Delaware Consumer Privacy Act (DPDPA): An Overview

Delaware’s was the eighth state-level data privacy law passed in the United States in 2023 from House Bill 154, and the twelfth comprehensive privacy law passed to date. Florida’s Digital Bill of Rights is more narrow in scope and not always included. Nevada’s Privacy of Information Collected on the Internet from Consumers Act (NPICICA) and Amendment SB-260 are also limited in scope and the original Act was passed in 2018.

The United States does not have a federal data privacy law, though as of July 10, 2023 it does have the new EU-U.S. Data Privacy Framework adequacy agreement with the European Union. The EU and US had been without such an agreement since 2020 when the previous Privacy Shield was struck down.

Signed into law by Governor John Carney on September 11, 2023, the Delaware privacy regulation goes into effect January 1, 2025, the same date as Iowa’s Consumer Data Protection Act (ICDPA). It also provides for an additional year for organizations to begin recognizing universal opt-out mechanisms. Delaware’s Department of Justice (DOJ) plans to initiate an outreach period no later than July 1, 2024 to inform businesses of their obligations and consumers of their rights under the DPDPA.

Delaware’s privacy law is one of the more consumer-friendly state-level data privacy laws, though not quite as strict as California’s Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). It does apply to a broader range of companies of all sizes as well, and doesn’t specifically target large businesses, like Florida’s law, or exclude small ones, like the Texas Data Privacy and Security Act (TDPSA).

Delaware’s data privacy law protects the privacy and personal data rights of the state’s one-million residents, i.e. people acting in individual or household contexts, not in any employment capacity. The law also establishes data privacy responsibilities for companies conducting business in the state and/or providing goods and services targeted to Delaware residents.

Data controllers, defined under the law as “a person that, alone or jointly with others, determines the purpose and means of processing personal data” must provide consumers with a privacy notice that is “accessible, clear, and meaningful”. The notice has to describe the organization’s data processing operations, and include:

• categories of personal data collected and processed
• purposes of processes
• categories of personal data shared with third parties
• categories of recipients of personal data
• how consumers can exercise their data privacy rights, including opt-out
• how consumers can appeal a controller’s decision (e.g. denial of a data subject access request)
• an active email address or other “secure and reliable” digital mode of contact for the controller
• “clear and conspicuous disclosure if the controller sells personal data or uses it for targeted purposes

Like all other US data privacy laws, the DPDPA uses an opt-out model, so controllers can collect personal data without needing data subjects’ consent in many cases. Consumers do have the right to opt out of data collection and use, which includes sale, targeted advertising, or profiling “in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer”, and must be provided with information about and mechanisms to do so.

The law notes that controllers must provide “a clear and conspicuous link on the controller’s Internet web site to an Internet web page that enables a consumer, or an agent of the consumer, to opt out of the targeted advertising or the sale of the consumer’s personal data.”

Additionally, “Not later than [one year following the effective date of this Act], allowing a consumer to opt out of any processing of the consumer’s personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent, with such consumer’s consent, by a platform, technology, or mechanism to the controller indicating such consumer’s intent to opt out of any such processing or sale.”

Personal data under the DPDPA

Refers to “any information that is linked or reasonably linkable to an identified or identifiable individual, and does not include de-identified data or publicly available information”.

It should be noted that personal data (also called personal information) and personally identifiable data are not always the same thing, and distinctions are often made in data privacy laws.

Sensitive data is a category that includes types of personal data that could be embarrassing or used to do harm if unlawfully accessed or misused, and thus requires special handling and under the DPDPA cannot be collected or used without prior user consent. Delaware’s privacy law specifically refers to personal data that would reveal any of the following:

• racial or ethnic origin
• religious beliefs
• mental or physical health condition or diagnosis (including pregnancy)
• sex life or sexual orientation, including status as transgender or nonbinary
• national origin
• citizenship or immigration status
• genetic or biometric data
• personal data of a known child
• precise geolocation data (with precision and accuracy within a radius of 1,750 feet)

Delaware’s law is the second of the US privacy laws, after Oregon’s, to include transgender or nonbinary gender expression as sensitive data.

