Delaware
Delaware Personal Data Privacy Act (DPDPA)
| Passed | June 30, 2023 |
| Effective Date | January 1, 2026 |
| Who it applies to |
Entities that (1) control or process the personal data of more than 35,000 consumers (excluding payment transactions); or (2) control or process the personal data of more than 10,000 consumers and derive more than 20% of gross revenue from the sale of personal data. Exemptions include, government agencies, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), and protected health information under HIPAA |
| Penalties | Up to $10,000 |
What’s notable about it:
Delaware modeled its law on the Virginia general privacy law framework and is casting the net wide with its privacy law. The DPDPA hits companies processing personal data about just 35,000 consumers (one of the lowest application thresholds)—and is also the only comprehensive state privacy law to cover nonprofits and universities.
Notably, the DPDPA is slightly broader in its definition of sensitive data. Similar to Oregon, Delaware’s law explicitly includes status as transgender or nonbinary as a sensitive data category. Moreover, the DPDPA is unique in explicitly listing pregnancy as an enumerated physical health condition
It does not provide entity level exemptions for covered entities and business associates regulated under the Health Insurance Portability and Accountability Act (HIPAA), and also does not provide a broad exception for nonprofits.