Delaware Personal Data Privacy Act (DPDPA) 

Who is excluded from compliance with the Delaware Personal Data Privacy Act? 

The Delaware Personal Data Privacy Act (DPDPA) excludes several types of entities and of data as follows: 

• any regulatory, administrative, advisory, executive, appointive, legislative, or judicial body or a political subdivision of Delaware, including any board, bureau, commission, agency of the state or a political subdivision, but excluding any institution of higher education;
• any financial institution or affiliate of a financial institution, as well as any data subject to Title V of the Gramm Leach Bliley Act ;
• any nonprofit organization dedicated exclusively to preventing and addressing insurance crime;
• a national securities association registered under the Securities Exchange Act of 1934; 
• protected health information under HIPAA;
• patient-identifying information;
• identifiable private information, to the extent that it is used for purposes of the federal policy for the protection of human subjects;
• identifiable private information to the extent it is collected and used as part of human subjects research;
• patient safety work product, that is created and used for purposes of patient safety improvement;
• information used for public health, community health, or population health activities and purposes, as authorized by HIPAA, when provided by or to a Covered Entity or when provided by or to a Business Associate pursuant to a Business Associate Agreement with a Covered Entity;
• the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act; 
• personal data collected, processed, sold, or disclosed in compliance with the Driver’s Privacy Protection Act of 1994;
• personal data regulated by the Family Educational Rights and Privacy Act;
• personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act;
• data processed or maintained in the context of employment; as the emergency contact information of an individual, used for emergency contact purposes; or data necessary for administering employment related benefits for another individual relating to the individual who is the main employment subject and used for the purposes of administering such benefits.
• personal data collected, processed, sold, or disclosed as regulated by the Airline Deregulation Act;
• personal data of a victim of or witness to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking that is collected, processed, or maintained by a nonprofit organization that provides services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking.

How can I keep my organization compliant with the Delaware Personal Data Privacy Act? 

The Delaware Personal Data Privacy Act (DPDPA) mandates a series of controller duties as follows: 

• limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer;
• except as otherwise permitted by this chapter, do not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless you obtain the consumer’s consent;
• establish implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data;
• do not process sensitive data about a consumer without obtaining their consent, or, in the case of the processing of sensitive data concerning a known child, without first obtaining consent from the child’s parent or lawful guardian;
• do not process personal data in violation of the laws of this State and federal laws that prohibit unlawful discrimination;
• provide an effective mechanism for a consumer to revoke their consent that is at least as easy as the mechanism by which they provided their consent and, upon revocation of such consent, cease to process the data as soon as practicable, but not later than 15 days after the receipt of such request;
• do not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer’s personal data without their consent, under circumstances where you have actual knowledge or willfully disregard that the consumer is at least thirteen years of age but younger than 18 years of age. 
• do not discriminate against a consumer for exercising any of their consumer rights, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services.
• provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes all of the following:
  • the categories of personal data you process;
  • the purpose for processing personal data;
  • one or more secure and reliable means through which consumers can exercise their rights, including how they can appeal your decision with regard to their request. Such means have to consider how consumers normally interact with you, the need for secure and reliable communication of such requests, and your ability to verify the identity of the consumer making the request.
  • the categories of personal data that you share with third parties, and the categories of third parties you share personal data with, if any;
  • an active electronic mail address or other online mechanism that consumers can use to contact you; 
  • if you sell personal data to third parties or process personal data for targeted advertising, you are required to clearly and conspicuously disclose such processing, as well as the manner in which consumers can exercise the right to opt out of such processing.

Processor duties under the Delaware Personal Data Privacy Act (DPDPA) are to “adhere to the instructions of a controller” and to “assist the controller in meeting the controller’s obligations under this chapter” and the processor’s data processing procedures with respect to processing performed on behalf of the controller has to be governed by a contract between the controller and the processor. The contract must be “binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties.”

Data controllers have an obligation under the Delaware Personal Data Privacy Act (DPDPA) to respect the right to opt out of data processing of a consumer for purposes of “targeted advertising; the sale of personal data; or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.” As regards this consumer right, according to the text of the law, “a consumer may designate an authorized agent to exercise the rights of such consumer to opt out of the processing of such consumer’s personal data on behalf of the consumer. In the case of processing personal data of a known child, the parent or legal guardian may exercise such consumer rights on the child’s behalf. In the case of processing personal data concerning a consumer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the consumer may exercise such rights on the consumer’s behalf.” This authorized agent can be designated “by way of, among other things, a platform, technology, or mechanism, including an Internet link or a browser setting, browser extension, or global device setting, indicating such consumer’s intent to opt out of such processing. For the purposes of such designation, the platform, technology, or mechanism may function as the agent to convey the consumer’s decision to opt-out.” 