Like many other data privacy laws, the Delaware data privacy law follows the European Union’s General Data Protection Regulation (GDPR) with regards to the definition of valid consent: “a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer.”

To provide additional clarity, “Consent” may include a written statement, including by electronic means, or any other unambiguous affirmative action.” Under the DPDPA, consent does not include:

• acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information
• hovering over, muting, pausing, or closing a given piece of content
• agreement obtained through the use of dark patterns

Consumer under the DPDPA

Refers to “an individual who is a resident of [Delaware]”.

The definition does not include “an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit organization, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit organization, or government agency.”

Controller under the DPDPA

Businesses and other organizations that collect and use personal data will likely qualify as controllers, though the law uses the word “person”. Controller is defined as “a person that, alone or jointly with others, determines the purpose and means of processing personal data.”

Processor under the DPDPA

Like controller, while the law references a person, in most cases this is likely to be done by a company or other organization. Processor is defined as “a person that processes personal data on behalf of a controller.” It could include third parties like advertising partners or fulfillment companies.

Profiling under the DPDPA

Profiling is increasingly becoming a standard inclusion in data privacy laws, particularly as it can relate to “automated decision-making” or the use of AI technologies. The Delaware data protection law defines profiling as “any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, demographic characteristics, personal preferences, interests, reliability, behavior, location, or movements.”

Targeted advertising under the DPDPA

This is also increasingly becoming a standard inclusion in data privacy laws, and can refer to the use of emerging technologies like AI tools. The Delaware data privacy law defines targeted advertising as “displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated Internet web sites or online applications to predict such consumer’s preferences or interests.”

The following are not included in the definition of targeted advertising:

• advertisements based on activities within a controller’s own Internet web sites or online applications
• advertisements based on the context of a consumer’s current search query, visit to an Internet web site, or online application
• advertisements directed to a consumer in direct response to the consumer’s request for information or feedback
• processing personal data solely to measure or report advertising frequency, performance or reach

Sale under the DPDPA

Refers to “the exchange or transfer of personal data for monetary or other valuable consideration by the controller to a third party”.

Exclusions to the definition of sale include disclosures of personal data:

• to a processor that processes the personal data on behalf of the controller where limited to the purpose of such processing
• to a third party for purposes of providing a product or service affirmatively requested by the consumer
• or transfer of personal data to an affiliate of the controller
• where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party
• that the consumer intentionally made available to the general public via a channel of mass media, and did not restrict to a specific audience
• or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other similar transaction in which the third party
• assumes control of all or part of the controller’s assets, or a proposed merger, acquisition, bankruptcy, or other similar transaction in which the third party assumes control of all or part of the controller’s assets

The DPDPA mainly affects commercial companies, but it can potentially apply to any organization processing personal data that meets the compliance threshold criteria.

The Delaware privacy law’s compliance thresholds have some smaller numbers than other comparable laws in the US, but this is not surprising given the state’s small population of one million people. California, by comparison, has 40 million. The smaller numbers will also mean that the law will apply to more smaller businesses.

Delaware’s law continues a trend of recent US state-level privacy laws in that it has no revenue-only threshold for compliance, i.e. a company making X amount of revenue has to comply, solely based on that dollar amount.

The compliance thresholds are for the preceding calendar year if an organization:

• controlled or processed the personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction

or

• controlled or processed the personal data of not less than 10,000 consumers and derived more than 20% of its gross revenue from the sale of personal data

The DPDPA’s exemptions are fairly standard, and include exemptions for data processing governed by federal law, e.g. Health Insurance Portability and Accountability Act (HIPAA) or Gramm-Leach-Bliley Act (GLBA).

