Delaware Personal Data Privacy Act (DPDPA)

Delaware's comprehensive consumer privacy law effective January 1, 2025, with low applicability thresholds (35K consumers or 10K + 20% data-sale revenue), mandatory GPC recognition from 2026, and the full suite of consumer rights.

Overview

The Delaware Personal Data Privacy Act (HB 154, 2023), codified at Del. Code Ann. tit. 6, Sec. 12D-101 et seq., took effect on January 1, 2025. Delaware's law is notably pro-consumer despite the state's small population (~1M): it borrows the operational model from Connecticut's CTDPA and adds influences from Oregon's OCPA.

DPDPA applies to any controller that, in the prior calendar year, (a) processed personal data of 35,000 or more Delaware consumers, or (b) processed data of 10,000 or more consumers and derived more than 20% of gross revenue from the sale of personal data. These thresholds are among the lowest in the United States, so Delaware captures a disproportionate share of small and mid-market businesses relative to population.

Exemptions mirror the Virginia-family standard: government entities, HIPAA-covered entities, GLBA-regulated financial institutions, non-profits, higher-education institutions, plus data governed by FCRA, DPPA, FERPA, and COPPA. Employee and B2B data are also out of scope.

Consumer Rights

Delaware consumers may exercise the full Virginia-family rights bundle:

  • Right to access personal data and confirm processing
  • Right to correct inaccuracies
  • Right to delete personal data
  • Right to data portability in a readily usable format
  • Right to opt out of sale of personal data
  • Right to opt out of targeted advertising
  • Right to opt out of profiling in furtherance of decisions producing legal or similarly significant effects
  • Right to appeal a controller's denial of a request

Sensitive data — including racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic and biometric data, precise geolocation, and data of children under 13 — requires opt-in consent before processing.

Compliance Requirements

Controllers must publish a clear privacy notice, honor data subject requests (DSRs) within 45 days (extendable by a further 45 days), and conduct data protection assessments (DPIAs) for targeted advertising, sale, profiling with significant effects, sensitive-data processing, and any heightened-risk activity. Processors must execute data-processing contracts covering the statutory duties.

Universal Opt-Out Mechanism (UOOM): Recognition of browser signals such as Global Privacy Control (GPC) becomes mandatory on January 1, 2026. Scope covers sale, targeted advertising, and profiling opt-outs.

Cure Period + Enforcement

The Delaware Attorney General, through the Department of Justice, has exclusive enforcement authority — there is no private right of action. Violators receive a 60-day right to cure before enforcement. Civil penalties reach up to $10,000 per violation, slightly above the $7,500 Virginia-family baseline.

The cure period does not carry a sunset clause in current law, but Delaware's AG retains discretion to decline to grant cure where a pattern or practice is evident.

How Inori Addresses This

Inori's v1.2 privacy.mdx includes Delaware in the multi-state rights section, identifying DPDPA by name and citing statute. We honor DSRs through the /api/dsar endpoint with a 45-day SLA and automated 45-day extension tracking. The middleware.ts respectGpc helper treats Sec-GPC: 1 as a valid opt-out signal for Delaware residents — positioning us ahead of the January 2026 UOOM mandate.
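A sketch of how a request-level check for the Sec-GPC: 1 signal can work, covering the three opt-out scopes named above (sale, targeted advertising, profiling). This is an added example, not Inori's middleware.ts or respectGpc helper; every type and function name in it is hypothetical, and it assumes the signal is honored for every request rather than only for Delaware residents.

```typescript
// Added illustration; not Inori's middleware.ts. All names are hypothetical.
type HeaderBag = Record<string, string | string[] | undefined>;
type Scope = "sale" | "targetedAdvertising" | "profiling";
type Source = "gpc" | "stored" | "none";

interface OptOutState {
  sale: boolean;
  targetedAdvertising: boolean;
  profiling: boolean;
  source: Source;
}

// True only when the request carries Sec-GPC with the exact value "1".
// Header names are case-insensitive, so match on the lowercased name.
function hasGpcSignal(headers: HeaderBag): boolean {
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() !== "sec-gpc") continue;
    const raw = headers[name];
    const values = Array.isArray(raw) ? raw : [raw ?? ""];
    // Anything other than "1" ("0", "true", empty) is treated as no signal.
    // Assumption: if the header is repeated, a single "1" is enough.
    if (values.some((v) => v.trim() === "1")) return true;
  }
  return false;
}

// The signal can only add opt-outs: it covers all three scopes, and stored
// account-level opt-outs still apply when the signal is absent.
function resolveOptOuts(
  headers: HeaderBag,
  stored: Partial<Record<Scope, boolean>> = {},
): OptOutState {
  if (hasGpcSignal(headers)) {
    return { sale: true, targetedAdvertising: true, profiling: true, source: "gpc" };
  }
  const sale = stored.sale === true;
  const targetedAdvertising = stored.targetedAdvertising === true;
  const profiling = stored.profiling === true;
  const any = sale || targetedAdvertising || profiling;
  return { sale, targetedAdvertising, profiling, source: any ? "stored" : "none" };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_WITH_SIGNAL: HeaderBag = { "Sec-GPC": "1", "user-agent": "example" };
const SAMPLE_WITHOUT_SIGNAL: HeaderBag = { "sec-gpc": "0" };
```

Pages whose content differs by opt-out state also need to be cached per signal, otherwise a cached copy built for a request without the header can be served to a visitor who sent it.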

Hard-purge on account deletion runs via cron at 90 days, satisfying the right-to-delete flow. DPIAs for high-risk processing (targeted advertising, profiling, sensitive data) are handled procedurally; automated DPIA generation is deferred to a later release.

Related Concepts

  • CCPA/CPRA — The California baseline Delaware borrows opt-out architecture from
  • CTDPA — Connecticut's law, the structural model for DPDPA
  • Global Privacy Control (GPC) — Browser signal DPDPA mandates from 2026
  • NHPA — Similar low-threshold New Hampshire regime

Related Terms

CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act)

California's comprehensive consumer privacy laws giving residents the right to know, delete, correct, and opt out of the sale or sharing of their personal information. CPRA amended and expanded CCPA effective January 1, 2023.

DSAR (Data Subject Access Request)

A formal request by an individual to a company to exercise their privacy rights — including accessing, correcting, deleting, or exporting their personal data — as provided by CCPA, CPRA, GDPR, and U.S. state privacy laws.

GPC (Global Privacy Control)

A browser-level signal (Sec-GPC: 1 HTTP header) that communicates a user's preference to opt out of the sale or sharing of their personal information. Legally recognized as a valid opt-out mechanism under CCPA/CPRA.

Connecticut Data Privacy Act (CTDPA)

Connecticut's comprehensive privacy law, a hybrid of the CCPA and VCDPA models, notable for mandatory Universal Opt-Out Mechanism support and sunsetting the GLBA exemption for financial institutions in July 2026.

New Hampshire Privacy Act (NHPA)

New Hampshire's consumer privacy law effective January 1, 2025 — a Connecticut/Delaware-model regime with low thresholds (35K consumers or 10K + 25% data-sale revenue), mandatory GPC recognition, and a 60-day cure period.