{"id":444,"date":"2024-01-05T15:33:41","date_gmt":"2024-01-05T14:33:41","guid":{"rendered":"https:\/\/stage.usercentrics.com\/?post_type=knowledge&#038;p=32689"},"modified":"2025-06-26T11:53:26","modified_gmt":"2025-06-26T09:53:26","slug":"delaware-digital-personal-data-protection-act-dpdpa","status":"publish","type":"knowledge","link":"https:\/\/usercentrics.com\/us\/knowledge-hub\/delaware-digital-personal-data-protection-act-dpdpa\/","title":{"rendered":"Delaware Personal Data Privacy Act (DPDPA): An Overview"},"content":{"rendered":"\n\n<h2 class=\"wp-block-heading\">Introduction to the Delaware Data Privacy Act <\/h2>\n<p>Delaware\u2019s was the eighth state-level data privacy law passed in the United States in 2023 from <a href=\"https:\/\/legis.delaware.gov\/BillDetail?LegislationId=140388\" target=\"_blank\" rel=\"noopener\">House Bill 154<\/a>, and the twelfth comprehensive privacy law passed to date. <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/florida-digital-bill-of-rights-fdbr\/\">Florida\u2019s Digital Bill of Rights<\/a> is more narrow in scope and not always included. <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/nevada-privacy-of-information-collected-on-the-internet-from-consumers-act-amendment-sb-260\/\">Nevada\u2019s Privacy of Information Collected on the Internet from Consumers Act (NPICICA)<\/a> and Amendment SB-260 are also limited in scope and the original Act was passed in 2018.<\/p>\n<p>The United States does not have a federal data privacy law, though as of July 10, 2023 it does have the new <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/eu-us-data-privacy-framework\/\">EU-U.S. Data Privacy Framework<\/a> adequacy agreement with the European Union. The EU and US had been without such an agreement since 2020 when the previous Privacy Shield was struck down.<\/p>\n<p>Signed into law by Governor John Carney on September 11, 2023, the Delaware privacy regulation goes into effect January 1, 2025, the same date as <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/iowa-consumer-data-protection-act-icdpa\/\">Iowa\u2019s Consumer Data Protection Act (ICDPA)<\/a>. It also provides for an additional year for organizations to begin recognizing universal opt-out mechanisms. Delaware\u2019s Department of Justice (DOJ) plans to initiate an outreach period no later than July 1, 2024 to inform businesses of their obligations and consumers of their rights under the DPDPA.<\/p>\n<p>Delaware\u2019s privacy law is one of the more consumer-friendly state-level data privacy laws, though not quite as strict as <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/california-consumer-privacy-act\/\">California\u2019s Consumer Privacy Act (CCPA)<\/a> and <a href=\"\/knowledge-hub\/california-privacy-rights-act-cpra-enforcement-begins\/\">California Privacy Rights Act (CPRA)<\/a>. It does apply to a broader range of companies of all sizes as well, and doesn\u2019t specifically target large businesses, like Florida\u2019s law, or exclude small ones, like the <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/texas-data-privacy-and-security-act\/\">Texas Data Privacy and Security Act (TDPSA)<\/a>.<\/p>\n\n\n<h2 class=\"wp-block-heading\">What is the Delaware data privacy act?<\/h2>\n<p>Delaware\u2019s data privacy law protects the privacy and personal data rights of the state\u2019s one-million residents, i.e. people acting in individual or household contexts, not in any employment capacity. The law also establishes data privacy responsibilities for companies conducting business in the state and\/or providing goods and services targeted to Delaware residents.<\/p>\n<h4>Privacy notice requirements<\/h4>\n<p>Data controllers, defined under the law as \u201ca person that, alone or jointly with others, determines the purpose and means of processing personal data\u201d must provide consumers with a privacy notice that is \u201caccessible, clear, and meaningful\u201d. The notice has to describe the organization\u2019s data processing operations, and include:<\/p>\n<ul>\n<li>categories of personal data collected and processed<\/li>\n<li>purposes of processes<\/li>\n<li>categories of personal data shared with third parties<\/li>\n<li>categories of recipients of personal data<\/li>\n<li>how consumers can exercise their data privacy rights, including opt-out<\/li>\n<li>how consumers can appeal a controller\u2019s decision (e.g. denial of a data subject access request)<\/li>\n<li>an active email address or other \u201csecure and reliable\u201d digital mode of contact for the controller<\/li>\n<li>\u201cclear and conspicuous disclosure if the controller sells personal data or uses it for targeted purposes<\/li>\n<\/ul>\n<h4>Opt-out consent model<\/h4>\n<p>Like all other US data privacy laws, the DPDPA uses an opt-out model, so controllers can collect personal data without needing data subjects\u2019 consent in many cases. Consumers do have the right to opt out of data collection and use, which includes sale, targeted advertising, or profiling \u201cin furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer\u201d, and must be provided with information about and mechanisms to do so.<\/p>\n<p>The law notes that controllers must provide <em>\u201ca clear and conspicuous link on the controller\u2019s Internet web site to an Internet web page that enables a consumer, or an agent of the consumer, to opt out of the targeted advertising or the sale of the consumer\u2019s personal data.\u201d<\/em><\/p>\n<p>Additionally,<em> \u201cNot later than [one year following the effective date of this Act], allowing a consumer to opt out of any processing of the consumer\u2019s personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent, with such consumer\u2019s consent, by a platform, technology, or mechanism to the controller indicating such consumer\u2019s intent to opt out of any such processing or sale.\u201d<\/em><\/p>\n<h4>Definitions in the Delaware Personal Data Privacy Act<\/h4>\n<p><strong>Personal data under the DPDPA<\/strong><\/p>\n<p>Refers to<em> \u201cany information that is linked or reasonably linkable to an identified or identifiable individual, and does not include de-identified data or publicly available information\u201d<\/em>.