Delaware Personal Data Privacy Act (DPDPA)
The twelfth consumer privacy law in the US.
What is the Delaware Personal Data Privacy Act?
The Delaware Personal Data Privacy Act (DPDPA), or HB 154, is Delaware’s data privacy law. It passed the General Assembly on June 30, 2023, was signed into law by the Governor on September 11, 2023, and took effect on January 1, 2025. With it, Delaware became the twelfth US state to enact a comprehensive consumer privacy law.
What is Personal Information and what are other key definitions?
Under the Delaware Personal Data Privacy Act (DPDPA), the statutory term is ‘personal data,’ defined as “any information that is linked or reasonably linkable to an identified or identifiable individual, and does not include de-identified data or publicly available information.” Delaware’s privacy law also defines ‘sensitive data’ as “personal data that includes any of the following: data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, citizenship status, or immigration status; genetic or biometric data; personal data of a known child; or precise geolocation data.”
‘Biometric data’ refers to “data generated by automatic measurements of an individual’s unique biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual” but excludes digital or physical photographs, audio or video recordings, and any other types of data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.
Consent is “a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer” which “may include a written statement, including by electronic means, or any other unambiguous affirmative action,” but does not include “acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information; hovering over, muting, pausing, or closing a given piece of content; or agreement obtained through the use of dark patterns.”
Just like with other US privacy regulations, a data subject is here called a ‘consumer’ and defined as “an individual who is a resident of this State,” a ‘controller’ is “a person that, alone or jointly with others, determines the purpose and means of processing personal data,” a ‘processor’ is “a person that processes personal data on behalf of a controller,” and the activity of ‘profiling’ means “any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, demographic characteristics, personal preferences, interests, reliability, behavior, location, or movements.”
The Delaware Personal Data Privacy Act (DPDPA) also offers a definition for what is considered ‘sale of personal data,’ namely “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.” However, it excludes from the definition several types of disclosure as follows:
- “The disclosure of personal data to a processor that processes the personal data on behalf of the controller where limited to the purpose of such processing.
- The disclosure of personal data to a third party for purposes of providing a product or service affirmatively requested by the consumer.
- The disclosure or transfer of personal data to an affiliate of the controller.
- The disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party.
- The disclosure of personal data that the consumer intentionally made available to the general public via a channel of mass media, and did not restrict to a specific audience.
- The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other similar transaction in which the third party assumes control of all or part of the controller’s assets, or a proposed merger, acquisition, bankruptcy, or other similar transaction in which the third party assumes control of all or part of the controller’s assets.”
Who has to comply with the Delaware Personal Data Privacy Act?
The Delaware Personal Data Privacy Act (DPDPA) applies to persons that conduct business in Delaware, or that produce products or services targeted to residents of Delaware, and that during the preceding calendar year met either of the following thresholds:
- controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data.
It is noteworthy that the Delaware Personal Data Privacy Act (DPDPA) also includes nonprofit organizations, with the exception of a few specific types.
Who is excluded from compliance with the Delaware Personal Data Privacy Act?
The Delaware Personal Data Privacy Act (DPDPA) excludes several types of entities and of data as follows:
- any regulatory, administrative, advisory, executive, appointive, legislative, or judicial body or a political subdivision of Delaware, including any board, bureau, commission, agency of the state or a political subdivision, but excluding any institution of higher education;
- any financial institution or affiliate of a financial institution, as well as any data subject to Title V of the Gramm-Leach-Bliley Act;
- any nonprofit organization dedicated exclusively to preventing and addressing insurance crime;
- a national securities association registered under the Securities Exchange Act of 1934;
- protected health information under HIPAA;
- patient-identifying information;
- identifiable private information, to the extent that it is used for purposes of the federal policy for the protection of human subjects;
- identifiable private information to the extent it is collected and used as part of human subjects research;
- patient safety work product, that is created and used for purposes of patient safety improvement;
- information used for public health, community health, or population health activities and purposes, as authorized by HIPAA, when provided by or to a Covered Entity or when provided by or to a Business Associate pursuant to a Business Associate Agreement with a Covered Entity;
- the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act;
- personal data collected, processed, sold, or disclosed in compliance with the Driver’s Privacy Protection Act of 1994;
- personal data regulated by the Family Educational Rights and Privacy Act;
- personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act;
- data processed or maintained in the context of employment; an individual’s emergency contact information, used for emergency contact purposes; or data necessary to administer employment-related benefits for another individual (for example a dependent) that relates to the employee, and is used for the purpose of administering those benefits;
- personal data collected, processed, sold, or disclosed as regulated by the Airline Deregulation Act;
- personal data of a victim of or witness to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking that is collected, processed, or maintained by a nonprofit organization that provides services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking.
How can I keep my organization compliant with the Delaware Personal Data Privacy Act?
The Delaware Personal Data Privacy Act (DPDPA) mandates a series of controller duties as follows:
- limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer;
- except as otherwise permitted by this chapter, do not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless you obtain the consumer’s consent;
- establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, appropriate to the volume and nature of the personal data;
- do not process sensitive data about a consumer without obtaining their consent, or, in the case of the processing of sensitive data concerning a known child, without first obtaining consent from the child’s parent or lawful guardian;
- do not process personal data in violation of the laws of this State and federal laws that prohibit unlawful discrimination;
- provide an effective mechanism for a consumer to revoke their consent that is at least as easy as the mechanism by which they provided their consent and, upon revocation of such consent, cease to process the data as soon as practicable, but not later than 15 days after the receipt of such request;
- do not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer’s personal data without their consent, under circumstances where you have actual knowledge or willfully disregard that the consumer is at least thirteen years of age but younger than 18 years of age.
- do not discriminate against a consumer for exercising any of their consumer rights, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services.
- provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes all of the following:
  - the categories of personal data you process;
  - the purpose for processing personal data;
  - one or more secure and reliable means through which consumers can exercise their rights, including how they can appeal your decision with regard to their request. Such means have to take into account how consumers normally interact with you, the need for secure and reliable communication of such requests, and your ability to verify the identity of the consumer making the request;
  - the categories of personal data that you share with third parties, and the categories of third parties you share personal data with, if any;
  - an active electronic mail address or other online mechanism that consumers can use to contact you;
- if you sell personal data to third parties or process personal data for targeted advertising, clearly and conspicuously disclose such processing, as well as the manner in which consumers can exercise their right to opt out of it.
Processor duties under the Delaware Personal Data Privacy Act (DPDPA) are to “adhere to the instructions of a controller” and to “assist the controller in meeting the controller’s obligations under this chapter.” The processor’s data processing procedures, with respect to processing performed on behalf of the controller, must be governed by a contract between the controller and the processor. The contract must be “binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties.”
Data controllers have an obligation under the Delaware Personal Data Privacy Act (DPDPA) to respect the right to opt out of data processing of a consumer for purposes of “targeted advertising; the sale of personal data; or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.” As regards this consumer right, according to the text of the law, “a consumer may designate an authorized agent to exercise the rights of such consumer to opt out of the processing of such consumer’s personal data on behalf of the consumer. In the case of processing personal data of a known child, the parent or legal guardian may exercise such consumer rights on the child’s behalf. In the case of processing personal data concerning a consumer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the consumer may exercise such rights on the consumer’s behalf.” This authorized agent can be designated “by way of, among other things, a platform, technology, or mechanism, including an Internet link or a browser setting, browser extension, or global device setting, indicating such consumer’s intent to opt out of such processing. For the purposes of such designation, the platform, technology, or mechanism may function as the agent to convey the consumer’s decision to opt-out.”
Controllers are required to comply with an opt-out request received from an authorized agent if they are able to verify, “with commercially reasonable effort, the identity of the consumer and the authorized agent’s authority to act on such consumer’s behalf.” The obligation to honor opt-out requests conveyed through such a platform, technology, or mechanism becomes effective one year after the law’s effective date, on January 1, 2026. Before that date, “the Department of Justice may publish or reference on its website a list of agents who presumptively shall have such authority unless the controller has established a reasonable basis to conclude that the agent lacks such authority.”
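The “browser setting, browser extension, or global device setting” the statute refers to is, in practice, an opt-out preference signal sent with every HTTP request. The example below is added here and is not code from the original page or from Clym; it assumes the Global Privacy Control (GPC) signal, carried in the `Sec-GPC` request header, is the kind of signal the statute contemplates (the statutory text quoted above names no specific protocol, so that mapping is an assumption). The header check follows the GPC specification, under which only the exact value `1` counts; the decision logic, the stored-preference shape, and the sample requests are constructed for illustration.

```javascript
// Added example: honoring a browser-conveyed opt-out signal server-side.
// Assumption: the Sec-GPC header is the "browser setting" the DPDPA refers to;
// the mapping of that signal onto the opt-out purposes is illustrative.

// Return the value of a request header regardless of the case the runtime
// stored it in (Node lowercases header names; other runtimes may not).
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// Per the GPC specification the only valid header value is the single
// character "1". Anything else ("true", "0", "1; yes") is NOT an opt-out,
// so a sloppy truthiness check here would over- or under-apply the signal.
function hasGpcSignal(headers) {
  return headerValue(headers, 'Sec-GPC') === '1';
}

// Client-side counterpart: the same signal exposed to page scripts. Takes a
// navigator-like object so it can be exercised outside a browser.
function clientHasGpcSignal(nav) {
  return nav !== null && typeof nav === 'object' && nav.globalPrivacyControl === true;
}

// The processing purposes the page lists as subject to a consumer opt-out.
const OPT_OUT_PURPOSES = Object.freeze(['sale', 'targetedAdvertising', 'profiling']);

// Resolve which purposes the consumer has opted out of for this request.
// - A GPC signal opts the consumer out of sale and targeted advertising.
// - GPC does not express a profiling preference, so profiling follows only
//   the explicit preference on record (constructed shape: {purpose: true}).
// - An explicit opt-out already on record is never undone by the absence
//   of the signal on a later request.
function resolveOptOut(headers, storedPreference = {}) {
  const signal = hasGpcSignal(headers);
  const optedOut = {};
  for (const purpose of OPT_OUT_PURPOSES) {
    const explicit = storedPreference[purpose] === true;
    const viaSignal = signal && purpose !== 'profiling';
    optedOut[purpose] = explicit || viaSignal; // true means: do not process
  }
  return { optedOut, source: signal ? 'gpc' : 'stored' };
}

// Gate a data-sharing action on the resolved decision. Returns an audit
// record instead of performing the share so the logic is unit-testable.
function gateShare(purpose, headers, storedPreference) {
  const { optedOut, source } = resolveOptOut(headers, storedPreference);
  if (!(purpose in optedOut)) throw new Error(`unknown purpose: ${purpose}`);
  return { purpose, allowed: !optedOut[purpose], source };
}

// Constructed sample requests (not captured traffic): a valid signal, an
// invalid value that must be ignored, and a stored opt-out with no signal.
const SAMPLE_REQUESTS = [
  { headers: { 'sec-gpc': '1' }, stored: {} },
  { headers: { 'Sec-GPC': 'true' }, stored: {} },
  { headers: { 'user-agent': 'example' }, stored: { sale: true } },
];

// Whether a "sale" of personal data would be allowed for each sample request.
function demo() {
  return SAMPLE_REQUESTS.map((r) => gateShare('sale', r.headers, r.stored).allowed);
}

module.exports = { hasGpcSignal, clientHasGpcSignal, resolveOptOut, gateShare, demo };
```

The design point a practitioner should take from this is the strict equality on `'1'`: treating any non-empty `Sec-GPC` value as an opt-out is harmless for the consumer but silently breaks the signal's meaning, while treating a missing header as consent would undo an opt-out the consumer already recorded. Keep the decision separate from the action (as `gateShare` does) so the audit record can show which source the decision came from when a request or complaint is later reviewed.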
One final controller duty mandated by the Delaware Personal Data Privacy Act (DPDPA) is that of conducting a data protection assessment. However, this only applies to “a controller that controls or processes the data of not less than 100,000 consumers, excluding data controlled or processed solely for the purpose of completing a payment transaction” and only to “the controller’s processing activities that present a heightened risk of harm to a consumer,” such as:
- the processing of personal data for the purposes of targeted advertising;
- the sale of personal data;
- the processing of personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of any of the following:
  - unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
  - financial, physical, or reputational injury to consumers;
  - a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person;
  - other substantial injury to consumers;
- the processing of sensitive data.
What data access rights does Delaware Personal Data Privacy Act grant?
Under the Delaware Personal Data Privacy Act (DPDPA), consumers have to be allowed to do the following:
- confirm whether a controller is processing the consumer’s personal data and access such personal data, unless such confirmation or access would require the controller to reveal a trade secret;
- correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data;
- delete personal data provided by, or obtained about, the consumer;
- obtain a copy of the consumer’s personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means, provided such controller shall not be required to reveal any trade secret;
- obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data;
- opt out of the processing of the personal data for purposes of any of the following:
  - targeted advertising;
  - the sale of personal data, unless exceptions apply; or
  - profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
Summed up, this means they have the following rights:
- Right to Know
- Right to Access
- Right to Correct
- Right to Delete
- Right to Data Portability
- Right to Opt Out of personal data processing for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.
How to address data subject access requests under Delaware Personal Data Privacy Act?
The Delaware Personal Data Privacy Act mandates that controllers have to respond to a consumer request “without undue delay, but not later than 45 days after receipt of the request.” This period may be extended by an additional period of 45 days “when reasonably necessary, considering the complexity and number of the consumer’s requests,” provided that you inform the consumer of the extension within the initial 45-day response period and of the reason for the extension.
If you decide to refuse a consumer request, you are required to inform the consumer within the 45 days timeframe of the refusal, providing them with both the justification and instructions on how your decision can be appealed.
Information provided in response to a consumer request has to be provided “free of charge, once per consumer during any 12-month period.” However, if requests from a consumer are “manifestly unfounded, excessive or repetitive,” you may charge the consumer “a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request,” but the burden is on you to demonstrate the manifestly unfounded, excessive, or repetitive nature of the request.
If you are unable to authenticate a request to exercise any of the consumer rights afforded by the Delaware Personal Data Privacy Act using “commercially reasonable efforts” then you have no obligation to comply with the request but you must provide notice to the consumer that you are unable to authenticate the request to exercise such right or rights until the consumer provides additional information to authenticate themselves and their request.
Regarding appeals of your decision, you are required to establish a process for a consumer to appeal your refusal to take action on a request within a reasonable period after the consumer’s receipt of the decision. This appeal process has to be “conspicuously available and similar to the process for submitting requests.” After receiving an appeal, you have 60 days to “inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision.” If the appeal is denied, you will also have to provide the consumer with an online mechanism, if available, or other methods through which they may contact the Department of Justice to submit a complaint.
Enforcement and penalties
The enforcing authority of the Delaware Personal Data Privacy Act (DPDPA) is the Delaware Department of Justice, which can investigate and prosecute violations of the law.
Between January 1, 2025 and December 31, 2025, according to the text of the law, “the Department of Justice shall, prior to initiating any action for a violation of any provision of this chapter, issue a notice of violation to the controller if the Department of Justice determines that a cure is possible. If the controller fails to cure such violation within 60 days of receipt of the notice of violation, the Department of Justice may bring an enforcement proceeding.” After this period, beginning January 1, 2026, the Department of Justice may, at its discretion, grant controllers a cure period, and in deciding whether to do so will consider the following factors:
- number of violations;
- size and complexity of the controller or processor;
- nature and extent of the controller’s or processor’s processing activities;
- the substantial likelihood of injury to the public;
- the safety of persons or property;
- whether such alleged violation was likely caused by human or technical error;
- the extent to which the controller or processor has violated this or similar laws in the past.
A violation of the Delaware Personal Data Privacy Act (DPDPA) is considered an unlawful practice under Subchapter II of Chapter 25 of Title 6 of the Delaware Code (the Consumer Fraud Act), which carries a civil penalty of up to $10,000 for each violation.
Data Subject Rights - GDPR vs. the Delaware Personal Data Privacy Act
GDPR
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right not to be subject to a decision based solely on automated processing
Delaware Personal Data Privacy Act
- Right to know
- Right to access
- Right to correct
- Right to delete
- Right to data portability
- Right to Opt Out of personal data processing for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- ReadyCompliance™: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customize their individual experience.
See Clym in action by booking a demo, or reach out to us to discuss your specific needs today.
FAQs about the Delaware Personal Data Privacy Act
What does the Delaware Personal Data Privacy Act apply to?
The Delaware Personal Data Privacy Act (DPDPA) applies to persons that conduct business in Delaware, or that target products or services to residents of Delaware, and that during the preceding calendar year either controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data. Additionally, the Delaware Personal Data Privacy Act (DPDPA) also applies to nonprofit organizations, with the exception of a few specific types.
What does the Delaware Personal Data Privacy Act exempt?
The Delaware Personal Data Privacy Act excludes both types of entities and types of data, for example financial institutions and data regulated by Title V of the Gramm-Leach-Bliley Act, any nonprofit organization dedicated exclusively to preventing and addressing insurance crime, protected health information under HIPAA, or personal data of a victim of or witness to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking that is collected, processed, or maintained by a nonprofit organization that provides services to such victims or witnesses.
What rights does the Delaware Personal Data Privacy Act provide to Delaware residents?
Under the Delaware Personal Data Privacy Act (DPDPA), consumers have the following rights:
- Right to Know
- Right to Access
- Right to Correct
- Right to Delete
- Right to Data Portability
- Right to Opt Out of personal data processing for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.
Who enforces the Delaware Personal Data Privacy Act?
The enforcing authority of the Delaware Personal Data Privacy Act (DPDPA) is the Delaware Department of Justice, which can investigate and prosecute violations of the law.
What are the penalties for violations of the Delaware Personal Data Privacy Act?
A violation of the Delaware Personal Data Privacy Act (DPDPA) is considered an unlawful practice under Subchapter II of Chapter 25 of Title 6 of the Delaware Code (the Consumer Fraud Act), which carries a civil penalty of up to $10,000 for each violation.