Controllers are required to comply with an opt-out request received from an authorized agent if they are able to verify, “with commercially reasonable effort, the identity of the consumer and the authorized agent’s authority to act on such consumer’s behalf.” This obligation becomes effective one year after the official effective date of the Delaware Personal Data Privacy Act (DPDPA), on January 1, 2026, and before this date “the Department of Justice may publish or reference on its website a list of agents who presumptively shall have such authority unless the controller has established a reasonable basis to conclude that the agent lacks such authority.”

One final controller duty mandated by the Delaware Personal Data Privacy Act (DPDPA) is that of conducting a data protection assessment. However, this only applies to “a controller that controls or processes the data of not less than 100,000 consumers, excluding data controlled or processed solely for the purpose of completing a payment transaction” and to “the controller’s processing activities that present a heightened risk of harm to a consumer,” such as 

• the processing of personal data for the purposes of targeted advertising;
• the sale of personal data;
• the processing of personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of any of the following:
  • unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
  • financial, physical, or reputational injury to consumers;
  • a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person;
  • other substantial injury to consumers;
• the processing of sensitive data.

What data access rights does Delaware Personal Data Privacy Act grant? 

Under the Delaware Personal Data Privacy Act (DPDPA), consumers have to be allowed to do the following:

• confirm whether a controller is processing the consumer’s personal data and access such personal data, unless such confirmation or access would require the controller to reveal a trade secret;
• correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data;
• delete personal data provided by, or obtained about, the consumer;
• obtain a copy of the consumer’s personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means, provided such controller shall not be required to reveal any trade secret;
• obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data;
• opt out of the processing of the personal data for purposes of any of the following:
  • targeted advertising;
  • the sale of personal data, unless exceptions apply; or
  • profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

Summed up, this means they have the following rights: 

• Right to Know
• Right to Access
• Right to Correct
• Right to Delete
• Right to Data Portability
• Right to Opt Out of personal data processing for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

How to address data subject access requests under Delaware Personal Data Privacy Act?

The Delaware Personal Data Privacy Act mandates that controllers have to respond to a consumer request “without undue delay, but not later than 45 days after receipt of the request.” This period may be extended by an additional period of 45 days “when reasonably necessary, considering the complexity and number of the consumer’s requests,” provided that you inform the consumer of the extension within the initial 45-day response period and of the reason for the extension.

If you decide to refuse a consumer request, you are required to inform the consumer within the 45 days timeframe of the refusal, providing them with both the justification and instructions on how your decision can be appealed. 

Information provided in response to a consumer request has to be provided “free of charge, once per consumer during any 12-month period,” however if requests from a consumer are “manifestly unfounded, excessive or repetitive,” you may charge the consumer “a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request” but you you have to demonstrate the manifestly unfounded, excessive or repetitive nature of the request.

If you are unable to authenticate a request to exercise any of the consumer rights afforded by the Delaware Personal Data Privacy Act using “commercially reasonable efforts” then you have no obligation to comply with the request but you must provide notice to the consumer that you are unable to authenticate the request to exercise such right or rights until the consumer provides additional information to authenticate themselves and their request.

Regarding appeals of your decision, you are required to establish a process for a consumer to appeal your refusal to take action on a request within a reasonable period after the consumer’s receipt of the decision. This appeal process has to be “conspicuously available and similar to the process for submitting requests.” After receiving an appeal, you have 60 days to “inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision.” If the appeal is denied, you will also have to provide the consumer with an online mechanism, if available, or other methods through which they may contact the Department of Justice to submit a complaint.

Enforcement and penalties

The enforcing authority of the Delaware Personal Data Privacy Act (DPDPA) is the Department of Justice who can investigate and prosecute violations of the law. 

Between January 1, 2025 and December 31, 2025, according to the text of the law, “the Department of Justice shall, prior to initiating any action for a violation of any provision of this chapter, issue a notice of violation to the controller if the Department of Justice determines that a cure is possible. If the controller fails to cure such violation within 60 days of receipt of the notice of violation, the Department of Justice may bring an enforcement proceeding.” After this period, beginning January 1, 2026, the Department of Justice might grant controllers a cure period and in doing so will consider the following factors: 

• number of violations;
• size and complexity of the controller or processor;
• nature and extent of the controller’s or processor’s processing activities;
• the substantial likelihood of injury to the public;
• the safety of persons or property;
• whether such alleged violation was likely caused by human or technical error; 
• the extent to which the controller or processor has violated this or similar laws in the past.

A violation under the Delaware Personal Data Privacy Act (DPDPA) is considered an unlawful practice, which under Subchapter II of Chapter 25 of the Delaware Code comes with a civil penalty of up to $10,000 for each violation.

Data Subject Rights - GDPR vs. the Delaware Personal Data Privacy Act 

FAQs about the Delaware Personal Data Privacy Act