HB-380 proposes lowering Delaware’s DPDPA threshold from 35,000 to 15,000 consumers, expanding scope and adding new data protection assessment requirements.
Delaware’s Privacy Law is Tightening: What HB-380 Means for Your Business
On April 21, 2026, Delaware’s House Technology Committee voted 4-0 to advance HB-380, a bill that would cut the Delaware Personal Data Privacy Act (DPDPA) applicability threshold nearly in half. If it passes, tens of thousands more businesses will fall under the law’s scope.
That number includes companies that have been operating under the assumption that they are too small to be caught.
In this post, we are looking at exactly what HB-380 proposes to change, why the 4-0 committee vote matters, and what steps your business should take right now to get ahead of it.
What is the Delaware Personal Data Privacy Act (DPDPA)?
The Delaware Personal Data Privacy Act is a state-level consumer data privacy law that took effect on January 1, 2025. It gives Delaware residents rights over their personal data, including the right to access, correct, delete, and opt-out of the sale of their data and targeted advertising. Businesses that meet specific processing thresholds must comply with its requirements.
Under the current law, the DPDPA applies to any entity that conducts business in Delaware or produces products or services targeted to Delaware residents and, during a calendar year, either:
Controls or processes the personal data of 35,000 or more consumers, or
Controls or processes the personal data of 10,000 or more consumers while deriving more than 20% of gross revenue from the sale of personal data.
It follows the same structural playbook as privacy laws in states like Connecticut, Virginia, and Colorado. Consumer rights, controller obligations, data processor agreements, and opt-out mechanisms are all part of the framework.
Clym’s consent management platform already supports businesses working toward DPDPA requirements, covering 150+ global regulations with pre-configured settings so you do not have to rebuild your setup for each jurisdiction.
What HB-380 proposes to change
HB-380 is not a wholesale rewrite of the DPDPA. It is a targeted amendment that adjusts four areas: the applicability threshold, the definition of sensitive data, data protection assessment requirements, and third-party contracting obligations.
Here is how the key provisions compare:
Provision | Current DPDPA | Proposed HB-380 |
|---|---|---|
General consumer threshold | 35,000 consumers per year | 15,000 consumers per year |
Revenue-based threshold | 10,000 consumers + >20% revenue from data sales | 5,000 consumers + >20% revenue from data sales |
Sensitive data definition | Health, biometrics, geolocation, race, religion, and similar categories | Expands to include inferences drawn from personal data |
Data protection assessments | Required for high-risk processing activities | Also required for targeted advertising and sales of personal data |
Third-party contracts | Required data processing agreements with processors | Enhanced due diligence and stricter contract requirements for third parties receiving personal data |
The threshold change is the most impactful for the widest range of businesses. But the addition of data protection assessments for targeted advertising is significant for any company running behavioral advertising on its website.
Why this matters now
A 4-0 committee vote is not ceremonial. Bills with unanimous committee support move forward, and HB-380 has real political momentum behind it.
The threshold reduction from 35,000 to 15,000 consumers is deliberate. Delaware has a population of roughly one million people. At 15,000, the threshold aligns on a population-percentage basis with the thresholds in Connecticut and New Jersey. The bill’s sponsor, Rep. Krista Griffith, and the ACLU of Delaware both supported it, though the ACLU pushed for even stronger data-minimisation standards closer to Maryland’s model. That signals further tightening is possible in subsequent amendments.
The data backs this up. More than 20 US states now have active comprehensive privacy laws. Delaware is not an outlier; it is catching up. Businesses that have taken a wait-and-see approach to state privacy law compliance are running out of runway.
The 2026 changes are already in effect
HB-380 does not exist in isolation. The DPDPA already changed significantly on January 1, 2026, before this amendment was introduced. Two changes are especially important:
1. Universal opt-out mechanisms are now required
As of January 1, 2026, DPDPA controllers must recognize opt-out signals, including the Global Privacy Control (GPC). If a Delaware consumer has activated GPC in their browser, your website must honor it automatically. This is a current legal requirement, not a future one.
Clym’s platform includes built-in Global Privacy Control support, automatically detecting and honoring GPC signals without requiring manual configuration for each jurisdiction.
2. The cure period is gone
The mandatory 60-day cure period for DPDPA violations expired on December 31, 2025. From January 1, 2026, the Delaware Department of Justice has discretion on whether to offer a cure opportunity before pursuing enforcement. The safety net that existed in year one is no longer automatic.
That means a business that receives an enforcement notice today may have no cure window to fix the issue before facing penalties.
Three additional changes in HB-380 are worth knowing
Beyond the threshold reduction, HB-380 introduces three further obligations that affect how businesses handle personal data.
Sensitive data expands to include inferences
Under the current DPDPA, sensitive personal data covers specific categories: health data, biometric identifiers, precise geolocation, and similar protected characteristics. HB-380 would expand this definition to include inferences drawn from personal data.