<\/p>\n<p>It should be noted that personal data (also called personal information) and <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/personally-identifiable-information-vs-personal-data\/\">personally identifiable data<\/a> are not always the same thing, and distinctions are often made in data privacy laws.<\/p>\n<h4>Sensitive data under the DPDPA<\/h4>\n<p>Sensitive data is a category that includes types of personal data that could be embarrassing or used to do harm if unlawfully accessed or misused, and thus requires special handling and under the DPDPA cannot be collected or used without prior user consent. Delaware\u2019s privacy law specifically refers to personal data that would reveal any of the following:<\/p>\n<ul>\n<li>racial or ethnic origin<\/li>\n<li>religious beliefs<\/li>\n<li>mental or physical health condition or diagnosis (including pregnancy)<\/li>\n<li>sex life or sexual orientation, including status as transgender or nonbinary<\/li>\n<li>national origin<\/li>\n<li>citizenship or immigration status<\/li>\n<li>genetic or biometric data<\/li>\n<li>personal data of a known child<\/li>\n<li>precise geolocation data (with precision and accuracy within a radius of 1,750 feet)<\/li>\n<\/ul>\n<p>Delaware\u2019s law is the second of the US privacy laws, after Oregon\u2019s, to include transgender or nonbinary gender expression as sensitive data.<\/p>\n<h4>Consent under the DPDPA<\/h4>\n<p>Like many other data privacy laws, the Delaware data privacy law follows the <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/the-eu-general-data-protection-regulation\/\">European Union\u2019s General Data Protection Regulation (GDPR)<\/a> with regards to the definition of valid consent: \u201c<em>a clear affirmative act signifying a consumer\u2019s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer.\u201d<\/em><\/p>\n<p>To provide additional clarity,<em> \u201cConsent\u201d may include a written statement, including by electronic means, or any other unambiguous affirmative action.\u201d<\/em> Under the DPDPA, consent does not include:<\/p>\n<ul>\n<li><em>acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information<\/em><\/li>\n<li><em>hovering over, muting, pausing, or closing a given piece of content<\/em><\/li>\n<li><em>agreement obtained through the use of <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/dark-patterns-and-how-they-affect-consent\/\">dark patterns<\/a><\/em><\/li>\n<\/ul>\n<p><strong>Consumer under the DPDPA<\/strong><\/p>\n<p>Refers to <em>\u201can individual who is a resident of [Delaware]\u201d<\/em>.<\/p>\n<p>The definition does not include <em>\u201can individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit organization, or government agency whose communications or transactions with the controller occur solely within the context of that individual\u2019s role with the company, partnership, sole proprietorship, nonprofit organization, or government agency.\u201d<\/em><\/p>\n<p><strong>Controller under the DPDPA<\/strong><\/p>\n<p>Businesses and other organizations that collect and use personal data will likely qualify as controllers, though the law uses the word \u201cperson\u201d. Controller is defined as <em>\u201ca person that, alone or jointly with others, determines the purpose and means of processing personal data.\u201d<\/em><\/p>\n<p><strong>Processor under the DPDPA<\/strong><\/p>\n<p>Like controller, while the law references a person, in most cases this is likely to be done by a company or other organization. Processor is defined as <em>\u201ca person that processes personal data on behalf of a controller.\u201d<\/em> It could include third parties like advertising partners or fulfillment companies.<\/p>\n<p><strong>Profiling under the DPDPA<\/strong><\/p>\n<p>Profiling is increasingly becoming a standard inclusion in data privacy laws, particularly as it can relate to \u201cautomated decision-making\u201d or the use of AI technologies. The Delaware data protection law defines profiling as <em>\u201cany form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual\u2019s economic situation, health, demographic characteristics, personal preferences, interests, reliability, behavior, location, or movements.\u201d<\/em><\/p>\n<p><strong>Targeted advertising under the DPDPA<\/strong><\/p>\n<p>This is also increasingly becoming a standard inclusion in data privacy laws, and can refer to the use of emerging technologies like AI tools. The Delaware data privacy law defines targeted advertising as <em>\u201cdisplaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer\u2019s activities over time and across nonaffiliated Internet web sites or online applications to predict such consumer\u2019s preferences or interests.\u201d<\/em><\/p>\n<p>The following are not included in the definition of targeted advertising:<\/p>\n<ul>\n<li>advertisements based on activities within a controller\u2019s own Internet web sites or online applications<\/li>\n<li>advertisements based on the context of a consumer\u2019s current search query, visit to an Internet web site, or online application<\/li>\n<li>advertisements directed to a consumer in direct response to the consumer\u2019s request for information or feedback<\/li>\n<li>processing personal data solely to measure or report advertising frequency, performance or reach<\/li>\n<\/ul>\n<p><strong>Sale under the DPDPA<\/strong><\/p>\n<p>Refers to <em>\u201cthe exchange or transfer of personal data for monetary or other valuable consideration by the controller to a third party\u201d<\/em>.<\/p>\n<p>Exclusions to the definition of sale include disclosures of personal data:<\/p>\n<ul>\n<li>to a processor that processes the personal data on behalf of the controller where limited to the purpose of such processing<\/li>\n<li>to a third party for purposes of providing a product or service affirmatively requested by the consumer<\/li>\n<li>or transfer of personal data to an affiliate of the controller<\/li>\n<li>where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party<\/li>\n<li>that the consumer intentionally made available to the general public via a channel of mass media, and did not restrict to a specific audience<\/li>\n<li>or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other similar transaction in which the third party<\/li>\n<li>assumes control of all or part of the controller\u2019s assets, or a proposed merger, acquisition, bankruptcy, or other similar transaction in which the third party assumes control of all or part of the controller\u2019s assets<\/li>\n<\/ul>\n\n\n<h2 class=\"wp-block-heading\">What is covered in the Delaware data privacy act?