Delaware Department of Justice
Attorney General
Kathy Jennings

Fraud & Consumer Protection Division



Frequently Asked Questions


The DPDP Act takes effect on January 1, 2025.
The DPDP Act gives Delaware residents important rights over their personal data and establishes responsibilities and privacy protection standards for businesses collecting and storing that data.

These rights fall into four general principles: Transparency, Data Minimization, Security, and Accountability.

The law applies to Delawareans acting in an individual or household context, such as browsing the Internet or making a purchase at a store. It does not protect an individual acting in an employment context, such as applying for a job.

The DPDP Act applies to entities who conduct business in Delaware or who produce products or services targeted to Delaware residents and that, during the prior calendar year, controlled or processed the personal data of:

  • at least 35,000 consumers; or
  • 10,000 or more consumers and derived over 20% of gross revenue from the sale of personal data.

It also applies to service providers (called “processors”) that maintain or provide services involving personal data on behalf of covered businesses.

The DPDP Act provides some limited exemptions for businesses that must meet data privacy standards under another law. If you believe your regulated business may be exempt, you should contact your own legal counsel.

The DPDP Act and other laws like it impose different obligations depending on the business's relationship to the personal data that is collected.

Controllers are the entities that determine what personal data is collected and how it will be used. Specifically, a controller is defined as an individual or legal entity that, independently or jointly with others, collects and processes personal data and is responsible for responding to consumer requests about the collection and processing of personal data.

The key distinction between a controller and a processor is their decision-making authority over personal data. Under the DPDP Act, a processor may only process data at the request and under the direction of a controller. The processor is contractually bound by the controller’s instructions as to what the processor must and may do with personal data.

If a processor were to begin exercising decision-making authority with respect to the purposes and means of personal data processing, it would become a controller with respect to that processing and subject to the obligations imposed on controllers under the DPDPA.

Personal data is any information that can be linked to an identifiable individual, excluding publicly available information. Some examples of personal data include: a home address, a driver’s license or state identification number, passport information, a financial account number, login credentials, and payment card information.

What is personal data?

  • Name or nickname
  • Address
  • Email address
  • Device IDs for your computer, phone, or car
  • Precise location data
  • Unique identifier

What is sensitive personal data?

  • Racial or ethnic origin
  • Religious beliefs
  • Health information
  • Sex life and orientation
  • Transgender or nonbinary status
  • Citizenship and immigration status

Sensitive data is a subset of personal data that includes:

  • Any data revealing racial or ethnic origins, religious beliefs, mental or physical health conditions or diagnoses, sexual activity or orientation, status as transgender or nonbinary, citizenship, or immigration status;
  • Genetic or biometric data used to uniquely identify an individual;
  • Personal data of a child; or
  • Information that identifies an individual’s specific location with a defined degree of precision and accuracy (called “precise geolocation data”).

Under the DPDPA, a controller needs a consumer’s consent to process sensitive data.

Processing refers to any action a business may take with respect to personal data, including collecting, using, storing, selling, sharing, analyzing, or modifying the data.

The following entities are exempt from the DPDPA:

  • State and local governments and other governmental subdivisions and agencies
  • Financial institutions subject to the Gramm-Leach-Bliley Act (“GLBA”)
  • National securities associations registered under the Securities Exchange Act of 1934

The DPDPA also does not apply to certain types of personal data maintained in compliance with other laws, such as the GLBA, HIPAA, the Fair Credit Reporting Act, as well as personal data processed for certain specified purposes.

The DPDPA provides Delawareans the following privacy rights:

  • The right to access personal data that a controller has collected about them.
  • The right to correct inaccuracies in their personal data.
  • The right to delete their personal data, including personal data that a controller collected through third parties.
  • The right to obtain a copy of their personal data in a portable and readily usable format that allows them to transfer the data to another controller with ease.
  • The right to opt-out of:
    • the sale of their personal data;
    • the processing of personal data for the purposes of targeted advertising; and
    • profiling that may have a legal or other significant impact.

A consumer may directly contact the business—through the channel(s) described in the controller’s required privacy notice—and request that it confirm whether it processes the consumer’s personal data.

A controller’s privacy notice must clearly describe how consumers may exercise their rights under the DPDPA. Among other methods, a controller must provide an easily accessible link on its website through which consumers can opt-out of targeted advertising or the sale of their personal data. Soon, consumers will also be able to opt-out through universal opt-out mechanisms.

