Applies to businesses processing personal data of 35,000+ Delaware residents, or 10,000+ if you derive 20%+ of revenue from data sales. Cure period ended December 31, 2025.
Effective
2025-01-01
Penalty max
$10,000
Cure period
None
Honor GPC
Required
Overview
The Delaware Personal Data Privacy Act (DPDPA) took effect January 1, 2025. Delaware took an aggressive consumer-protection approach: a low 35,000-resident threshold (or 10,000 + 20% data-sales revenue), the right for consumers to request a list of specific third-party recipients (like Oregon), a requirement to honor browser-level Global Privacy Control (GPC) signals, and a cure period that sunset on December 31, 2025 — the AG can now bring enforcement actions immediately. Delaware also has specific protections for minors aged 13-17 requiring opt-in consent before targeted advertising or sale.
Who it applies to
Businesses processing personal data of 35,000+ Delaware residents annually.
Businesses processing personal data of 10,000+ Delaware residents AND deriving 20%+ of revenue from selling personal data.
Consumer rights
Right to access
Consumers can request a copy of the personal data you hold about them.
Right to correction
Consumers can request you correct inaccurate personal data.
Right to deletion
Consumers can request you delete their personal data, subject to limited exceptions.
Right to portability
Consumers can request a machine-readable copy of their data to transfer elsewhere.
Right to opt out of sale
Consumers can opt out of the sale of their personal data to third parties.
Right to opt out of targeted advertising
Consumers can opt out of personalized ad targeting based on their behavior.
Right to opt out of profiling
Consumers can opt out of automated profiling for decisions with legal or similarly significant effects.
Right to know specific third-party recipients
Consumers can request a list of the specific third parties to whom you have disclosed their personal data.
What this means for e-commerce
Delaware has one of the lowest thresholds in the country (35,000 residents, or 10,000 if 20%+ of revenue is from data sales) and gives consumers the right to a list of specific third-party recipients (like Oregon). Combined with the cure period sunset on December 31, 2025, Delaware is now a real enforcement risk for mid-sized e-commerce.
Penalties & enforcement
Enforced by the Delaware Department of Justice (Consumer Protection Unit). Penalties range from $0 to $10,000 per violation.
The cure period sunset on 2025-12-31 — the AG can bring enforcement actions immediately upon finding a violation, without first giving you time to fix the problem.
Compliance checklist
Add a 'Your Privacy Choices' link in the site footer
Implement a system to track which specific third parties receive personal data per consumer (Delaware-specific)
Configure your site to detect and honor Global Privacy Control (GPC) signals
If you serve users aged 13-17, obtain opt-in consent before targeted advertising or data sales
Update privacy policy with DPDPA-required disclosures
Implement a 45-day consumer request response process
Conduct data protection assessments for high-risk processing
Does the DPDPA apply to your business?
Run a free 60-second compliance check across all state privacy laws — including Delaware.
BriefStack is for informational purposes only and does not constitute legal advice. For decisions specific to your business, consult a qualified attorney.