Manage privacy requirements of the Delaware Personal Data Protection Act (DPDPA)
WHAT IS THE DPDPA?
The Delaware Personal Data Protection Act (DPDPA) is a comprehensive consumer privacy law that took effect on January 1, 2025. It governs how businesses collect, process, share, and sell the personal data of Delaware residents, granting new rights to individuals and placing obligations on businesses that meet its thresholds.
The DPDPA shares structural similarities with other U.S. state privacy laws, but stands out for its broad sensitive data definition and its protections for minors, including requirements for prior consent from teens for certain uses of their data.
DPDPA AT A GLANCE
- The Delaware Personal Data Protection Act (DPDPA) took effect on January 1, 2025.
- Applies to: For-profit businesses that process personal data of at least 35,000 Delaware residents, or at least 10,000 Delaware residents if they derive more than 20 percent of gross revenue from the sale of personal data.
- Delaware residents have rights of access and disclosure; correction; deletion; portability; opt-out of data sales, targeted advertising, or certain types of profiling; and non-discrimination.
- Businesses must provide clear privacy notices and respond to consumer rights requests within 45 days.
- Enforcement: Delaware Attorney General, civil penalties for violations.
- Cure period: The Department of Justice can provide a cure period at its discretion, but there is no longer a right to cure.
REQUIREMENTS
What does the DPDPA require from businesses?
The DPDPA applies to for-profit organizations that process personal data of at least 35,000 Delaware consumers per year, or at least 10,000 while deriving more than 20 percent of gross revenue from selling personal data.
Covered businesses must provide a clear privacy notice explaining how personal data is collected, used, shared, or sold, and offer opt-out mechanisms for data sales, targeted advertising, and certain profiling. Affirmative opt-in consent is required before processing sensitive personal data, including the personal data of known children.
Businesses must also respond to consumer rights requests within 45 days (extendable by a further 45 when reasonably necessary), conduct Data Protection Assessments before higher-risk processing activities such as data sales, targeted advertising, or profiling (if they process the personal data of 100,000 or more consumers), and implement reasonable security measures throughout the data lifecycle.
RISKS
What are the risks of ignoring the DPDPA?
Failing to meet DPDPA requirements can result in enforcement by the Delaware Attorney General, with civil penalties of up to USD 10,000 per violation. The original 60-day cure period expired at the end of 2025, so the Department of Justice may now grant an opportunity to cure at its discretion, based on the nature and scope of the violation.
Beyond financial penalties, gaps in consent management, opt-out mechanisms, or required notices can increase legal risk, disrupt advertising and data-driven revenue, and weaken customer trust.
Many businesses operating under the DPDPA also face obligations under other U.S. state privacy laws. A single, well-configured consent management platform can address Delaware’s requirements while supporting compliance readiness across jurisdictions.
As privacy expectations rise, inadequate data practices can also damage reputation, reduce customer engagement, and cost business.
TALK TO OUR PRIVACY EXPERTS
With no minimum revenue threshold, the DPDPA can apply to businesses of almost any size that process the personal data of Delaware residents. Usercentrics helps you provide clear notice, the right opt-out mechanisms, and audit-ready consent records, without slowing down your websites, apps, or adtech.
Managing obligations under multiple U.S. or global privacy laws? We’ll help you with a setup that scales.
- Stable tracking and marketing performance as privacy rules evolve
- Required opt-out mechanisms for data sales and targeted advertising, ready to deploy
- Automated scanning designed to keep your privacy notice and cookie banner accurate
- A single platform to manage U.S. and global privacy laws, updated automatically
Frequently asked questions
The Delaware Personal Data Protection Act (DPDPA) applies to for-profit businesses that conduct business in Delaware or produce products or services targeted to Delaware residents, and that during a calendar year:
- Process the personal data of at least 35,000 Delaware consumers, or
- Process the personal data of at least 10,000 Delaware consumers and derive more than 20 percent of gross revenue from the sale of personal data.
The DPDPA does not have a minimum annual revenue threshold, making it potentially relevant to a wider range of businesses than under laws like those in California and other states.
Delaware consumers have the right to:
- Know whether personal data is being processed about them and receive confirmation
- Access a copy of their personal data
- Correct inaccuracies in their personal data
- Delete personal data collected about them (with exceptions)
- Data portability to receive their data in a portable, readily usable format
- Opt out of the sale of personal data, targeted advertising, and certain profiling
- Non-discrimination for exercising their privacy rights
- Restrict collection or use of sensitive personal information
For consumers under the age of 13, a parent or guardian must provide consent before personal data is collected. Controllers are prohibited from processing personal data of consumers between the ages of 13 and 17 for targeted advertising or selling such data without the consumer’s consent. Covered businesses must provide clear, accessible ways for consumers to exercise these rights.
The Delaware Attorney General enforces the DPDPA. The Department of Justice has discretion over whether to issue a notice of violation, but if it does, businesses are guaranteed at least 60 days to cure before enforcement action may follow, including civil penalties up to USD 10,000 per violation. There is no private right of action under the DPDPA.
Covered businesses must provide a clear and accessible privacy notice that explains:
- Categories of personal data collected and processed
- Purposes of processing
- Categories of personal data shared with third parties (if any)
- Categories of recipients of personal data (if any)
- How consumers can exercise their data privacy rights, including opt-out
- How consumers can appeal a controller’s decision (e.g. denial of a data subject access request)
- An active email address or other “secure and reliable” digital mode of contact for the controller
- Clear and conspicuous disclosure if the controller sells personal data or uses it for targeted purposes
Potentially, yes. The DPDPA applies to businesses that target Delaware residents or offer products and services to them, even if the business is headquartered elsewhere. What matters is whether you process the personal data of Delaware consumers above the applicable thresholds, not where your company is located.
Businesses must obtain opt-in consent before processing sensitive personal data. The DPDPA defines sensitive personal data to include:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health condition or diagnosis (including pregnancy)
- Sex life or sexual orientation
- Status as transgender or nonbinary
- National origin
- Citizenship or immigration status
- Genetic or biometric data
- Personal data of a known child
- Precise geolocation data (with precision and accuracy within a radius of 1,750 feet)