Exempted entities and their services/activities include:

• governmental agencies, including regulatory, administrative, legislative or judicial bodies
• public health organizations
• financial institutions (also entities and affiliates subject to the GLBA)
• press, wire, or other information service (and non-commercial activities of media entities)
• victims or witnesses of criminal activities

Exempted regulations (and data processed relevant to them) include:

• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act (GLBA)
• Fair Credit Reporting Act (FCRA)
• Driver’s Privacy Protection Act
• Family Educational Rights and Privacy Act (FERPA)
• Farm Credit Act
• Airline Deregulation Act

Consumers’ rights under the DPDPA are fairly standard compared to other comprehensive privacy laws in the US:

• Right to access: confirmation if the controller is processing the consumer’s personal information and access to that data and information about third parties it’s shared with, with exceptions
• Right to disclosure: a list of the categories of third parties to which the controller has disclosed the consumer’s personal data
• Right to correction: any inaccurate or outdated information the controller has that was provided by the consumer
• Right to delete: any personal data the controller has about or from the consumer (with some exceptions)
• Right to portability: obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions
• Right not to be discriminated against: controllers cannot unlawfully discriminate against consumers, including for exercising their rights
• Right to opt out: of sale of personal data, targeted advertising, or profiling “in furtherance of solely automated decisions that produce legal or similarly significant effects” concerning the consumer

Consumers can designate an authorized agent to opt out of personal data processing for them. This is particularly relevant as the DPDPA includes a requirement for controllers to recognize the universal opt-out signal, which will come into effect a year after the law takes effect.

Parents or legal guardians of children can exercise the rights of children, whose data is considered sensitive by default. Because of this designation, consent is required before children’s data can be collected or used. Like a number of the other US data privacy laws, Delaware’s law defers to the federal Children’s Online Privacy Protection Act (COPPA) regarding rights, responsibilities and protections for children and their data online, including for the definition of a child, which is a person under the age of 13.

Consumers can make one free request to a controller to exercise their rights, e.g. getting a copy of their data, every 12 months. A controller can deny requests from a consumer that are “manifestly unfounded, excessive or repetitive”. Reasonable reasons to deny a request could also include if the consumer’s identity cannot reasonably be verified, or if too many requests are received in a 12-month period.

The controller may charge the consumer a reasonable fee to cover the administrative costs of complying with such a request if it’s “manifestly unfounded, excessive or repetitive”. However, in such an instance, the controller is responsible for demonstrating that it is.

An organization has 45 days to respond, though should respond without “undue delay”, though they have the option to extend that by another 45 days if reasonably necessary.

California continues to be the only US state that enables privacy right of action under their data privacy law. That means that consumers can sue controllers in the event of a violation of the law. Delaware’s law does not include private right of action, and enforcement falls under the state’s Department of Justice.

The DPDPA is fairly similar to other US privacy law requirements regarding notifications, data access, use, and security. Because of the lower threshold numbers for compliance, it will also likely affect more businesses. The law also includes particular responsibilities for data processors, particularly relating to complying with controllers’ requirements, assisting with enabling consumers to exercise their rights, e.g. with access requests, and ensuring adequate safeguards for collected data.

Notifications defined by the DPDPA

Controllers must provide a privacy notice that is “accessible, clear, and meaningful”, and describes the organization’s data processing activities, including information about the data collected, processing purposes, parties data is shared with, and ways to exercise consumer rights. Companies’ contact method must be secure, reliable, and easy for consumers to use to make requests or appeal controllers’ decisions, and be able to verify their identities as needed.

Purpose limitation defined by the DPDPA

Controllers can process personal data for the purpose(s) that they have communicated, as long as the processing is “adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer” If the purposes for processing change, the controller must provide new notification, and, where relevant, obtain new data subject consent. In some cases, like with children’s data, consent must be obtained from a parent or guardian before processing, rather than enabling opt-out later.

