control their personal data:

  1. Access and Confirmation: Consumers can ask if a business is processing their data and can access it, unless this would reveal trade secrets.
  2. Data Copy in a Usable Format: Individuals have the right to request a copy of their personal data in a format they can easily use or transfer to another entity.
  3. Correction of Inaccurate Data: Consumers may request corrections to inaccurate personal data.
  4. Deletion of Personal Data: Consumers can ask for their personal data to be deleted.
  5. Opt-Out Options: Consumers can opt out of the use of their data for targeted advertising, the sale of their data, and profiling.
  6. Non-Discrimination: Businesses are not allowed to treat consumers unfairly if they choose to exercise their DPDPA rights.
  7. List of Third-Party Data Sharing: Consumers can request a list of third parties with whom the business has shared their data.

How Consumers Can Exercise Their Rights

To make exercising their rights simple and secure, the DPDPA outlines specific methods and protections for Delaware consumers. Here’s how consumers can take control of their data:

Request Process – Consumers can submit requests to businesses to, among other things, access, correct, or delete their personal data. Each business covered by the DPDPA must set up a secure, reliable process for these requests, ensuring consumer privacy and security. This process, along with instructions, must be clearly explained in the business’s privacy notice, so consumers know exactly how to make their requests.

No Account Required – Consumers do not need to create an account to exercise their rights. However, if a consumer already has an account with the business, they may be asked to use that account to streamline the request process.

Authorized Agents – The DPDPA allows for flexibility in how requests are made, acknowledging that not all consumers can or will make requests on their own. For this reason, parents, legal guardians, or authorized agents can submit requests on behalf of others. This includes parents acting for their children, as well as guardians or conservators acting for those under their protection, like elderly family members or individuals with special needs.

These provisions make it straightforward for Delaware consumers to exercise their data rights, whether acting independently or through a trusted representative.

Business Responsibilities and Deadlines under the DPDPA

The DPDPA sets clear requirements and deadlines to ensure businesses handle consumer data responsibly. Key responsibilities include adhering to strict response timelines, obtaining consumer consent, and maintaining privacy and security protocols.

Response Time

Businesses have a set timeframe to respond to consumer requests under the DPDPA:

  • 45-Day Response: Businesses must respond to a consumer’s initial request within 45 days.
  • 60-Day Appeal Response: If a consumer appeals the initial response, the business must respond to the appeal within 60 days.

These deadlines help consumers receive timely information and resolutions to their requests.

Data Collection Limitations

Businesses are restricted in the data they can collect. Data collection must be limited to what is necessary and relevant for the specific purposes disclosed to consumers.

This limitation ensures that businesses only gather data essential for the purpose stated, minimizing unnecessary data collection and storage.

Consumer Consent

Obtaining consumer consent is central to DPDPA compliance:

  • Consent for New Purposes: Businesses must gain consumer consent before processing data for any purposes not necessary to or compatible with those specified in the privacy notice.
  • Consent for Sensitive Data: Consent is required for processing sensitive data, such as health, biometric, or racial information.

By mandating consent, the DPDPA provides consumers with greater control over how their sensitive information is used.

Privacy Notice Requirements

Every business must provide a clear, comprehensive privacy notice that includes, among other things:

  1. Data Types: Categories of personal data the business processes.
  2. Processing Purposes: Reasons why the data is processed.
  3. Third-Party Sharing: Any third parties with whom the data is shared.
  4. Consumer Rights: The rights available to consumers and the relevant methods for exercising them.
  5. Opt-Out Options: Methods for consumers to opt out of targeted advertising or data sales.

This privacy notice must be easily accessible to consumers, ensuring transparency in data handling practices.

Data Security

To protect consumer data, businesses must implement and maintain strong administrative, technical, and physical security measures that secure the confidentiality, integrity, and accessibility of personal data. These security requirements help prevent data breaches and unauthorized access to consumer information.

Honoring Universal Opt-Out Signals by 2026

Starting January 1, 2026, businesses must honor universal opt-out signals that consumers use to opt out of targeted advertising and data sales.

This additional option gives consumers more control over their online privacy preferences and how their data is used in marketing.

The DPDPA is a landmark step for data privacy in Delaware, giving consumers more control and transparency over their personal information. By requiring clear consent, protection measures, and response timelines, Delaware aims to create a safer and more transparent data environment.