



This page introduces the Delaware Personal Data Privacy Act (DPDPA) and its impact on businesses in Delaware: applicability, sensitive data, controller and processor obligations, consumer rights, and penalties under this comprehensive privacy law.
On September 11, 2023, Delaware Governor John Carney signed the Delaware Personal Data Privacy Act (DPDPA), making Delaware the 13th state to enact a consumer privacy law. If you run a business in Delaware or sell to Delaware consumers, it is important to understand the DPDPA and its implications.
The DPDPA aims to protect the consumer privacy rights of Delaware residents. It grants specific rights to consumers and places obligations on businesses; non-compliance can lead to severe penalties.
The DPDPA shares similarities with the consumer data privacy laws of other US states but has its own distinctive provisions. It focuses on consumer data privacy and excludes employment-related data from its scope.
The DPDPA takes effect on January 1, 2025.
Delaware is home to many businesses, but the state privacy law will not affect all of them. Your business falls under the DPDPA's jurisdiction if:
Remember that tools like Google Analytics or the Facebook Pixel, which process user data, can quickly push you past these thresholds and bring you within the DPDPA's scope. Although the thresholds exist, most companies operating online will be affected by this comprehensive privacy law.
The DPDPA has a long definition of personal data, which covers "any personally identifiable information about a user of a commercial internet website, online or cloud computing service, online application, or mobile application that is collected online by the operator of that commercial internet website, online service, online application, or mobile application from that user and maintained by the operator in an accessible form, including a first and last name, a physical address, an e-mail address, a telephone number, a Social Security number, or any other identifier that permits the physical or online contacting of the user, and any other information concerning the user collected by the operator of the commercial internet website, online service, online application, or mobile application from the user and maintained in personally identifiable form in combination with any identifier described in this paragraph."
This broad definition covers many categories of personal data that companies process, from names and email addresses to health records, online behavior, and more. However, employment data and information protected by the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) are explicitly excluded from the DPDPA's scope.
The DPDPA definition of sensitive data includes:
Under the DPDPA, businesses must obtain clear consent from users before processing sensitive data.
Controllers must:
Processors are responsible for:
A data processing agreement defines the relationship between the controller and processor. This contract ensures DPDPA compliance and should cover:
Your DPDPA privacy policy, also known as a privacy notice, should transparently communicate your data practices. It must include:
The DPDPA requires explicit consumer consent only for processing sensitive data. Collecting such data without consent can lead to penalties. For children's data, obtaining parental consent according to COPPA standards is essential.
Businesses must honor universal opt-out mechanisms such as Global Privacy Control (GPC). If a GPC signal is received, treat it as a valid opt-out request.
This provision takes effect on February 1, 2026.
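How a server can recognise a GPC signal and record it as an opt-out, as an added example that is not part of the original page or any official DPDPA guidance. It relies on the GPC specification's `Sec-GPC: 1` request header and the `/.well-known/gpc.json` resource; the in-memory preference store, the consumer id and the `lastUpdate` date are constructed placeholders.

```python
"""Honour Global Privacy Control (GPC) signals as opt-out requests (added example)."""
from dataclasses import dataclass, field
from typing import Mapping

# Per the GPC specification the signal is the request header "Sec-GPC" with the
# exact field value "1". Any other value, or no header at all, is not a signal.
GPC_HEADER = "Sec-GPC"


@dataclass
class ConsumerPrefs:
    """Constructed in-memory stand-in for a real consumer preference store."""
    opted_out_sale: bool = False
    opted_out_targeted_ads: bool = False
    audit: list = field(default_factory=list)


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only for a well-formed signal; header names are case-insensitive in HTTP."""
    for name, value in headers.items():
        if name.lower() == GPC_HEADER.lower():
            return value.strip() == "1"
    return False


def apply_opt_out_signal(headers: Mapping[str, str], prefs: ConsumerPrefs,
                         consumer_id: str) -> ConsumerPrefs:
    """Treat a GPC signal as a valid opt-out from sale and targeted advertising.

    Design choice (assumption, not a statutory rule): once honoured, the opt-out is
    persisted, so a later request from the same consumer that lacks the header
    does not silently re-enable sharing. Each honoured signal is audit-logged.
    """
    if gpc_signal_present(headers) and not (
        prefs.opted_out_sale and prefs.opted_out_targeted_ads
    ):
        prefs.opted_out_sale = True
        prefs.opted_out_targeted_ads = True
        prefs.audit.append(f"{consumer_id}: opt-out honoured via {GPC_HEADER}")
    return prefs


def may_share_for_targeted_ads(prefs: ConsumerPrefs) -> bool:
    """Gate every downstream data-sharing call on the recorded preference."""
    return not prefs.opted_out_targeted_ads


def gpc_well_known() -> dict:
    """Body served at /.well-known/gpc.json to state publicly that GPC is honoured."""
    return {"gpc": True, "lastUpdate": "2025-01-01"}  # placeholder date
```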
A data protection assessment helps businesses identify and mitigate the risks of their data processing. While not always mandatory, it is a recommended practice. The law specifically mandates the assessment for businesses that control or process the data of 100,000 or more consumers, excluding data controlled or processed solely to complete payment transactions. These controllers must regularly conduct and document a data protection assessment of any processing of personal data that poses a heightened risk of harm to consumers, particularly about
Consumers have rights, including the rights to:
Businesses have 45 days to respond to these requests, with a possible 45-day extension for complex cases.
The Delaware Department of Justice enforces the law; there is no private right of action for consumers. Businesses receive a 60-day notice to cure violations. Failure to comply can result in fines of up to $10,000 per violation, the highest in the US. From 2026 onwards, penalties can apply immediately, without a cure period.
Until December 31, 2025, the Delaware Department of Justice must issue a notice of violation and allow controllers 60 days to cure it, if it determines that the violation can be cured. Beginning January 1, 2026, the Department may choose, but is not required, to provide an opportunity to cure an alleged violation.