Delaware
Delaware Personal Data Privacy Act (DPDPA)
Passed | September 11, 2023 |
Effective Date | January 1, 2025 |
Who it applies to | Entities that (1) control or process the personal data of more than 35,000 consumers (excluding payment transactions); or (2) control or process the personal data of more than 10,000 consumers and derive more than 20% of gross revenue from the sale of personal data. Exemptions include government agencies, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), and protected health information under HIPAA. |
Penalties | Up to $10,000 per violation. |
What’s notable about it:
Delaware modeled its law on the Virginia general privacy law framework and is casting the net wide with its privacy law. The DPDPA applies to companies processing personal data of just 35,000 consumers, which is one of the lowest thresholds among state privacy laws. Notably, Delaware’s DPDPA is one of the few that does not provide entity-level exemptions for most nonprofit organizations and institutions of higher education. While many other states exclude these entities from privacy regulations, Delaware’s law applies to them, making it a more comprehensive approach. However, there are exceptions for certain nonprofit data, particularly data held by organizations offering services to victims of sensitive crimes like child abuse, domestic violence, or human trafficking. The DPDPA is also slightly broader in its definition of sensitive data. Similar to Oregon, Delaware’s law explicitly includes status as transgender or nonbinary as a sensitive data category. Moreover, the DPDPA is unique in explicitly listing pregnancy as an enumerated physical health condition.
Another key aspect of the DPDPA is its lack of entity-level exemptions for HIPAA-covered entities and business associates, meaning these organizations are not excluded from the law’s provisions. Furthermore, the law introduces a new privacy right by requiring businesses to disclose the categories of third parties with whom they have shared consumer data in response to a data subject request (DSR). This provision is similar to Oregon's law but is less stringent, as it focuses on the categories rather than naming specific third parties. Finally, like other state laws such as Colorado's, Delaware’s law mandates that businesses provide a universal opt-out option for consumers, effective in 2026, which allows consumers to manage their data preferences across multiple platforms. This addition is part of a growing trend toward empowering consumers with more control over their personal data.