<\/h2>\n<p>The DPDPA mainly affects commercial companies, but it can potentially apply to any organization processing personal data that meets the compliance threshold criteria.<\/p>\n<h4>Who has to comply with the Delaware data privacy law?<\/h4>\n<p>The Delaware privacy law\u2019s compliance thresholds have some smaller numbers than other comparable laws in the US, but this is not surprising given the state\u2019s small population of one million people. California, by comparison, has 40 million. The smaller numbers will also mean that the law will apply to more smaller businesses.<\/p>\n<p>Delaware\u2019s law continues a trend of recent US state-level privacy laws in that it has no revenue-only threshold for compliance, i.e. a company making X amount of revenue has to comply, solely based on that dollar amount.<\/p>\n<p>The compliance thresholds are for the preceding calendar year if an organization:<\/p>\n<ul>\n<li>controlled or processed the personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction<\/li>\n<\/ul>\n<p>or<\/p>\n<ul>\n<li>controlled or processed the personal data of not less than 10,000 consumers and derived more than 20% of its gross revenue from the sale of personal data<\/li>\n<\/ul>\n<h4>Exemptions to Delaware Personal Data Privacy Act compliance<\/h4>\n<p>The DPDPA\u2019s exemptions are fairly standard, and include exemptions for data processing governed by federal law, e.g. Health Insurance Portability and Accountability Act (HIPAA) or Gramm-Leach-Bliley Act (GLBA).<\/p>\n<p><strong>Exempted entities and their services\/activities include:<\/strong><\/p>\n<ul>\n<li>governmental agencies, including regulatory, administrative, legislative or judicial bodies<\/li>\n<li>public health organizations<\/li>\n<li>financial institutions (also entities and affiliates subject to the GLBA)<\/li>\n<li>press, wire, or other information service (and non-commercial activities of media entities)<\/li>\n<li>victims or witnesses of criminal activities<\/li>\n<\/ul>\n<p><strong>Exempted regulations (and data processed relevant to them) include:<\/strong><\/p>\n<ul>\n<li>Health Insurance Portability and Accountability Act (HIPAA)<\/li>\n<li>Gramm-Leach-Bliley Act (GLBA)<\/li>\n<li>Fair Credit Reporting Act (FCRA)<\/li>\n<li>Driver\u2019s Privacy Protection Act<\/li>\n<li>Family Educational Rights and Privacy Act (FERPA)<\/li>\n<li>Farm Credit Act<\/li>\n<li>Airline Deregulation Act<\/li>\n<\/ul>\n\n\n<h2 class=\"wp-block-heading\">Consumers\u2019 rights under the Delaware personal data protection law <\/h2>\n<p>Consumers\u2019 rights under the DPDPA are fairly standard compared to other comprehensive privacy laws in the US:<\/p>\n<ul style=\"list-style-type: square;\">\n<li>Right to access: confirmation if the controller is processing the consumer\u2019s personal information and access to that data and information about third parties it\u2019s shared with, with exceptions<\/li>\n<li>Right to disclosure: a list of the categories of third parties to which the controller has disclosed the consumer\u2019s personal data<\/li>\n<li>Right to correction: any inaccurate or outdated information the controller has that was provided by the consumer<\/li>\n<li>Right to delete: any personal data the controller has about or from the consumer (with some exceptions)<\/li>\n<li>Right to portability: obtain a copy of the consumer\u2019s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions<\/li>\n<li>Right not to be discriminated against: controllers cannot unlawfully discriminate against consumers, including for exercising their rights<\/li>\n<li>Right to opt out: of sale of personal data, targeted advertising, or profiling \u201cin furtherance of solely automated decisions that produce legal or similarly significant effects\u201d concerning the consumer<\/li>\n<\/ul>\n<p>Consumers can designate an authorized agent to opt out of personal data processing for them. This is particularly relevant as the DPDPA includes a requirement for controllers to recognize the universal opt-out signal, which will come into effect a year after the law takes effect.<\/p>\n<h4>Coverage for children under the DPDPA<\/h4>\n<p>Parents or legal guardians of children can exercise the rights of children, whose data is considered sensitive by default. Because of this designation, consent is required before children\u2019s data can be collected or used. Like a number of the other US data privacy laws, Delaware\u2019s law defers to the federal <a href=\"\/knowledge-hub\/childrens-online-privacy-protection-act-coppa\/\">Children\u2019s Online Privacy Protection Act (COPPA)<\/a> regarding rights, responsibilities and protections for children and their data online, including for the definition of a child, which is a person under the age of 13.<\/p>\n<h4>Consumer requests under the DPDPA<\/h4>\n<p>Consumers can make one free request to a controller to exercise their rights, e.g. getting a copy of their data, every 12 months. A controller can deny requests from a consumer that are \u201cmanifestly unfounded, excessive or repetitive\u201d. Reasonable reasons to deny a request could also include if the consumer\u2019s identity cannot reasonably be verified, or if too many requests are received in a 12-month period.<\/p>\n<p>The controller may charge the consumer a reasonable fee to cover the administrative costs of complying with such a request if it\u2019s \u201cmanifestly unfounded, excessive or repetitive\u201d. However, in such an instance, the controller is responsible for demonstrating that it is.<\/p>\n<p>An organization has 45 days to respond, though should respond without \u201cundue delay\u201d, though they have the option to extend that by another 45 days if reasonably necessary.