

Delaware Personal Data Privacy Act (DPDPA)

Passed: June 30, 2023
Effective Date: January 1, 2026
Who it applies to

Entities that (1) control or process the personal data of more than 35,000 consumers (excluding payment transactions); or (2) control or process the personal data of more than 10,000 consumers and derive more than 20% of gross revenue from the sale of personal data. Exemptions include government agencies, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), and protected health information under HIPAA.

Penalties: Up to $10,000

What’s notable about it:

Delaware modeled its law on the Virginia general privacy law framework and is casting the net wide with its privacy law. The DPDPA hits companies processing personal data about just 35,000 consumers (one of the lowest application thresholds)—and is also the only comprehensive state privacy law to cover nonprofits and universities.

Notably, the DPDPA is slightly broader in its definition of sensitive data. Similar to Oregon, Delaware’s law explicitly includes status as transgender or nonbinary as a sensitive data category. Moreover, the DPDPA is unique in explicitly listing pregnancy as an enumerated physical health condition.

It does not provide entity-level exemptions for covered entities and business associates regulated under the Health Insurance Portability and Accountability Act (HIPAA), and it does not provide a broad exception for nonprofits.

The Strict Spectrum

Less Strict