Data security defined by the DPDPA

Controllers must establish and maintain reasonable administrative, technical, and physical data security practices for personal data under their control, including deidentified data, and “protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue”. Processors working with/for controllers are also responsible for safeguarding personal data they have access to, and obligations should be established contractually prior to processing.

Data protection assessments (DPA) defined by the DPDPA

Controllers are required to perform data protection assessments (DPA), also known as data protection impact assessments, for “processing activities that present a heightened risk of harm to a consumer.” Such activities could include:

• processing for the purposes of targeted advertising
• processing sensitive data
• sale of personal data
• processing for the purposes of profiling if there is a reasonably foreseeable or heightened risk of harm to consumers

The DPDPA also generally requires a controller that processes the data of at least 100,000 consumers to perform DPAs.

The Attorney General can require a data controller to conduct or disclose a DPA and share the results of one in the course of an investigation. The AG can also weigh a DPA to determine if it is sufficient for compliance purposes.

Consent requirements defined by the DPDPA

For many circumstances user consent is not required by Delaware’s privacy law before personal data is collected or processed. Prior consent is required to access sensitive data or children’s data, for example, or if the organization’s data processing purposes change. Controllers must provide clear notification about what data is collected and processed, purposes for use, who it’s shared with, consumers’ rights and how to exercise them, etc. to ensure that consumers are reasonably informed and able to make requests or opt out of data processing.

In addition to providing information about how consumers can opt out, controllers must provide information so consumers know that they can change or revoke previous consent later. Revoking consent must be as easy to do as giving it. If a consumer does this, data processing should stop immediately, but at most no more than 15 days after receipt of the request.

Nondiscrimination defined by the DPDPA
Like other US privacy laws, Delaware’s regulation prohibits discrimination against consumers, including discrimination for exercising their rights under the law. For example, if a consumer opts out of data processing on a website, that individual cannot be blocked from accessing the site or its functions.There are, however, some web or app features and functions that will not work without certain cookies or trackers being activated, so if a consumer opts out and they no longer work optimally, this is not discriminatory.

Processing personal data is also prohibited if doing so would violate other state or federal laws governing discrimination.

Controllers can offer voluntary incentives to consumers for their participation in activities that collect personal data, e.g. newsletter signups, surveys, or loyalty programs. Such offers must be reasonable and proportionate to the request and type and amount of data collected so, though, as not to look like payments for consent, which data protection authorities frown upon. Consumers who decline such offers also cannot be discriminated against, e.g. by not having access to comparable offers or being charged a different price for goods or services.

Third-party contracts defined by the DPDPA

Processors need to assist controllers in meeting their obligations under the law, which include restricting processes to publicized purposes, safeguarding personal data, and providing information enabling data protection assessments.

There needs to be a contract in place between the controller and processor prior to data collection. Such contracts are binding on both sides and need to include:

Universal opt-out mechanism

Not all US state-level privacy laws include requirements for a universal opt-out mechanism, aka global opt-out signal or Global Privacy Control, however it’s becoming more common with some of the more recently passed data privacy laws. The Delaware Personal Data Privacy Act does include this mechanism, though organizations have a year from when the law comes into effect to begin accepting it, beginning in January 2025.

This mechanism enables consumers to set and communicate their preferences with regards to the processing of their personal data once, e.g. in their web browser, and then they’re communicated to all websites or other platforms or services that the consumer uses that can detect the signal.

Delaware’s enforcement for the DPDPA will be similar to that of other US states in that it is centralize, though there is some coordination with existing consumer protection laws in the state as well.

Enforcement of the Delaware Personal Data Privacy Act is under the Attorney General and Department of Justice.

Consumer complaints about controllers’ data processing or denial of consumer requests can be submitted to the Attorney General, which will notify an organization of any complaint and if an investigation is launched. The Attorney General can require data protection assessments and other information from controllers in the course of investigation or to ensure they are being done compliantly.

