Last updated: January 2025

Please note this is a highlighted overview and not a complete overview of privacy laws for this state. If you would like a complete review of this state's privacy laws or a multi-state privacy compliance cheat sheet on specific topics, please contact Vivien Peaden at vpeaden@bakerdonelson.com.

Disclaimer: These materials do not constitute legal advice and should not be substituted for the advice of legal counsel.

The Delaware Personal Data Protection Act (DPDPA)

Effective Date: January 1, 2025

1. Applicability Thresholds:

Subject to certain entity-level and data-level exemptions, this law applies to persons who conduct business in the State of Delaware, or produce products or services that are targeted to Delaware residents (consumer); and, during the preceding calendar year, control or process either:

• 35,000+ Delaware consumers' personal data (excluding payment transaction data); or
• 10,000+ Delaware consumers' personal data and derive more than 20 percent of its gross revenue from the sale of personal data.

2. Key Definitions:

Sales of Personal Data: Similar to California, "sale of personal data" is broadly defined to include the exchange of personal data for not only monetary compensation but also "other valuable consideration," subject to certain exemptions.

3. Business Obligations:

The DPDPA imposes additional obligations on persons who, alone or jointly with others, determine the purpose and means of processing personal data (Controller):

• Heightened Protection for Minors Under the Age of 18:
  • Delaware introduces heightened protection for teenagers between the ages of 13 and 18, so that a Controller is prohibited from, without consumer consent, processing their personal data for targeted advertising or selling personal data if the Controller has actual knowledge or willfully disregards that the consumer is at least 13 but younger than 18 years of age.
• Data Processing Agreement (DPA): Processing activities by a supplier (Processor) shall be governed by a DPA between the Controller and Processor.
• Data Protection Assessment. Required: A Controller who controls or processes personal data of not less than 100,000 DE consumers shall conduct and document, on a regular basis, a data protection assessment for certain high-risk data processing activities.
• Privacy Notice: A Controller must provide consumers with a privacy notice.
• Universal Opt-out Mechanism: By January 1, 2026, i.e., one year following the effective date of the DPDPA, Controllers must allow consumers to opt out of any data processing for targeted advertising and/or sale of personal data.

4. Consumer Rights:

Subject to certain exceptions, a DE consumer has the right to:

• Confirm whether a Controller is processing their personal data, and accessing the personal data being processed;
• Correct inaccuracies in the consumer's personal data;
• Delete personal data provided by, or obtained about the consumer;
• Obtain a copy of the personal data of a consumer, broadly defined to include not only those provided by the consumer but also those obtained and processed by the Controller (from third parties), in a portable and readily usable format, if the processing is carried out by automated means; and obtain a list of categories of third parties, to which the controller has disclosed personal data; and
• Opt-out of data processing for targeted advertising, certain sales of personal data, and profiling for solely automated decisions producing legal or similarly significant effects.

5. Enforcement and Penalties:

Private Right of Action: None

Penalties: Not more than $10,000 per violation.

Cure Period: 60-day cure period. Such a cure period may sunset after December 31, 2025, subject to the sole discretion of the Delaware Department of Justice.