<\/p>\n<h4>Private right of action under the DPDPA<\/h4>\n<p>California continues to be the only US state that enables privacy right of action under their data privacy law. That means that consumers can sue controllers in the event of a violation of the law. Delaware\u2019s law does not include private right of action, and enforcement falls under the state\u2019s Department of Justice.<\/p>\n\n\n<h2 class=\"wp-block-heading\">How does the new Delaware data privacy act affect businesses?<\/h2>\n<p>The DPDPA is fairly similar to other US privacy law requirements regarding notifications, data access, use, and security. Because of the lower threshold numbers for compliance, it will also likely affect more businesses. The law also includes particular responsibilities for data processors, particularly relating to complying with controllers\u2019 requirements, assisting with enabling consumers to exercise their rights, e.g. with access requests, and ensuring adequate safeguards for collected data.<\/p>\n<h4>How to comply with the Delaware data privacy act<\/h4>\n<p><strong>Notifications defined by the DPDPA<\/strong><\/p>\n<p>Controllers must provide a privacy notice that is \u201caccessible, clear, and meaningful\u201d, and describes the organization\u2019s data processing activities, including information about the data collected, processing purposes, parties data is shared with, and ways to exercise consumer rights. Companies\u2019 contact method must be secure, reliable, and easy for consumers to use to make requests or appeal controllers\u2019 decisions, and be able to verify their identities as needed.<\/p>\n<p><strong>Purpose limitation defined by the DPDPA<\/strong><\/p>\n<p>Controllers can process personal data for the purpose(s) that they have communicated, as long as the processing is <em>\u201cadequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer\u201d<\/em> If the purposes for processing change, the controller must provide new notification, and, where relevant, obtain new data subject consent. In some cases, like with children\u2019s data, consent must be obtained from a parent or guardian before processing, rather than enabling opt-out later.<\/p>\n<p><strong>Data security defined by the DPDPA<\/strong><\/p>\n<p>Controllers must establish and maintain reasonable administrative, technical, and physical data security practices for personal data under their control, including deidentified data, and <em>\u201cprotect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue\u201d<\/em>. Processors working with\/for controllers are also responsible for safeguarding personal data they have access to, and obligations should be established contractually prior to processing.<\/p>\n<p><strong>Data protection assessments (DPA) defined by the DPDPA<\/strong><\/p>\n<p>Controllers are required to perform data protection assessments (DPA), also known as data protection impact assessments, for <em>\u201cprocessing activities that present a heightened risk of harm to a consumer.\u201d<\/em> Such activities could include:<\/p>\n<ul>\n<li>processing for the purposes of targeted advertising<\/li>\n<li>processing sensitive data<\/li>\n<li>sale of personal data<\/li>\n<li>processing for the purposes of profiling if there is a reasonably foreseeable or heightened risk of harm to consumers<\/li>\n<\/ul>\n<p>The DPDPA also generally requires a controller that processes the data of at least 100,000 consumers to perform DPAs.<\/p>\n<p>The Attorney General can require a data controller to conduct or disclose a DPA and share the results of one in the course of an investigation. The AG can also weigh a DPA to determine if it is sufficient for compliance purposes.<\/p>\n<p><strong>Consent requirements defined by the DPDPA<\/strong><\/p>\n<p>For many circumstances user consent is not required by Delaware\u2019s privacy law before personal data is collected or processed. Prior consent is required to access sensitive data or children\u2019s data, for example, or if the organization\u2019s data processing purposes change. Controllers must provide clear notification about what data is collected and processed, purposes for use, who it\u2019s shared with, consumers\u2019 rights and how to exercise them, etc. to ensure that consumers are reasonably informed and able to make requests or opt out of data processing.<\/p>\n<p>In addition to providing information about how consumers can opt out, controllers must provide information so consumers know that they can change or revoke previous consent later. Revoking consent must be as easy to do as giving it. If a consumer does this, data processing should stop immediately, but at most no more than 15 days after receipt of the request.<\/p>\n<p><strong>Nondiscrimination defined by the DPDPA<\/strong><br \/>\nLike other US privacy laws, Delaware\u2019s regulation prohibits discrimination against consumers, including discrimination for exercising their rights under the law. For example, if a consumer opts out of data processing on a website, that individual cannot be blocked from accessing the site or its functions.There are, however, some web or app features and functions that will not work without certain cookies or trackers being activated, so if a consumer opts out and they no longer work optimally, this is not discriminatory.<\/p>\n<p>Processing personal data is also prohibited if doing so would violate other state or federal laws governing discrimination.<\/p>\n<p>Controllers can offer voluntary incentives to consumers for their participation in activities that collect personal data, e.g. newsletter signups, surveys, or loyalty programs. Such offers must be reasonable and proportionate to the request and type and amount of data collected so, though, as not to look like payments for consent, which data protection authorities frown upon. Consumers who decline such offers also cannot be discriminated against, e.g. by not having access to comparable offers or being charged a different price for goods or services.<\/p>\n<p><strong>Third-party contracts defined by the DPDPA<\/strong><\/p>\n<p>Processors need to assist controllers in meeting their obligations under the law, which include restricting processes to publicized purposes, safeguarding personal data, and providing information enabling data protection assessments.