The Delaware Personal Data Privacy Act (DPDPA) is Delaware's comprehensive consumer privacy law, effective January 1, 2025. It gives Delaware residents rights over their personal data and applies to qualifying businesses at some of the lowest thresholds in the US.
This guide covers who must comply, consumer rights, the universal opt-out deadline, business obligations, and DOJ enforcement. It closes with how Consently supports the opt-out side of compliance.
What Is the Delaware Personal Data Privacy Act (DPDPA)?
The Delaware Personal Data Privacy Act is a Delaware state law that creates personal-data rights for Delaware consumers. It also sets compliance duties for the businesses that collect their data. Governor John Carney signed it into law on September 11, 2023, as House Bill 154, and it took effect January 1, 2025.
Delaware was the seventh state to enact a comprehensive consumer privacy law in 2023 alone, joining Indiana, Iowa, Montana, Oregon, Tennessee, and Texas. The DPDPA sits inside a broader wave of US state privacy laws that followed California's lead. It shares the same controller-and-processor structure used across most of that wave and the EU's data privacy laws.
A "comprehensive" privacy law covers the full lifecycle of personal data: collection, use, sale, and deletion. It does not regulate a single sector like health or finance. The DPDPA follows that model, and its distinguishing feature is how few consumers a business needs to touch before the law applies.
Who Must Comply with the DPDPA?
A business must comply with the DPDPA if it conducts business in Delaware or targets Delaware residents, and meets one of two consumer-data thresholds. There is no minimum revenue floor, so a relatively small business can be covered.
A business is covered if it, during the preceding calendar year:
- Controlled or processed the personal data of at least 35,000 consumers, excluding data processed solely to complete a payment transaction
- Controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of its gross revenue from selling personal data
The low applicability thresholds
The DPDPA's 35,000-consumer threshold is among the lowest of any US state privacy law.
- 35,000 consumers, excluding payment-only data. Peer states set this far higher: Colorado, Virginia, Indiana, and Connecticut all use 100,000.
- 10,000 consumers plus more than 20% of gross revenue from data sales. Connecticut's equivalent revenue prong is 25%. Virginia's is 50%, both higher bars than Delaware's 20%.
Delaware sets no minimum annual revenue threshold at all. A small business with no meaningful revenue can still trigger DPDPA compliance duties purely by touching 35,000 Delawareans' data.
These thresholds may soon drop even lower. House Bill 380 is a pending 2026 amendment, not yet law. It passed the Delaware House 30 to 9 on May 21, 2026, and now sits in the Senate.
HB 380 would cut the thresholds to 10,000 consumers, or 5,000 consumers plus 20% of revenue from data sales. It would also extend direct obligations to third-party vendors and data brokers regardless of size. If signed, the changes take effect January 1, 2027.
Nonprofits and higher education are covered
Most nonprofits and public universities must comply with the DPDPA, a broader reach than many peer state laws.
The law exempts state and local government entities, except institutions of higher education, so public universities in Delaware are covered. It also exempts Gramm-Leach-Bliley Act financial institutions and national securities or futures associations at the entity level.
Nonprofits get only two narrow carve-outs. The first exempts organizations dedicated exclusively to preventing or addressing insurance crime. The second exempts data nonprofits collect about victims or witnesses of child abuse, domestic violence, human trafficking, sexual assault, a violent felony, or stalking. Every other nonprofit operating in Delaware is covered from the law's effective date.
The DPDPA also has no HIPAA entity-level exemption. Most peer state privacy laws exempt HIPAA-covered entities and business associates outright. Delaware only exempts specific categories of health data itself, not the organizations that hold it.
What Rights Does the DPDPA Give Delaware Consumers?
Delaware consumers get six core rights under the DPDPA, including one that goes further than most peer state laws.
- Confirm and access: confirm whether a controller is processing their personal data and access that data
- Correct: fix inaccuracies in their personal data
- Delete: delete personal data a controller collected directly or obtained through third parties
- Portability: obtain a copy of their personal data in a portable, readily usable format
- Opt out: opt out of the sale of personal data, processing for targeted advertising, and profiling that produces legal or similarly significant effects
- Third-party categories list: obtain a list of the categories of third parties the controller disclosed that specific consumer's personal data to
That last right is unusually granular. Most state privacy laws only require a controller to disclose the categories of third parties it shares data with in general. The DPDPA ties the disclosure to the individual consumer making the request. Oregon's law provides a similar right, but few other states do.
Controllers must also give consumers a way to appeal a denied rights request. They must respond to that appeal within 60 days, and if they deny it again, provide a way to contact the Delaware Department of Justice.
Opt-Out Rights and the Universal Opt-Out Signal
Delaware consumers can opt out of data sales and targeted advertising through a clear website link today. From January 1, 2026, controllers must also honor a universal opt-out signal sent automatically by the consumer's browser.
A universal opt-out mechanism, sometimes called an opt-out preference signal, is a browser or extension setting. It broadcasts a consumer's opt-out choice to every site it visits, without the consumer clicking an individual link on each one. Global Privacy Control (GPC) is the best-known example.
By no later than January 1, 2026, DPDPA-covered controllers must treat a valid signal the same as a manual opt-out request.
What Businesses Must Do to Comply
Covered businesses have to build both a public-facing notice and internal processing controls, since a single missing piece breaks compliance on either side.