Controllers have to provide information and a process to consumers not only to exercise their rights, but to lodge an appeal if the controller refuses to take action on a request, either within a reasonable amount of time or at all. This appeal process must be similar to the process to make a request and just as easy to do.

If a consumer complains, the controller has 60 days from receiving this appeal to reply to the consumer about any action taken, including written explanation of reasons for the decision. Controllers also have to provide consumers with an online mechanism, if possible, or another way to contact the Department of Justice to submit a further complaint if the controller does not resolve issues with the consumer.

The DOJ can decide to issue a notice of violation to a controller, e.g. resulting from a complaint. As previously noted, consumers do not have private right of action under the DPDPA.

If the Department of Justice determines a violation has occurred, but can be “cured”, in addition to notifying the controller of the violation, they can provide 60 days for the controller to fix the issue and prevent it from recurring.

If the controller fails to cure the violation within 60 days, the DOJ may initiate enforcement proceedings. The DOJ considers the following in determining if enforcement is warranted:

• number of violations
• size and complexity of the controller or processor
• nature and extent of the controller’s or processor’s processing activities
• substantial likelihood of injury to the public
• safety of persons or property
• whether such alleged violation was likely caused by human or technical error
• extent to which the controller or processor has violated this or similar laws in the past

The cure period for the DPDPA sunsets on January 1, 2026, the consideration being that by then organizations should know their responsibilities and be ensuring compliance. The DOJ can still decide to offer a cure period, but it will be entirely at their discretion.

The DPDPA doesn’t provide a specific amount for fines, however it does reference Subchapter II of Chapter 25 of Title 29, which states that the Attorney General has standing to investigate, initiate administrative proceedings, sanction unlawful conduct, and/or seek remedies on behalf of the state for violations (of a variety of provisions relating to consumer protection).

Entities found to have willfully violated the law can be ordered to pay up to US $10,000 per violation.

Delaware’s law is based on an opt out consent model, so consent does not need to be obtained before collecting or processing personal data in many circumstances like it does in the European Union, for example.

Consumers do have to be informed about data collection and use, parties with access, and what their rights are and how to exercise them. This information and a comprehensive privacy notice need to be clear and easily accessible, e.g. on the organization’s website.

Consumers do need to be able to opt out of processing of their data or be able to change or revoke their previous consent preferences. This can be managed via a consent management platform like Usercentrics CMP for Website Consent Management or App Consent Management.

As of 2026, organizations must also recognize and respect consumers’ consent preferences as expressed via a universal opt-out signal.

Use of a CMP can streamline provision of information about categories of data and specific services in use by the controller and/or processor(s), and third parties with whom data is shared. The DPDPA does require providing consumers with clear, granular information about this.

The United States still only has a patchwork of state-level privacy laws and not a single federal one, so many companies doing business across the country, or foreign organizations doing business in the US, may need to comply with a variety of state data protection laws.

A CMP can make this easier by enabling banner customization and geotargeting. Data processing, consent information and choices for specific regulations can be presented based on specific user location. Geotargeting can also improve clarity and user experience by presenting this information in the user’s preferred language.

Organizations doing business in Delaware have until January 2025 to prepare for compliance with the DPDPA. The Department of Justice will be conducting educational outreach by July 2024.

Companies that achieve compliance with other state-level regulations, like California’s CCPA/CPRA have done much of the work toward DPDPA compliance. Organizations always need to be clear on specific states’ laws’ unique stipulations and should always consult qualified legal counsel and/or their own data protection officer (DPO) or privacy expert. A privacy by design approach will also benefit an organizations’ operations beyond data privacy compliance.

Being proactive about protecting user privacy is valuable in business operations. It builds user engagement and trust, improves user experiences, and strengthens customer relationships long-term. These help produce more high-quality data for marketing operations and contribute to increased revenue.

If you have questions or interest in implementing a consent management platform to help achieve compliance with privacy laws in the United States and around the world, talk to one of our experts.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.