<\/p>\n<p>There needs to be a contract in place between the controller and processor prior to data collection. Such contracts are binding on both sides and need to include:<\/p>\n\n\n<div class=\"uc-notice\">\n    <div class=\"uc-notice__icon\">\n        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M10.8177 17.0093H12.8177V11.0093H10.8177V17.0093ZM11.8177 9.00928C12.1011 9.00928 12.3386 8.91344 12.5302 8.72178C12.7219 8.53011 12.8177 8.29261 12.8177 8.00928C12.8177 7.72594 12.7219 7.48844 12.5302 7.29678C12.3386 7.10511 12.1011 7.00928 11.8177 7.00928C11.5344 7.00928 11.2969 7.10511 11.1052 7.29678C10.9136 7.48844 10.8177 7.72594 10.8177 8.00928C10.8177 8.29261 10.9136 8.53011 11.1052 8.72178C11.2969 8.91344 11.5344 9.00928 11.8177 9.00928ZM11.8177 22.0093C10.4344 22.0093 9.13442 21.7468 7.91775 21.2218C6.70108 20.6968 5.64275 19.9843 4.74275 19.0843C3.84275 18.1843 3.13025 17.1259 2.60525 15.9093C2.08025 14.6926 1.81775 13.3926 1.81775 12.0093C1.81775 10.6259 2.08025 9.32594 2.60525 8.10928C3.13025 6.89261 3.84275 5.83428 4.74275 4.93428C5.64275 4.03428 6.70108 3.32178 7.91775 2.79678C9.13442 2.27178 10.4344 2.00928 11.8177 2.00928C13.2011 2.00928 14.5011 2.27178 15.7177 2.79678C16.9344 3.32178 17.9928 4.03428 18.8927 4.93428C19.7927 5.83428 20.5052 6.89261 21.0302 8.10928C21.5552 9.32594 21.8177 10.6259 21.8177 12.0093C21.8177 13.3926 21.5552 14.6926 21.0302 15.9093C20.5052 17.1259 19.7927 18.1843 18.8927 19.0843C17.9928 19.9843 16.9344 20.6968 15.7177 21.2218C14.5011 21.7468 13.2011 22.0093 11.8177 22.0093Z\" fill=\"black\"\/>\n<\/svg>\n    <\/div>\n    <div class=\"uc-notice__content\">\n                <ul>\n<li>duty of confidentiality<\/li>\n<li>clear instructions for processing data, including:\n<ul>\n<li>nature and purpose of the processing<\/li>\n<li>type of data that is subject to processing<\/li>\n<li>duration of the processing<\/li>\n<\/ul>\n<\/li>\n<li>rights and obligations of both parties<\/li>\n<li>the processor must delete or return the personal data to the controller at the controller\u2019s direction or at the end of the provision of services, unless there are superseding legal requirements for the processor<\/li>\n<li>the processor must provide the controller (upon request) all information needed to verify that the processor has complied with all of their contractual obligations to the controller<\/li>\n<li>if the processor engages any subcontractors, they must have contracts in place as well to ensure they comply with all requirements of the controller<\/li>\n<\/ul>\n            <\/div>\n<\/div>\n\n\n\n\n<p><strong>Universal opt-out mechanism<\/strong><\/p>\n<p>Not all US state-level privacy laws include requirements for a universal opt-out mechanism, aka global opt-out signal or <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/what-is-global-privacy-control\/\">Global Privacy Control<\/a>, however it\u2019s becoming more common with some of the more recently passed data privacy laws. The Delaware Personal Data Privacy Act does include this mechanism, though organizations have a year from when the law comes into effect to begin accepting it, beginning in January 2025.<\/p>\n<p>This mechanism enables consumers to set and communicate their preferences with regards to the processing of their personal data once, e.g. in their web browser, and then they\u2019re communicated to all websites or other platforms or services that the consumer uses that can detect the signal.<\/p>\n\n\n<h2 class=\"wp-block-heading\">What happens if you violate the Delaware data privacy regulation?<\/h2>\n<p>Delaware\u2019s enforcement for the DPDPA will be similar to that of other US states in that it is centralize, though there is some coordination with existing consumer protection laws in the state as well.<\/p>\n<h4>DPDPA enforcement<\/h4>\n<p>Enforcement of the Delaware Personal Data Privacy Act is under the Attorney General and Department of Justice.<\/p>\n<p>Consumer complaints about controllers\u2019 data processing or denial of consumer requests can be submitted to the Attorney General, which will notify an organization of any complaint and if an investigation is launched. The Attorney General can require data protection assessments and other information from controllers in the course of investigation or to ensure they are being done compliantly.<\/p>\n<h4>Consumer complaints under the DPDPA<\/h4>\n<p>Controllers have to provide information and a process to consumers not only to exercise their rights, but to lodge an appeal if the controller refuses to take action on a request, either within a reasonable amount of time or at all. This appeal process must be similar to the process to make a request and just as easy to do.<\/p>\n<p>If a consumer complains, the controller has 60 days from receiving this appeal to reply to the consumer about any action taken, including written explanation of reasons for the decision. Controllers also have to provide consumers with an online mechanism, if possible, or another way to contact the Department of Justice to submit a further complaint if the controller does not resolve issues with the consumer.<\/p>\n<p>The DOJ can decide to issue a notice of violation to a controller, e.g. resulting from a complaint. As previously noted, consumers do not have private right of action under the DPDPA.<\/p>\n<h4>Cure period and sunset provision under the DPDPA<\/h4>\n<p>If the Department of Justice determines a violation has occurred, but can be \u201ccured\u201d, in addition to notifying the controller of the violation, they can provide 60 days for the controller to fix the issue and prevent it from recurring.<\/p>\n<p>If the controller fails to cure the violation within 60 days, the DOJ may initiate enforcement proceedings. The DOJ considers the following in determining if enforcement is warranted:<\/p>\n<ul>\n<li>number of violations<\/li>\n<li>size and complexity of the controller or processor<\/li>\n<li>nature and extent of the controller\u2019s or processor\u2019s processing activities<\/li>\n<li>substantial likelihood of injury to the public<\/li>\n<li>safety of persons or property<\/li>\n<li>whether such alleged violation was likely caused by human or technical error<\/li>\n<li>extent to which the controller or processor has violated this or similar laws in the past<\/li>\n<\/ul>\n<p>The cure period for the DPDPA sunsets on January 1, 2026, the consideration being that by then organizations should know their responsibilities and be ensuring compliance. The DOJ can still decide to offer a cure period, but it will be entirely at their discretion.