In practice, this means that if your platform uses behavioral data to make predictions or classifications about users, those inferences could become classified as sensitive data, triggering heightened obligations around processing and consent.
Data protection assessments for targeted advertising
HB-380 would require data protection assessments specifically for targeted advertising and the sale of personal data. Currently, assessments are required only for high-risk processing activities. If you run behavioral advertising campaigns on your website, you may need to conduct and formally document these assessments as a condition of continuing that activity under Delaware law.
This is a meaningful operational change for any marketing team that relies on cookie-based or cross-site tracking for ad targeting.
Stricter third-party contracting
HB-380 introduces enhanced due diligence requirements for third parties that receive personal data. This goes beyond the existing requirement to have data processing agreements with processors. It means reviewing your vendor relationships, auditing what data flows to which third parties, and ensuring contracts include the protections Delaware now demands.
For businesses with complex martech or adtech stacks, this vendor review process is likely the most time-intensive part of HB-380 compliance preparation.
Does HB-380 affect your business?
Ask yourself three questions:
Do you have Delaware residents in your user base or customer list?
Do you process the personal data of more than 15,000 consumers in a calendar year? (Or more than 5,000 if more than 20% of your revenue comes from selling personal data?)
Do you run targeted advertising, behavioral tracking, or sell user data to third parties?
If the answer to any of those is yes, or could become yes once HB-380 passes, you are in scope. The 4-0 committee vote means this is no longer a speculative legislative event. It is a bill with momentum that warrants proactive attention now.
What to do right now
You do not need to wait for HB-380 to pass to take action. Here are five steps you can take today:
1. Audit your consumer threshold
Count how many Delaware consumers you process personal data for in a calendar year. If you are currently at 20,000 to 35,000, you are close to the proposed new threshold. Model out whether growth or additional data flows would bring you in scope under 15,000.
2. Verify GPC compliance today
Global Privacy Control recognition is a current DPDPA requirement, not a future one. If your website is not already honoring GPC signals, you are out of step with the law as it stands right now. This should be your first priority.
3. Review your vendor contracts
Identify every third party that receives personal data from your systems. Review your data processing agreements and assess whether they include the protections HB-380 would require. Flag any gaps before the bill passes.
4. Prepare for data protection assessments
If you run targeted advertising, begin documenting the basis for it now. Under HB-380, a formal data protection assessment would be required before you can lawfully run targeted ads at Delaware consumers. Building that documentation now means you are not scrambling if the bill passes quickly.
5. Monitor the bill’s progress
The House Technology Committee advanced HB-380 on April 21, 2026. The next step is a full House vote. Set an alert on the Delaware General Assembly website and check back regularly. The 4-0 committee result suggests this is moving.
Conclusion
Delaware’s HB-380 is a significant proposed amendment to an already active privacy law. The threshold reduction from 35,000 to 15,000 consumers will bring many businesses into scope that previously assumed they were exempt. The additional changes around sensitive data definitions, data protection assessments for targeted advertising, and stricter third-party contracting add further operational obligations on top of that expanded reach.
The 4-0 committee vote is a signal. This bill has political support, and the cure period that gave businesses a soft landing in year one is already gone. The time to prepare is before HB-380 passes, not after.
The good news is you do not have to build a privacy programme from scratch. If you already have consent and data management infrastructure, the question is whether it covers Delaware’s specific requirements and whether it is ready for what HB-380 adds.
Frequently asked questions
The Delaware Personal Data Privacy Act (DPDPA) is a state consumer privacy law that took effect January 1, 2025. It grants Delaware residents rights over their personal data and requires businesses that meet specific processing thresholds to comply with obligations around transparency, consent, data security, and consumer rights.
HB-380 proposes to lower the general applicability threshold from 35,000 to 15,000 consumers and from 10,000 to 5,000 for the revenue-based threshold. It also expands the definition of sensitive data to include inferences, adds data protection assessment requirements for targeted advertising, and introduces stricter third-party contracting obligations.
The DPDPA took effect on January 1, 2025. Significant additional changes came into force on January 1, 2026, including the requirement to honor Global Privacy Control opt-out signals and the end of the automatic 60-day cure period for violations.
Under HB-380, any business that processes the personal data of 15,000 or more Delaware consumers annually, or 5,000 or more if more than 20% of gross revenue comes from selling personal data, would be subject to the DPDPA. This is a significant expansion from current thresholds and will bring many previously exempt mid-sized businesses into scope.
Yes. The DPDPA has been in force since January 1, 2025. As of January 1, 2026, the mandatory 60-day cure period no longer applies automatically, meaning the Delaware Department of Justice has discretion to pursue enforcement without first offering a cure window.
Adam is the Head of Digital Marketing at Clym, where he leverages his diverse expertise in marketing to support businesses with their compliance needs and drive awareness about data privacy and web accessibility. As one of the company’s original team members, Adam has been instrumental in shaping its journey from the very beginning. When he’s not diving into marketing strategies, Adam can be found cheering on his favorite sports teams or enjoying fishing.