- Publish a clear, accessible privacy notice covering the categories of data collected, the purpose, and how consumers exercise their rights
- Disclose the categories of data shared with third parties and the categories of those third parties
- Honor consumer rights requests within 45 days, with a working appeal process for denials
- Get opt-in consent before processing sensitive data, including for a known child's data
- Get verifiable parental consent before processing any personal data for a consumer under 13
- Get consent for consumers 13 to 17 before selling their data or using it for targeted advertising
- Apply data minimization: collect only what is reasonably necessary for the disclosed purpose
- Maintain reasonable administrative, technical, and physical security measures
- Conduct a data protection assessment for heightened-risk processing once the controller processes 100,000 or more consumers' data, for activity on or after July 1, 2025
- Enter a binding processor contract for any data handled by a vendor on the controller's behalf
Sensitive data under the DPDPA covers race or ethnic origin, religion, and mental or physical health conditions. It also covers sex life or sexual orientation, transgender or nonbinary status, and citizenship or immigration status. Genetic or biometric data, a known child's personal data, and precise geolocation round out the category.
Processing any of it requires the consumer's opt-in consent first, not an after-the-fact opt-out.
How Is the DPDPA Enforced, and What Are the Penalties?
The Delaware Department of Justice has exclusive authority to enforce the DPDPA, and Delaware consumers cannot sue a business directly under the law.
The Consumer Protection Unit, under the Attorney General, brings violations under Delaware's Consumer Fraud Act. Willful violations carry civil penalties of up to $10,000 per violation, plus the possibility of injunctive relief, restitution, and disgorgement.
A 60-day right to cure applied through December 31, 2025. Before suing, the Attorney General had to notify the controller of a violation and give it 60 days to fix it. That mandatory cure period sunset on that date.
From January 1, 2026 onward, the Attorney General can pursue violations directly. Offering a controller the chance to cure first is now discretionary, not required. Delaware DPDPA enforcement is fully live, with no automatic grace period standing between a violation and a penalty.
How Does the DPDPA Differ from CCPA and GDPR?
The DPDPA sits closer to the CCPA's opt-out model than the GDPR's opt-in model, but its consumer-count threshold is far lower than either.
| Law | Who it covers | Consent model | Universal opt-out | Enforcement |
|---|---|---|---|---|
| DPDPA (Delaware) | 35,000+ consumers, or 10,000+ with 20%+ revenue from data sales; no revenue floor | Opt-out for sale and ads; opt-in for sensitive data | Required from January 1, 2026 | Delaware DOJ only, no private right of action |
| CCPA (California) | $26.625 million+ revenue (2026 inflation-adjusted), or 100,000+ consumers' data, or 50%+ revenue from data sales | Opt-out by default | Required (Global Privacy Control) | California AG and CPPA, limited private right of action for breaches |
| GDPR (EU) | Any organization processing EU residents' data | Opt-in required before collection | Not applicable (consent-first model) | EU data protection authorities |
The DPDPA's opt-out-plus-sensitive-data-opt-in structure closely mirrors California's CCPA opt-out model, just with a much lower entry threshold. It shares almost nothing with the opt-in-by-default consent model of the GDPR. A site built to satisfy the GDPR still needs the DPDPA's separate opt-out link and universal opt-out signal handling for Delaware visitors.
For the EU-side cookie mechanics, see cookie consent under the GDPR. For the full compliance build, see how to make a website GDPR compliant.
How Consently Helps You Comply with the DPDPA
Consently supports the consumer-facing side of DPDPA compliance with a US-state opt-out banner, automatic tracker scanning, and exportable consent records.
Consently shows Delaware visitors a CCPA and US state-law opt-out banner with a built-in Do Not Sell or Share control. Automatic geotargeting displays the right banner model to the right visitor. The same account can run a GDPR opt-in banner for EU visitors alongside it, with no separate setup required.
Two features back the required disclosures. Automatic cookie and tracker scanning identifies what your site collects. Consent logs with export give a timestamped record of opt-out choices you can produce if the Delaware DOJ ever asks for proof. The privacy policy and cookie policy generators help produce the notice content the DPDPA requires.
One requirement Consently does not handle automatically: honoring a visitor's browser-level universal opt-out signal, such as Global Privacy Control. That is a separate DPDPA obligation, required from January 1, 2026, that a business must meet through its own configuration.
Consently's CCPA and US state-law opt-out solution is free to try for 14 days, no credit card required. Start your free trial to see the opt-out banner and consent logs in your own dashboard.
FAQs
What is the Delaware Personal Data Privacy Act?
The Delaware Personal Data Privacy Act is Delaware's comprehensive consumer privacy law, effective January 1, 2025. It gives Delaware residents rights over their personal data. Qualifying businesses must honor those rights at some of the lowest applicability thresholds in the US.
When did the Delaware Personal Data Privacy Act take effect?
Governor John Carney signed the DPDPA into law on September 11, 2023, as House Bill 154. It took effect January 1, 2025, and its universal opt-out signal requirement was added on top, effective January 1, 2026.
Does the DPDPA apply to small businesses?
Yes, potentially. The DPDPA sets no minimum revenue threshold, so a small business can still be covered. What matters is the consumer-data test: 35,000 or more consumers' data, or 10,000 or more consumers' data plus over 20% of revenue from sales.
Is there a private right of action under the DPDPA?
No. Only the Delaware Department of Justice can enforce the DPDPA. Delaware consumers cannot sue a business directly for a violation of the law.
What is sensitive data under the DPDPA?
Sensitive data includes race or ethnicity, religion, and health conditions. It also includes sexual orientation, transgender or nonbinary status, citizenship or immigration status, genetic or biometric data, a known child's data, and precise geolocation. A business needs the consumer's opt-in consent before processing any of it.
Does the DPDPA require a cookie banner?
The DPDPA does not name "cookie banners" specifically. Honoring opt-out requests, recognizing universal opt-out signals, and getting opt-in consent for sensitive data make a consent banner the practical way most sites comply.