<\/p>\n<h4>Fines and penalties<\/h4>\n<p>The DPDPA doesn\u2019t provide a specific amount for fines, however it does reference <a href=\"https:\/\/delcode.delaware.gov\/title29\/c025\/sc02\/index.html\" target=\"_blank\" rel=\"noopener\">Subchapter II of Chapter 25 of Title 29<\/a>, which states that the Attorney General has standing to investigate, initiate administrative proceedings, sanction unlawful conduct, and\/or seek remedies on behalf of the state for violations (of a variety of provisions relating to consumer protection).<\/p>\n<p>Entities found to have willfully violated the law can be ordered to pay up to US $10,000 per violation.<\/p>\n\n\n<h2 class=\"wp-block-heading\">The Delaware Personal Data Privacy Act and consent management<\/h2>\n<p>Delaware\u2019s law is based on an opt out consent model, so consent does not need to be obtained before collecting or processing personal data in many circumstances like it does in the European Union, for example.<\/p>\n<p>Consumers do have to be informed about data collection and use, parties with access, and what their rights are and how to exercise them. This information and a comprehensive privacy notice need to be clear and easily accessible, e.g. on the organization\u2019s website.<\/p>\n<p>Consumers do need to be able to opt out of processing of their data or be able to change or revoke their previous consent preferences. This can be managed via a consent management platform like <a href=\"https:\/\/usercentrics.com\/website-consent-management\/\">Usercentrics CMP for Website Consent Management<\/a> or <a href=\"https:\/\/usercentrics.com\/in-app-sdk\/\">App Consent Management<\/a>.<\/p>\n<p>As of 2026, organizations must also recognize and respect consumers\u2019 consent preferences as expressed via a universal opt-out signal.<\/p>\n<p>Use of a CMP can streamline provision of information about categories of data and specific services in use by the controller and\/or processor(s), and third parties with whom data is shared. The DPDPA does require providing consumers with clear, granular information about this.<\/p>\n<p>The United States still only has a patchwork of state-level privacy laws and not a single federal one, so many companies doing business across the country, or foreign organizations doing business in the US, may need to comply with a variety of state data protection laws.<\/p>\n\n\n<div class=\"uc-notice\">\n    <div class=\"uc-notice__icon\">\n        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M10.8177 17.0093H12.8177V11.0093H10.8177V17.0093ZM11.8177 9.00928C12.1011 9.00928 12.3386 8.91344 12.5302 8.72178C12.7219 8.53011 12.8177 8.29261 12.8177 8.00928C12.8177 7.72594 12.7219 7.48844 12.5302 7.29678C12.3386 7.10511 12.1011 7.00928 11.8177 7.00928C11.5344 7.00928 11.2969 7.10511 11.1052 7.29678C10.9136 7.48844 10.8177 7.72594 10.8177 8.00928C10.8177 8.29261 10.9136 8.53011 11.1052 8.72178C11.2969 8.91344 11.5344 9.00928 11.8177 9.00928ZM11.8177 22.0093C10.4344 22.0093 9.13442 21.7468 7.91775 21.2218C6.70108 20.6968 5.64275 19.9843 4.74275 19.0843C3.84275 18.1843 3.13025 17.1259 2.60525 15.9093C2.08025 14.6926 1.81775 13.3926 1.81775 12.0093C1.81775 10.6259 2.08025 9.32594 2.60525 8.10928C3.13025 6.89261 3.84275 5.83428 4.74275 4.93428C5.64275 4.03428 6.70108 3.32178 7.91775 2.79678C9.13442 2.27178 10.4344 2.00928 11.8177 2.00928C13.2011 2.00928 14.5011 2.27178 15.7177 2.79678C16.9344 3.32178 17.9928 4.03428 18.8927 4.93428C19.7927 5.83428 20.5052 6.89261 21.0302 8.10928C21.5552 9.32594 21.8177 10.6259 21.8177 12.0093C21.8177 13.3926 21.5552 14.6926 21.0302 15.9093C20.5052 17.1259 19.7927 18.1843 18.8927 19.0843C17.9928 19.9843 16.9344 20.6968 15.7177 21.2218C14.5011 21.7468 13.2011 22.0093 11.8177 22.0093Z\" fill=\"black\"\/>\n<\/svg>\n    <\/div>\n    <div class=\"uc-notice__content\">\n                <p><strong>Learn more:<\/strong> <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/comparison-guide-to-us-state-level-data-privacy-laws\/\">Comparing US state-level data privacy laws<\/a><\/p>\n            <\/div>\n<\/div>\n\n\n\n\n<p>A CMP can make this easier by enabling banner customization and geotargeting. Data processing, consent information and choices for specific regulations can be presented based on specific user location. Geotargeting can also improve clarity and user experience by presenting this information in the user\u2019s preferred language.<\/p>\n\n\n<div class=\"uc-notice\">\n    <div class=\"uc-notice__icon\">\n        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M10.8177 17.0093H12.8177V11.0093H10.8177V17.0093ZM11.8177 9.00928C12.1011 9.00928 12.3386 8.91344 12.5302 8.72178C12.7219 8.53011 12.8177 8.29261 12.8177 8.00928C12.8177 7.72594 12.7219 7.48844 12.5302 7.29678C12.3386 7.10511 12.1011 7.00928 11.8177 7.00928C11.5344 7.00928 11.2969 7.10511 11.1052 7.29678C10.9136 7.48844 10.8177 7.72594 10.8177 8.00928C10.8177 8.29261 10.9136 8.53011 11.1052 8.72178C11.2969 8.91344 11.5344 9.00928 11.8177 9.00928ZM11.8177 22.0093C10.4344 22.0093 9.13442 21.7468 7.91775 21.2218C6.70108 20.6968 5.64275 19.9843 4.74275 19.0843C3.84275 18.1843 3.13025 17.1259 2.60525 15.9093C2.08025 14.6926 1.81775 13.3926 1.81775 12.0093C1.81775 10.6259 2.08025 9.32594 2.60525 8.10928C3.13025 6.89261 3.84275 5.83428 4.74275 4.93428C5.64275 4.03428 6.70108 3.32178 7.91775 2.79678C9.13442 2.27178 10.4344 2.00928 11.8177 2.00928C13.2011 2.00928 14.5011 2.27178 15.7177 2.79678C16.9344 3.32178 17.9928 4.03428 18.8927 4.93428C19.7927 5.83428 20.5052 6.89261 21.0302 8.10928C21.5552 9.32594 21.8177 10.6259 21.8177 12.0093C21.8177 13.3926 21.5552 14.6926 21.0302 15.9093C20.5052 17.1259 19.7927 18.1843 18.8927 19.0843C17.9928 19.9843 16.9344 20.6968 15.7177 21.2218C14.5011 21.7468 13.2011 22.0093 11.8177 22.0093Z\" fill=\"black\"\/>\n<\/svg>\n    <\/div>\n    <div class=\"uc-notice__content\">\n                <p><strong>Check out our on-demand webinar:<\/strong> <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/comparison-guide-to-us-state-level-data-privacy-laws\/\">US Data Privacy Legislation<\/a><\/p>\n            <\/div>\n<\/div>\n\n\n\n\n<h2 class=\"wp-block-heading\">Preparing for the Delaware Personal Data Privacy Act <\/h2>\n<p>Organizations doing business in Delaware have until January 2025 to prepare for compliance with the DPDPA. The Department of Justice will be conducting educational outreach by July 2024.