Delaware Personal Data Privacy Act Guide: What You Need to Know
Last year, Delaware became the 13th state to pass a comprehensive data privacy law in the United States. Now the Delaware Personal Data Privacy Act (DPDPA) is one of four laws set to take effect on January 1, 2025, creating another watershed moment in the history of American data privacy.
Delaware Data Privacy Law at a Glance
Delaware’s privacy law, DPDPA, has incredibly low applicability thresholds to account for its small population. While the default compliance floor sits at 100,000 consumers, businesses operating in Delaware or targeting state residents must comply if they:
- Control or process personal data of 35,000+ Delaware consumers annually, OR
- Control or process personal data of 10,000+ consumers while deriving over 20% of annual gross revenue from data sales
This approach ensures everything from local startups to large corporations falls under the law's umbrella – a far cry from the more limited scopes we've seen in previous state privacy regulations. It is also noteworthy that Delaware opted to lower the standard percentage of annual gross revenue from 25% to 20%.
Delaware Data Privacy Law Exemptions
Most state privacy laws feature extensive exemption lists, which is nothing new. However, Delaware’s DPDPA truly shakes things up, choosing to NOT EXEMPT most nonprofit organizations and higher education institutions.
Delaware becomes the first state to force higher education to comply with data privacy requirements.
Another notable difference? DPDPA exempts only HIPAA-related data, rather than offering the broader exemption for HIPAA-related entities that most states have.
That leaves a much more limited list of overall exemptions, including just:
- State government and administrative organizations
- Data subject to the Gramm-Leach-Bliley Act (GLBA)
- A limited exemption for health information protected under HIPAA
- Health records & research data
Delaware Consumer Data Rights
States that passed laws in 2024, such as Maryland and Minnesota, might have more progressive privacy laws, but when the Delaware Personal Data Privacy Act passed in autumn 2023, it was quite a contrast to the dozen laws that had come before it.
That forward thinking extends to the set of data rights Delaware consumers have, which include:
- Confirm
- Delete
- Correct inaccuracies
- Access
- Revoke consent
- Portability
- Opt-out of processing personal data for targeted advertising
- Opt-out of selling data
- Appeal
- Right to see which third parties a controller has shared their specific data with
Along with this list, businesses cannot process sensitive data until a consumer opts in, following the standard state model in that regard. However, Delaware has expanded the categories of what constitutes sensitive data, becoming the first state to define “Status as transgender or nonbinary” as sensitive data.
Delaware, along with Oregon, also offers the right to appeal a controller’s refusal to take action on a data subject request, though it lacks a private right of action, meaning California remains the only state to grant citizens that particular right.
Another cue the state took from Oregon is the right to see which third parties a controller has shared their specific data with. Maryland and Minnesota’s laws also include this right, but seeing as the DPDPA is the first law featuring this right to enter into force, it will be a trendsetter for how companies need to readjust their approach to completing data subject requests (and prompt many to adopt data mapping technology to properly track where consumer data is being shared, actively or passively).
Data subject rights are exercised on a standard 45-day timeline.
Delaware Data Privacy Law Requirements
The law imposes several key requirements on businesses seen across other state laws:
- Data protection impact assessments
- Clear and transparent privacy policies
- Data minimization principles
- Consent management mechanisms
- Baseline data security measures
- Data processing agreements
- Enhanced protections for children's data
One wrinkle to Delaware’s data protection assessment requirements: they follow a two-tiered approach.
Given the applicability threshold of just 35,000, some organizations will need to conduct assessments on a semi-frequent timeline. However, any company processing the data of over 100,000 consumers within Delaware (population 1.01 million) must conduct and document data protection impact assessments on “a regular basis,” per the law.
That timeline is not explicitly defined, but it will create a sense of urgency in keeping up with assessments that most laws currently do not.
Additionally, the law aims to beef up children's privacy, requiring parental consent for processing data of minors aged 13-17 for targeted advertising or data sales by way of an opt-in.
Delaware Data Privacy Law Enforcement
The Delaware Personal Data Privacy Act will enter into force on January 1, 2025. The state Attorney General has enforcement rights alongside the Delaware Department of Justice. While we will need to wait and see how enforcement actually plays out, this potentially promises a sharper eye and more resources for compelling compliance.
Each violation could potentially carry a $10,000 fine, as opposed to the American standard of $7,500 seen in virtually every other state law, another figure Delaware has adapted to place a higher emphasis on privacy and compliance.
The state offers a 60-day cure period until December 31, 2025, meaning full enforcement begins in 2026. Data controllers will also need to recognize Universal Opt-out Mechanisms by January 1, 2026, making New Year's Day over the next two years quite significant in Delaware.
Preparing for the Delaware Data Privacy Act
As the privacy landscape continues to evolve, businesses must proactively prepare for numerous new laws, not only the DPDPA. This means:
- Conducting comprehensive data mapping
- Developing robust privacy programs
- Implementing consent management solutions
- Preparing for increased data subject requests
Businesses should view this as an opportunity to build trust through transparent data practices, rather than a mere compliance checkbox.
Not sure where to start with your privacy compliance journey?
Come talk with MineOS' experts on data mapping, DSR management, and AI governance to see how we're helping organizations navigate this complex landscape.