The Delaware Personal Data Privacy Act (DPDPA) takes effect January 1, 2025. Delaware generally followed the Connecticut model, but has some unique terms. We provide a non-exhaustive list of some of Delaware’s requirements here.
A lower threshold for application; no categorical exemption for all nonprofits. The DPDPA applies to organizations that control or process personal data of 35,000 or more Delaware residents in a given year or organizations that control or process personal data of 10,000 or more Delaware residents and derive more than 20% of their gross revenue from the sale of personal data. Like the laws of states other than California, the DPDPA will only apply to personal data processed for a personal or household purpose (i.e., not in the employment context or in a commercial context). Nonprofits are not categorically exempt from the DPDPA unless dedicated exclusively to preventing and addressing insurance crime.
A broader definition of sensitive personal data. Sensitive data under the DPDPA includes “status as transgender or nonbinary” and “mental or physical health condition or diagnosis (including pregnancy).”
Protection for teens. Entities subject to the DPDPA cannot, without consent, sell or process for targeted advertising purposes the data of a consumer if the entity knows, or willfully disregards, that the individual is between the ages of 13 and 18.
Additional data access rights. The DPDPA gives Delaware residents the specific right to “obtain a list of the categories of third parties to whom the controller has disclosed the consumer’s personal data.” This is similar to one part of California’s right to know about categories of information.
Right to cure with sunset. The DPDPA provides a 60-day cure period for violations, which sunsets on December 31, 2025.
No private right of action. The DPDPA contains no private right of action; it will be exclusively enforced by the Delaware Department of Justice.