<\/p>\n<p>Companies that achieve compliance with other state-level regulations, like <a href=\"https:\/\/usercentrics.com\/ccpa\/\">California\u2019s CCPA\/CPRA<\/a> have done much of the work toward DPDPA compliance. Organizations always need to be clear on specific states\u2019 laws\u2019 unique stipulations and should always consult qualified legal counsel and\/or their own data protection officer (DPO) or privacy expert. A <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/what-is-privacy-by-design\/\">privacy by design<\/a> approach will also benefit an organizations\u2019 operations beyond data privacy compliance.<\/p>\n<p>Being proactive about protecting user privacy is valuable in business operations. It builds user engagement and trust, improves user experiences, and strengthens customer relationships long-term. These help produce more high-quality data for marketing operations and contribute to increased revenue.<\/p>\n<p>If you have questions or interest in implementing a consent management platform to help achieve compliance with privacy laws in the United States and around the world, <a href=\"https:\/\/usercentrics.com\/book-a-consultation\/\">talk to one of our experts<\/a>.<\/p>\n\n\n<div id=\"uc-cta_69e8c929bebed\" class=\"uc-cta uc-cta--button uc-cta--primary uc-ctx--blue\">\n    <div class=\"uc-cta__inner container\">\n        <div class=\"uc-cta__content\">\n                                        <div class=\"uc-cta__heading no-default-margin\">Get started on DPDPA compliance with Usercentrics web and app CMP<\/div>\n                                                                                <\/div>\n                            <div class=\"uc-cta__section\">\n                                        <a id=\"04cfa2db-771d-424c-8b96-4343e8af59e2\" class=\"uc-button uc-button-size-m uc-button-contained  no-default-link-decoration\" href=\"https:\/\/usercentrics.com\/free-trial\/\" target=\"\"><span>Free trial for web<\/span><\/a>                                    <\/div>\n            <\/div>\n<\/div>\n    <script type=\"module\">\n        new Uc_Cta(document.getElementById(\"uc-cta_69e8c929bebed\"));\n    <\/script>\n\n\n<p><em>Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.<\/em><\/p>\n\n\n","protected":false},"excerpt":{"rendered":"<p>The Delaware Personal Data Privacy Act is the twelfth state-level data privacy law passed in the United States. It\u2019s considered one of the more consumer-friendly state-level data privacy laws. The DPDPA was signed by Delaware\u2019\u2019s governor on September 11, 2023 and comes into effect January 1, 2025.<\/p>\n","protected":false},"featured_media":2207,"template":"","meta":{"_acf_changed":false,"editor_notices":[],"footnotes":""},"tags":[],"magazine_issue":[],"magazine_tag":[],"resource_tag":[13],"class_list":["post-444","knowledge","type-knowledge","status-publish","has-post-thumbnail","hentry","resource_tag-regulations"],"acf":[],"yoast_head":"<title>Delaware Personal Data Protection Act (DPDPA) | Usercentrics<\/title>\n<meta name=\"description\" content=\"Usercentrics explains the Delaware Personal Data Protection Act (DPDPA) and what the Delaware personal data protection law means for consumers and companies.\" \/>\n<meta name=\"robots\" content=\"noindex, follow\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Delaware Personal Data Protection Act (DPDPA) | Usercentrics\" \/>\n<meta property=\"og:description\" content=\"Usercentrics explains the Delaware Personal Data Protection Act (DPDPA) and what the Delaware personal data protection law means for consumers and companies.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/usercentrics.com\/us\/knowledge-hub\/delaware-digital-personal-data-protection-act-dpdpa\/\" \/>\n<meta property=\"og:site_name\" content=\"Usercentrics - US\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/usercentrics\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-26T09:53:26+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/usercentrics.com\/wp-content\/uploads\/2024\/01\/Delaware-privacy.png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"Delaware Personal Data Protection Act (DPDPA) | Usercentrics\" \/>\n<meta name=\"twitter:site\" content=\"@usercentrics\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"20 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/delaware-digital-personal-data-protection-act-dpdpa\\\/\",\"url\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/delaware-digital-personal-data-protection-act-dpdpa\\\/\",\"name\":\"Delaware Personal Data Protection Act (DPDPA) | Usercentrics\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/delaware-digital-personal-data-protection-act-dpdpa\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/delaware-digital-personal-data-protection-act-dpdpa\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/wp-content\\\/uploads\\\/sites\\\/7\\\/2024\\\/01\\\/Delaware-privacy.png\",\"datePublished\":\"2024-01-05T14:33:41+00:00\",\"dateModified\":\"2025-06-26T09:53:26+00:00\",\"description\":\"Usercentrics explains the Delaware Personal Data Protection Act (DPDPA) and what the Delaware personal data protection law means for consumers and companies.