Nothing rings in the New Year like five new state privacy laws. The Delaware Personal Data Privacy Act (DPDPA) is one of them, and is set to take effect on January 1, 2025.
Designed to give residents greater control over their personal information, this law applies to any organization doing business in Delaware or marketing to Delawareans. Importantly, this includes nonprofits and institutions of higher education, which are often exempt under other state laws. The DPDPA introduces important consumer rights, including the ability to access, delete, or correct personal data, as well as to opt out of targeted advertising and data sales.
These changes are set to impact thousands of companies based all over the world. We’re here to help you prepare for them.
Understanding the DPDPA
On September 11, 2023, Delaware Governor John Carney officially signed House Bill No. 154, also known as the Delaware Personal Data Privacy Act, into law. This new legislation positions Delaware alongside a growing list of states that have enacted their own consumer privacy laws. Together, these states are shaping the landscape of U.S. data privacy regulation.
The Delaware Personal Data Privacy Act is one of several state-level privacy laws designed to safeguard consumer data. Like other state privacy laws, it establishes specific requirements for organizations regarding the collection, use, and sharing of personal data. Designed to enhance consumer rights, the DPDPA addresses key privacy concerns like data transparency, targeted advertising, and data sales.
Scope of Application
The DPDPA applies to any organization that:
- Conducts business in Delaware or offers goods and services to Delaware residents, whether or not it is physically located in the state.
- Processes the personal data of Delaware residents, meaning it collects, stores, or otherwise handles personal data about individuals in Delaware.
- Met at least one of the following thresholds during the preceding calendar year:
- Controlled or processed the personal data of at least 35,000 Delaware residents (excluding personal data controlled or processed solely to complete a payment transaction), a comparatively low threshold among state privacy laws; or
- Controlled or processed the personal data of at least 10,000 Delaware residents and derived more than 20% of gross revenue from the sale of personal data.
Importantly, the DPDPA extends beyond commercial enterprises to nonprofits and institutions of higher education, which often benefit from exemptions in other states’ privacy laws. Nonprofits must comply unless they fall into one of the act’s narrow exemptions, including:
- Nonprofits established exclusively to detect and prevent insurance fraud.
- Nonprofits that provide services to victims or witnesses of child abuse, domestic violence, human trafficking, sexual assault, violent felonies, or stalking.
If your nonprofit or educational institution does not qualify for one of these exemptions, assume the act applies to you and plan accordingly.
Rights Granted to Consumers
The DPDPA grants several key consumer rights aimed at giving Delaware residents greater control over their personal data. These include:
- Right to Access: Consumers can request access to the personal data that organizations hold about them, providing transparency on what data is being collected.
- Right to Delete: Consumers can request that businesses delete their personal data, which can help mitigate the risks of unauthorized access or data breaches.
- Right to Correct: Consumers can request corrections to any inaccurate personal data held by a company.
- Right to Portability: Consumers have the right to obtain a copy of their personal data processed by the controller (i.e. data portability).
- Right to Obtain a List of Third Parties: Consumers can request a list of the categories of third parties to which the controller has disclosed their personal data.
- Right to Opt Out: Consumers can opt out of the sale of their personal data, its use for targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects, giving them more control over how their information is shared.
Most notably, the DPDPA requires controllers, in response to a data subject request (DSR), to disclose the categories of third parties to which they have disclosed the consumer’s personal data. This third-party disclosure requirement mirrors Oregon’s law but is less stringent: Oregon requires naming specific entities, while Delaware requires only categories. Like Colorado and several other state laws, the DPDPA also requires controllers to honor universal opt-out preference signals beginning January 1, 2026, so consumers can express an opt-out choice once, from their browser or device, rather than site by site.
Key Obligations for Businesses Under Delaware’s Privacy Law
As Delaware’s new privacy law takes effect, organizations will have several important responsibilities to ensure compliance. The DPDPA mandates specific actions for both controllers and processors of personal data, aiming to enhance consumer privacy and ensure proper data protection. Here’s what your organization needs to know:
Controllers’ Responsibilities
Controllers—those who determine the purposes and means of processing personal data—are required to:
- Limit Data Collection: Only collect personal data that is adequate, relevant, and necessary for the disclosed purposes.
- Implement Data Security Measures: Establish robust administrative, technical, and physical security practices to protect the confidentiality, integrity, and accessibility of consumers’ personal data.
- Sensitive Data Processing: Process sensitive data only after obtaining explicit consent. Sensitive data includes genetic information, precise geolocation, and other deeply personal details such as health conditions or sexual orientation.
- Transparency and Privacy Notice: Provide consumers with an accessible, clear privacy policy that outlines data collection practices, the categories of third parties with whom data is shared, and the rights consumers have, including opt-out options.
- Opt-Out Opportunities: Let consumers opt out of the sale of their personal data and its use for targeted advertising. Beginning January 1, 2026, controllers must also honor an opt-out preference signal sent by the consumer’s browser or device, treating it as a valid request to opt out of sale and targeted advertising.
- Data Protection Assessments: Companies processing personal data of 100,000 or more consumers must conduct regular data protection assessments, particularly for activities that present heightened risks, like targeted advertising or profiling.
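The opt-out preference signal is the one obligation in the list above that lands directly in application code: the request arrives carrying the signal, and the controller has to act on it before any sale or ad-targeting logic runs. The following is an added example, not code from the original page or from DataGrail. It assumes (an assumption, since the statute does not name a specific signal) that the signal being honored is Global Privacy Control (GPC), which browsers send as the request header `Sec-GPC: 1`; the sample requests and stored preference records are constructed, not captured traffic.

```python
"""Honoring a browser opt-out preference signal at the controller's edge.

Added example, not code from the original page or from DataGrail. It assumes
(an assumption, not something the statute names) that the signal you honor is
Global Privacy Control (GPC), which browsers send as the request header
`Sec-GPC: 1`. All sample requests below are constructed, not captured traffic.
"""
from dataclasses import dataclass
from typing import Dict, Mapping, Optional

# Header name per the GPC specification; compared case-insensitively.
GPC_HEADER = "sec-gpc"


@dataclass(frozen=True)
class OptOutDecision:
    sale: bool                  # True: do not sell this consumer's personal data
    targeted_advertising: bool  # True: do not use it for targeted advertising
    source: str                 # "signal", "stored", or "default"


def headers_from_wsgi_environ(environ: Mapping[str, str]) -> Dict[str, str]:
    """WSGI servers expose request headers as HTTP_* keys (Sec-GPC -> HTTP_SEC_GPC).
    Convert them back to lowercase header names so one code path serves both."""
    headers: Dict[str, str] = {}
    for key, value in environ.items():
        if key.startswith("HTTP_"):
            headers[key[5:].lower().replace("_", "-")] = value
    return headers


def signal_present(headers: Mapping[str, str]) -> bool:
    """True only when Sec-GPC is present with the exact value "1".

    The GPC spec defines "1" as the only meaningful value. Treating "true",
    "yes" or an empty value as a signal would invent a preference the consumer
    never expressed, so anything else counts as no signal.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def decide_opt_out(headers: Mapping[str, str],
                   stored: Optional[Mapping[str, bool]] = None) -> OptOutDecision:
    """Combine the request-time signal with a stored per-consumer preference.

    Design choice in this example: a valid signal always wins, because the
    controller must treat it as a request to opt out of both sale and targeted
    advertising; a stored opt-in to either activity does not override it.
    Without a signal, fall back to the stored record, then to "not opted out".
    """
    if signal_present(headers):
        return OptOutDecision(sale=True, targeted_advertising=True, source="signal")
    if stored:
        return OptOutDecision(
            sale=bool(stored.get("sale", False)),
            targeted_advertising=bool(stored.get("targeted_advertising", False)),
            source="stored",
        )
    return OptOutDecision(sale=False, targeted_advertising=False, source="default")


# Constructed sample requests (not real traffic), paired with the consumer's
# stored preference record (None when this consumer has never been seen).
SAMPLE_REQUESTS = {
    "gpc_on_no_record":     ({"Sec-GPC": "1", "Accept": "text/html"}, None),
    "gpc_on_stored_opt_in": ({"sec-gpc": "1"}, {"sale": False, "targeted_advertising": False}),
    "gpc_malformed":        ({"Sec-GPC": "true"}, None),
    "no_signal_stored":     ({"Accept": "text/html"}, {"sale": True}),
    "no_signal_no_record":  ({"Accept": "text/html"}, None),
}


def run_samples() -> Dict[str, OptOutDecision]:
    """Evaluate every constructed request; returned so callers can inspect or assert."""
    return {name: decide_opt_out(hdrs, stored)
            for name, (hdrs, stored) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:22s} sale_opt_out={decision.sale} "
              f"ads_opt_out={decision.targeted_advertising} via={decision.source}")
```

Run the decision as early as possible in the request path, before any ad tag, pixel, or data-sharing call fires, and record which source produced the decision so a later DSR can show what was honored and why. On the client side, browsers that send `Sec-GPC` also expose the same preference to page scripts as `navigator.globalPrivacyControl`, which lets a consent banner pre-select the opt-out rather than asking the consumer to repeat a choice already expressed.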
Processors’ Responsibilities
For processors—entities that handle data on behalf of controllers—the DPDPA requires them to assist in meeting the controller’s obligations, including managing consumer rights requests and ensuring data security. Importantly, all processing activities must be governed by a contract between the controller and processor, detailing privacy provisions and ensuring compliance with the DPDPA.
Enforcement of The DPDPA
The Delaware Department of Justice, headed by the Attorney General, will be the primary enforcement body for the DPDPA. Organizations that fail to comply could face penalties, including fines, but the law offers a 60-day cure period: if a company is notified of a violation, it has 60 days to correct the issue before penalties are applied. Be aware, though, that Delaware’s cure period sunsets on December 31, 2025. After that, granting an opportunity to cure will be at the Attorney General’s discretion.
A violation of the DPDPA is treated as a violation of the state’s consumer protection laws, which gives the Delaware DOJ the authority to investigate, issue cease-and-desist orders, pursue administrative remedies, bring legal actions, and adopt rules and regulations as needed. If a violation results in a judicial proceeding, courts can impose civil penalties of up to $10,000 for each willful violation.
Organizations should therefore close any compliance gaps well before the DPDPA takes effect on January 1, 2025, rather than counting on the cure period to absorb enforcement actions.
How DataGrail Can Help
Obtaining valid consent is a cornerstone of DPDPA compliance, and DataGrail makes this process effortless. Our customizable, no-code consent management platform allows you to collect, store, and manage consent with accuracy—automatically syncing to platforms like Google Tag Manager for seamless updates and compliance.
DataGrail Consent helps you manage consent dynamically, ensuring the right message reaches the right person at the right time. With a fully customizable interface, you can offer a smooth, transparent experience that strengthens customer trust while maintaining compliance with evolving regulations like the DPDPA. The platform is updated as new privacy laws take effect, eliminating the need for constant manual changes. With solid support and integrations, your organization can scale its consent management and stay compliant without added complexity.
Moreover, DataGrail’s Live Data Map lets you effortlessly uncover where personal data resides across your systems, helping you stay ahead of potential risks. DataGrail continuously scans your systems to identify and categorize personal data, ensuring you know exactly where sensitive information lives and how it’s being used. By automating data discovery and classification, you save time, reduce errors, and ensure compliance with the DPDPA, GDPR, and other privacy regulations.
With automatic updates and seamless integrations into your tech stack, DataGrail ensures that your data privacy efforts stay aligned with DPDPA requirements, without the manual effort. By continuously identifying and classifying personal data, you mitigate risks and maintain a clear, accessible data map.
Request a demo here.
You may be thinking that the Delaware Personal Data Privacy Act does not deviate significantly from prior U.S. privacy laws. However, U.S. businesses should pay attention to its key differences—particularly the lack of general exclusions for nonprofits and higher education institutions, which are often exempt under other state laws.
Delaware isn’t the only state responding to the growing demand for control over personal data. Four other states (Iowa, Nebraska, New Hampshire, and New Jersey) have privacy laws coming into effect in January 2025. Get The Guide to State Privacy Laws for key effective dates, coverage details, and potential penalties for non-compliance.
For questions, please reach out directly to your CSM or email [email protected]. If you’d like a demo of the DataGrail platform, reach out to us here.