Delaware Personal Data Privacy Act (DPDPA): What Online Businesses Need to Know
Delaware's privacy law has low thresholds and covers nonprofits. Here's what it requires and how it compares to other state privacy laws.
2026-03-01
The Delaware Personal Data Privacy Act (DPDPA) took effect on January 1, 2025. Delaware stands out for two reasons: it has some of the lowest applicability thresholds among state privacy laws, and it explicitly covers nonprofits — an uncommon feature.
Who Does the DPDPA Apply To?
The DPDPA applies to businesses that conduct business in Delaware or target Delaware residents and meet either threshold:
- Control or process personal data of at least 35,000 Delaware consumers (excluding payment-only data), OR
- Control or process personal data of at least 10,000 Delaware consumers and derive more than 20% of gross revenue from selling personal data
These thresholds are among the lowest in the country — matching Rhode Island and Maryland. The 20% revenue threshold is also lower than most states (Virginia uses 50%, Connecticut uses 25%).
Notable: Delaware does not exempt nonprofits. If a nonprofit meets the thresholds, it must comply.
Consumer Rights
Delaware consumers have the right to:
- Access their personal data
- Correct inaccurate data
- Delete their personal data
- Obtain a copy of their personal data in a portable format (data portability)
- Opt out of sale, targeted advertising, and profiling
Response deadline: 45 days, with a possible 45-day extension.
Key Requirements
Privacy Notice
Your privacy policy must disclose:
- Categories of personal data processed
- Purposes for processing
- How consumers can exercise their rights
- Categories of third parties receiving data
- Whether you sell data or use it for targeted advertising
Sensitive Data
Opt-in consent is required before processing any of the following:
- Racial or ethnic origin
- Religious beliefs
- Health data
- Sexual orientation
- Citizenship or immigration status
- Biometric and genetic data
- Children's data (under 13)
- Precise geolocation
Data Protection Assessments
Data protection assessments are required for controllers processing data of 100,000+ consumers. Assessments must cover targeted advertising, data sales, profiling, and sensitive data processing.
Data Minimization
Delaware requires that data collection be limited to what is adequate, relevant, and reasonably necessary for the disclosed purpose.
Enforcement
The DPDPA is enforced by the Delaware Attorney General. There is no private right of action. The cure period expired on December 31, 2025, so the AG can now pursue enforcement directly.
Penalties can reach $10,000 per violation.
DPDPA Compliance Checklist
- Privacy policy with all required disclosures
- Cookie consent banner with opt-out capabilities
- Data minimization — only collect what's necessary
- Consumer request process — 45-day response window
- Sensitive data consent — opt-in before processing
- Data protection assessments (if processing 100K+ consumers)