Delaware Personal Data Privacy Act (DPDPA)

Overview

The Delaware Personal Data Privacy Act (DPDPA), enacted on June 30, 2023, and effective January 1, 2025, aims to protect the privacy rights of Delaware residents by regulating the collection, processing, and sale of personal data. It gives consumers the right to know, access, correct, or request the deletion of their data held by businesses. The act is inspired by existing data privacy frameworks and sets specific requirements for businesses conducting data-related activities in Delaware.

Regulation Summary

Timeline
  • June 2023: DPDPA introduced.
  • September 11, 2023: Signed into law.
  • January 1, 2025: Law becomes effective.
What Businesses Are Affected
  • Applies to businesses operating in Delaware or targeting Delaware residents.
  • Businesses that meet one of the following criteria:
    • Process data of 35,000+ consumers annually.
    • Process data of 10,000+ consumers and derive more than 20% of revenue from data sales.
Exemptions
  • Data regulated by HIPAA, GLBA, FERPA, and other federal laws.
  • Employment and household data.
  • Nonprofit organizations dedicated exclusively to preventing insurance fraud.
Responsibilities for Businesses
  • Data Minimization: Only collect data necessary for disclosed purposes.
  • Transparency: Provide clear and accessible privacy notices.
  • Purpose Limitation: Avoid secondary uses without consent.
  • Security: Implement reasonable safeguards to protect data.
  • Non-discrimination: Prohibit unfair treatment of consumers exercising their rights.
Specific Responsibilities for Website Owners
  • Opt-Out Mechanism: Provide options to opt out of targeted advertising, data sales, and profiling.
  • Privacy Notices: Include detailed information on data collection and sharing practices.
  • Universal Opt-Out: By January 1, 2026, support browser-based and universal opt-out mechanisms.
Additional Requirements
  • Data Protection Assessments: Required for high-risk processing activities (e.g., targeted advertising, sale of personal data).
  • Sensitive Data: Consent required for processing sensitive data (e.g., health data, precise geolocation).
Data Subject Rights
  • Access: Request a copy of personal data.
  • Correction: Request corrections to inaccuracies.
  • Deletion: Request deletion of personal data.
  • Portability: Receive data in a portable format.
  • Opt-Out: Refuse data processing for advertising, sales, and profiling.
Enforcement
  • Enforced by the Delaware Department of Justice (DOJ).
  • Cure period: Until 2026, businesses have 60 days to address violations.
  • No private right of action (individual lawsuits).
  • Violations are considered deceptive trade practices.