Universal opt-out mechanisms give consumers the ability to communicate a request to opt-out of the processing of their personal data across multiple websites at once, rather than having to make individual opt-out requests through each controller’s website. Under the DPDPA, universal opt-out mechanisms must be recognized by controllers as valid consumer requests beginning January 1, 2026.

Yes, a consumer can opt-out of the sale of personal data to third parties. A consumer can also designate a third party to opt-out on his or her behalf.

Yes. If a child’s personal data is being processed by a controller, the child’s parent or legal guardian may exercise rights on the child’s behalf. Controllers must follow all regulations concerning children’s online privacy established pursuant to the Children’s Online Privacy Protection Act (“COPPA”), including parental consent requirements. In addition, the DPDP Act requires controllers to obtain opt-in consent before selling a consumer’s personal data, or processing personal data for the purposes of targeted advertising, when the consumer is under 18 years old.

Yes, for certain specified reasons under the DPDPA. For example, a controller may deny a consumer’s request if fulfilling the request would restrict the controller’s ability to:

  • Provide a product or service specifically requested by the consumer.
  • Perform certain internal operations that reasonably align with consumer expectations.
  • Issue a product recall or repair technical errors.
  • Respond to and prevent security incidents, identity theft, and fraud.
  • Comply with federal, state, or local law.

For more exceptions, see Section 110 of the DPDP Act. 6 Del. C. § 12D-110.

Yes. The DPDP Act grants consumers the right to appeal a controller’s decision denying a consumer rights request. A controller has 45 days after receipt of an appeal to write back to the consumer, explaining any actions it has taken and its reasons for refusing the consumer’s request. If the appeal is denied, the controller must give the consumer information on how to contact the Attorney General’s office should the consumer wish to file a complaint. Delawareans can contact privacy@delaware.gov.

A consumer can request information from a controller free of charge once every 12 months. Under certain circumstances beyond the annual request, the controller may charge a reasonable administrative fee.

Among other obligations, controllers must:

  • Provide notice regarding the types of personal data the controller processes, the purpose(s) for processing, whether and why the controller shares personal data with third parties, and information about how consumers can exercise their various rights (e.g. access, deletion) over their personal data.
  • Limit collection of personal data to what is adequate, relevant, and reasonably necessary for the specific purpose(s) for which the data is processed (also known as “data minimization”).
  • Obtain consent before processing a consumer’s sensitive data.
  • Respond to requests to exercise consumer rights granted under the DPDPA.
  • Conduct assessments before processing personal data in a manner that presents a heightened risk of harm to consumers (called “Data Protection Assessments”). This includes processing personal data for the purposes of targeted advertising, sale, or profiling, and processing sensitive data.
  • Use reasonable safeguards to secure personal data.
  • Not discriminate against consumers who exercise their rights under DPDPA or process personal data in a manner that would otherwise result in unlawful discrimination.

The Attorney General has exclusive authority to enforce violations of the Act.

No, the DPDPA does not include a private cause of action.

Yes. If the Attorney General determines that a controller could remedy a violation of the DPDPA, the Attorney General must give the controller notice of the violation before initiating a lawsuit. The controller then has 60 days to remedy the violation (called “the right to cure”). If, however, the Attorney General determines that it would not be possible for the controller to remedy the violation, no such notice or remedial opportunity is required. The right to cure sunsets on December 31, 2025.

Entities or individuals that violate the DPDPA may face civil penalties of up to $10,000 per violation. In addition to civil penalties, the Attorney General can also seek injunctive relief, restitution, and/or disgorgement.

A controller determines the purpose for and means of collecting and processing personal data.​ For example, retailers like Walmart and Target are considered controllers because they collect consumer information when customers make their purchases, and then decide how that information will be used. Controllers make the primary decisions to manage, collect, and utilize data.

A processor maintains and processes consumer personal data on behalf of a controller. For example, a cloud services provider could act as a processor by storing personal data collected by a controller, as directed by that controller.

The general distinguishing factor between a processor and a controller is the entity’s autonomy and decision-making authority over data. Under the DPDP Act, a processor may only process data under the direct authorization and instruction of a controller. The DPDP Act requires a controller and processor to define their respective responsibilities and obligations in a contractually binding processing agreement.

Some entities act as both controllers and processors depending on their role, and if a processor begins to determine the purposes and means of the data processing, it becomes a controller with respect to that processing.

