Clym Logo
US flag

US

Delaware Personal Data Privacy Act (DPDPA)

Overview

The Delaware Personal Data Privacy Act (DPDPA), enacted on June 30, 2023, and effective January 1, 2025, aims to protect the privacy rights of Delaware residents by regulating the collection, processing, and sale of personal data. It gives consumers the right to know, access, correct, or request the deletion of their data held by businesses. The act is inspired by existing data privacy frameworks and sets specific requirements for businesses conducting data-related activities in Delaware.

Regulation Summary

  • June 2023: DPDPA introduced.
  • September 11, 2023: Signed into law.
  • January 1, 2025: Law becomes effective.

  • Applies to businesses operating in or targeting Delaware residents.
  • Businesses that meet one of the following criteria:
    • Process data of 35,000+ consumers annually.
    • Process data of 10,000+ consumers and derive more than 20% of revenue from data sales.

  • Data regulated by HIPAA, GLBA, FERPA, and other federal laws.
  • Employment and household data.
  • Nonprofit organizations exclusively preventing insurance fraud.

  • Data Minimization: Only collect data necessary for disclosed purposes.
  • Transparency: Provide clear and accessible privacy notices.
  • Purpose Limitation: Avoid secondary uses without consent.
  • Security: Implement reasonable safeguards to protect data.
  • Non-discrimination: Prohibit unfair treatment of consumers exercising their rights.

  • Opt-Out Mechanism: Provide options to opt out of targeted advertising, data sales, and profiling.
  • Privacy Notices: Include detailed information on data collection and sharing practices.
  • Universal Opt-Out: By January 1, 2026, support browser-based and universal opt-out mechanisms.

  • Data Protection Assessments: Required for high-risk processing activities (e.g., targeted advertising, sale of personal data).
  • Sensitive Data: Consent required for processing sensitive data (e.g., health data, precise geolocation).

  • Access: Request a copy of personal data.
  • Correction: Request corrections to inaccuracies.
  • Deletion: Request deletion of personal data.
  • Portability: Receive data in a portable format.
  • Opt-Out: Refuse data processing for advertising, sales, and profiling.

  • Enforced by the Delaware Department of Justice (DOJ).
  • Cure period: Until 2026, businesses have 60 days to address violations.
  • No private right of action (individual lawsuits).
  • Violations are considered deceptive trade practices.