Diving into Delaware's Privacy Law: Key Requirements for Compliance

By Morgan Sullivan

Senior Content Marketing Manager II

July 23, 2024

Delaware’s privacy law at a glance

  • Signed into law on September 11, 2023, the Delaware Personal Data Privacy Act (DPDPA) is set to take effect on January 1, 2025.
  • This guide explores who’s subject to Delaware’s privacy law, what’s required of businesses under its scope, and how the DPDPA is different from other US state privacy laws.
  • Read to the end to find a 7-step Delaware privacy law checklist.

Who's subject to Delaware's privacy law?

Delaware's privacy law applies to businesses conducting operations in Delaware or targeting their products or services to Delaware residents. In addition, a business must also:

  • Control or process personal data of at least 35,000 Delaware consumers annually OR
  • Control or process personal data of at least 10,000 Delaware consumers and derive over 20% of their annual gross revenue from the sale of personal data

While the approach to applicability is common in the US state privacy law landscape, the DPDPA distinguishes itself with significantly lower applicability thresholds compared to other states. This ensures that a broad spectrum of businesses, ranging from local startups to large corporations, will be subject to the law's requirements.

Compliance requirements under Delaware's privacy law

Delaware's privacy law imposes rigorous obligations on businesses aimed at protecting consumer data and enhancing transparency in data handling practices. Key compliance requirements include:

Consumer rights

Under the DPDPA, Delaware consumers have the right to access, confirm, correct, delete, or transfer their data. Businesses under the law must establish mechanisms that enable consumers to exercise these rights effectively. Additionally, businesses must give consumers a way to opt out of targeted advertising, data sales, and profiling.

Children's privacy

For children aged 13 to 17, Delaware’s privacy law mandates additional data protections. In alignment with the Children's Online Privacy Protection Act (COPPA), businesses must get parental consent before processing personal data for minors in this age range for targeted advertising or data sales.

Delaware businesses must also obtain verifiable parental consent before processing personal data for children under 13 years old for any purpose.

Universal opt-out signals

The DPDPA requires that businesses under its purview provide consumers with a clear and accessible method to opt out of targeted advertising, data sales, and profiling.

To that end, starting January 1, 2026, businesses must recognize and respect universal opt-out signals, like the Global Privacy Control (GPC).

Data protection impact assessments

Businesses under Delaware's privacy law must conduct data protection impact assessments (DPIA) before engaging in data processing activities that may present a heightened risk to the consumer. These risky data processing activities include processing sensitive data, targeted advertising, selling personal data, and profiling.

DPIAs evaluate the necessity, proportionality, and mitigation measures associated with the processing activities—helping businesses to preemptively identify and address potential privacy risks.

Comparison with other state privacy laws

The Delaware Personal Data Privacy Act (DPDPA) shares similarities with other state privacy laws, but does have a few unique characteristics.

  1. Lower applicability threshold: The DPDPA applies to businesses that control or process personal data of at least 35,000 Delaware residents—a much lower threshold than in Virginia and California, which set their thresholds at 100,000 consumers.
  2. Applicability to nonprofits and higher education: Unlike most state privacy laws, the DPDPA extends its scope to include most nonprofit organizations and institutions of higher education. Only Colorado and Oregon have similar exceptions.
  3. Expanded definition of sensitive data: The DPDPA includes "status as transgender or nonbinary" in its definition of sensitive data, a provision also found in Oregon's law. It also provides a separate definition for genetic data.
  4. No rulemaking authority: Unlike many state privacy laws, Delaware’s privacy law does not grant the Delaware Attorney General rulemaking authority.
  5. HIPAA exemption: The DPDPA does not exempt HIPAA-covered entities, but does provide a limited data-level exemption for health information protected under HIPAA.

Delaware privacy law compliance checklist

1. Conduct a compliance assessment

Begin with a thorough review of your company's data practices to determine if you fall under the scope of Delaware’s privacy law. Assess whether you meet the thresholds outlined in the legislation. If you do, start working through the other items.

2. Complete a data inventory

One of the most foundational pieces of compliance is creating a comprehensive inventory of the personal data your business collects, processes, and stores. Be sure to identify the types of data involved, processing activities, and the legal basis for each. With this inventory in hand, you can then conduct a gap analysis to assess your potential compliance risk.

3. Establish mechanisms for DSR fulfillment

Develop processes to fulfill consumers' requests for data access, correction, deletion, and transfer. Ensure these processes include verification of consumer identity and prompt response times. A next-gen privacy solution like Transcend DSR Automation may be able to help.

Deploy a consent management system across all digital interfaces, including websites, web apps, mobile apps, and backend data stores. A full-stack solution like Transcend Consent Management will ensure consistent enforcement of consumer consent preferences, covering browser-based signals like GPC, LDU, and Do Not Sell requests across all domains and regions.

5. Conduct data protection assessments

Conduct assessments before engaging in high-risk processing activities, such as selling personal data or targeted advertising. Be sure to document assessment outcomes, including risk analysis and mitigation strategies.

With a tool like Transcend Assessments, you can use attribute-based auto-suggestions to manage Data Protection Impact Assessments (DPIAs), Transfer Impact Assessments (TIAs), and AI Risk Assessments with ease.

6. Implement privacy notices

Develop clear and concise privacy notices that inform consumers about your data practices. Include details on the purposes of data collection, categories of data processed, and consumer rights under Delaware’s privacy law.

7. Honor Universal Opt-Out Mechanisms

Prepare your systems and processes to acknowledge and respect universal opt-out signals for targeted advertising, data sales, and profiling activities. Update procedures to seamlessly integrate opt-out preferences, ensuring compliance with Delaware’s regulatory deadlines.

By following this comprehensive checklist, businesses can effectively navigate Delaware’s privacy law landscape, ensuring robust compliance that safeguards consumer data and upholds regulatory standards.


About Transcend

Transcend is a next-generation platform for privacy and data governance. Encoding privacy at the code layer, we provide solutions for any privacy challenge your teams may be facing—including getting you ready for new legislation like Delaware's data privacy law.

From Consent Management, to DSR Automation, to a full suite of data mapping solutions (Data Inventory, Silo Discovery, Structured Discovery, and more), Transcend has you covered as your company grows and evolves in a swiftly changing regulatory environment.