The DPDPA does not apply to data maintained for employment records purposes. Furthermore, the term “consumer” means a Delaware resident acting only in an individual or household context and does not include an individual acting as an employee or job applicant.

Only in specific circumstances. The DPDPA requires controllers to get affirmative consent from consumers prior to (1) collecting and processing sensitive data, (2) processing personal data for reasons other than those specified when the data was collected, or (3) selling or processing personal data for targeted advertising after a consumer has opted out of such uses. Such consent must be affirmative, freely given, specific, informed, and unambiguous. Acceptance of broad terms of service; hovering over, pausing, or otherwise interacting with content generally; and agreement obtained through deceptive webpage design are not considered consent under the DPDPA.

The Delaware Personal Data Privacy Act requires that consumer disclosures be understandable and accessible. Data controllers shall use plain, straightforward language and provide communications in the languages generally used by the business. Communications must be provided in a readable format on all devices through which consumers normally or regularly interact with the controller, including on smaller screens and through mobile applications, if applicable. In considering whether disclosures must be provided in a readable format on a specific device, controllers should consider whether the consumer receives other communications, disclosures, and notifications from the controller on that device in the normal course of business.

Notifications and disclosures must also be reasonably accessible to consumers with disabilities by following standard web accessibility guidelines and by providing information on how customers with disabilities may access the communication or request it in an alternative format.

The Delaware Personal Data Privacy Act gives Delawareans specific rights including a right of access to their personal data. The DPDPA also permits consumers to authorize an agent to act on their behalf. So, no, other third parties may not rely on the DPDPA to compel disclosure about an individual.

A controller may, however, provide information about the individual in certain circumstances provided the type of disclosure is stated in the privacy policy and the individual has not opted out of the sale of personal data.

Methods for consumers to opt-out or to make requests should consider the ways that consumers normally interact with the controller. Exclusively online companies that interact directly with consumers need only provide an email address for submitting requests. Controllers with a website or mobile app that also interact with consumers offline should have one method such as a webform on that website or app, and another method as well. Controllers with an in-person presence should consider offline methods like printed forms, in-store tablets, or telephone options. Whichever methods a controller chooses, the process must be available at any time, must be easy to execute, and must require a minimal number of steps.

The obligations of controllers under the DPDPA are the same whether the personal data is collected offline, such as in-store or over the phone, or online, such as on a website.

Two key obligations for controllers are the duty of transparency via clear and accessible privacy notices and the duty to respond to consumers who wish to exercise their rights under the DPDPA. Other obligations include: a duty to minimize unnecessary data collection and avoid secondary use, a duty of care in processing data, a duty to avoid unlawful discrimination, and a duty to obtain consent before processing sensitive data.

The DPDP Act applies to both for- and non-profit businesses. Both controllers and processors have responsibilities under the DPDPA. A controller is a person or entity who determines the purposes for and means of processing personal data. A processor is a person or entity that processes personal data on behalf of a controller. Processors must adhere to instructions of the controller and assist the controller to meet its obligations under the DPDP Act. Processors must also ensure the confidentiality of anyone processing personal data and take measures to allow for the fulfillment of consumer data requests.

It is possible that a covered entity could be both a controller and processor. In those cases, any personal data collected by the entity for which they determine and control the processing purposes would be subject to controller obligations. Any personal data they receive from a third-party and only handle as a processor would be subject to processor obligations.

Both controllers and processors are responsible for entering into a contract governing the processing relationship and for implementing appropriate measures to ensure an appropriate level of security with established allocations of responsibilities.

No. Private citizens are not entitled to file lawsuits or enforce legal rights under the DPDP Act.

The Delaware Department of Justice will engage Delaware consumers, businesses, and other stakeholders on matters related to the DPDP Act.

While the Department cannot provide legal advice, additional questions of general applicability can be asked and, if appropriate, we may post the question and response on this page.

While this law is new to Delaware, other states also have personal data protection statutes and there are experienced legal counsel who should be able to answer your questions.

If you believe you have a question of general concern or clarification, you can contact our office at privacy@delaware.gov.

Many businesses throughout the country and around the world collect and maintain personal data on Delawareans. On some occasions, Delawareans may not have even interacted with the business because the data was sold to them. If the business meets the threshold where the statute becomes applicable, the Attorney General will not hesitate to seek enforcement for violations of the statute when needed.