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/delaware-digital-personal-data-protection-act-dpdpa\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/delaware-digital-personal-data-protection-act-dpdpa\\\/\"}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/delaware-digital-personal-data-protection-act-dpdpa\\\/#primaryimage\",\"url\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/wp-content\\\/uploads\\\/sites\\\/7\\\/2024\\\/01\\\/Delaware-privacy.png\",\"contentUrl\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/wp-content\\\/uploads\\\/sites\\\/7\\\/2024\\\/01\\\/Delaware-privacy.png\",\"caption\":\"Delaware Consumer Privacy Act (DPDPA)\",\"copyrightNotice\":\"\u00a9 Copyright 2026 Usercentrics GmbH\",\"creator\":{\"@type\":\"Organization\",\"name\":\"Usercentrics GmbH\"},\"creditText\":\"Image: Usercentrics GmbH\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/delaware-digital-personal-data-protection-act-dpdpa\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Resources\",\"item\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/resources\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Blog\",\"item\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Delaware Personal Data Privacy Act (DPDPA): An Overview\",\"item\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/delaware-digital-personal-data-protection-act-dpdpa\\\/\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/#website\",\"url\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/\",\"name\":\"Usercentrics - US\",\"description\":\"Consent Management Platform (CMP) Usercentrics\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/?s={search_term_string}\"}}],\"inLanguage\":\"en-US\"}]}<\/script>","yoast_head_json":{"title":"Delaware Personal Data Protection Act (DPDPA) | Usercentrics","description":"Usercentrics explains the Delaware Personal Data Protection Act (DPDPA) and what the Delaware personal data protection law means for consumers and companies.","robots":{"index":"noindex","follow":"follow"},"og_locale":"en_US","og_type":"article","og_title":"Delaware Personal Data Protection Act (DPDPA) | Usercentrics","og_description":"Usercentrics explains the Delaware Personal Data Protection Act (DPDPA) and what the Delaware personal data protection law means for consumers and companies.","og_url":"https:\/\/usercentrics.com\/us\/knowledge-hub\/delaware-digital-personal-data-protection-act-dpdpa\/","og_site_name":"Usercentrics - US","article_publisher":"https:\/\/www.facebook.com\/usercentrics","article_modified_time":"2025-06-26T09:53:26+00:00","og_image":[{"url":"https:\/\/usercentrics.com\/wp-content\/uploads\/2024\/01\/Delaware-privacy.png","type":"","width":"","height":""}],"twitter_card":"summary_large_image","twitter_title":"Delaware Personal Data Protection Act (DPDPA) | Usercentrics","twitter_site":"@usercentrics","twitter_misc":{"Est. reading time":"20 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/delaware-digital-personal-data-protection-act-dpdpa\/","url":"https:\/\/usercentrics.com\/us\/knowledge-hub\/delaware-digital-personal-data-protection-act-dpdpa\/","name":"Delaware Personal Data Protection Act (DPDPA) | Usercentrics","isPartOf":{"@id":"https:\/\/usercentrics.com\/us\/#website"},"primaryImageOfPage":{"@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/delaware-digital-personal-data-protection-act-dpdpa\/#primaryimage"},"image":{"@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/delaware-digital-personal-data-protection-act-dpdpa\/#primaryimage"},"thumbnailUrl":"https:\/\/usercentrics.com\/us\/wp-content\/uploads\/sites\/7\/2024\/01\/Delaware-privacy.png","datePublished":"2024-01-05T14:33:41+00:00","dateModified":"2025-06-26T09:53:26+00:00","description":"Usercentrics explains the Delaware Personal Data Protection Act (DPDPA) and what the Delaware personal data protection law means for consumers and companies.","breadcrumb":{"@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/delaware-digital-personal-data-protection-act-dpdpa\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":"https:\/\/usercentrics.com\/us\/knowledge-hub\/delaware-digital-personal-data-protection-act-dpdpa\/"}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/delaware-digital-personal-data-protection-act-dpdpa\/#primaryimage","url":"https:\/\/usercentrics.com\/us\/wp-content\/uploads\/sites\/7\/2024\/01\/Delaware-privacy.png","contentUrl":"https:\/\/usercentrics.com\/us\/wp-content\/uploads\/sites\/7\/2024\/01\/Delaware-privacy.png","caption":"Delaware Consumer Privacy Act (DPDPA)","copyrightNotice":"\u00a9 Copyright 2026 Usercentrics GmbH","creator":{"@type":"Organization","name":"Usercentrics GmbH"},"creditText":"Image: Usercentrics GmbH"},{"@type":"BreadcrumbList","@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/delaware-digital-personal-data-protection-act-dpdpa\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Resources","item":"https:\/\/usercentrics.com\/us\/resources\/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https:\/\/usercentrics.com\/us\/knowledge-hub\/"},{"@type":"ListItem","position":3,"name":"Delaware Personal Data Privacy Act (DPDPA): An Overview","item":"https:\/\/usercentrics.com\/us\/knowledge-hub\/delaware-digital-personal-data-protection-act-dpdpa\/"}]},{"@type":"WebSite","@id":"https:\/\/usercentrics.com\/us\/#website","url":"https:\/\/usercentrics.com\/us\/","name":"Usercentrics - US","description":"Consent Management Platform (CMP) Usercentrics","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/usercentrics.com\/us\/?s={search_term_string}"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/knowledge\/444","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/knowledge"}],"about":[{"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/types\/knowledge"}],"version-history":[{"count":0,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/knowledge\/444\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/media\/2207"}],"wp:attachment":[{"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/media?parent=444"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/tags?post=444"},{"taxonomy":"magazine_issue","embeddable":true,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/magazine_issue?post=444"},{"taxonomy":"magazine_tag","embeddable":true,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/magazine_tag?post=444"},{"taxonomy":"resource_tag","embeddable":true,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/resource_tag?post=444"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}