State Law Practice Note

Delaware Consumer Privacy Law (DPDPA)

The Delaware Personal Data Privacy Act gives Delaware residents rights over their personal data and imposes notice, contracting, and consent duties on controllers above unusually low thresholds — it reaches early-stage startups and most nonprofits, is enforced exclusively by the Delaware Department of Justice, and provides no private right of action.

Editor: OpenAgreements editor
License: CC BY 4.0

Does the Delaware Personal Data Privacy Act apply to your business?

It turns on how many Delaware residents you reach, not how much money you make. The DPDPA applies to persons that do business in Delaware or target its residents and that, in the prior calendar year, controlled or processed the personal data of at least 35,000 consumers, or at least 10,000 consumers while deriving more than 20% of gross revenue from selling personal data.

The thresholds here are among the lowest in the country, and there is no dollar revenue floor — so an early-stage, pre-revenue startup that simply touches 35,000 Delaware residents is covered. Delaware is also unusually broad on nonprofits: rather than exempting them as a class, it carves out only a nonprofit dedicated exclusively to preventing and addressing insurance crime, so most charitable and trade organizations fall within the law. A consumer is a Delaware resident acting in a personal or household context, not an employee or a business-to-business contact. State agencies, GLBA-regulated financial institutions, and certain federally regulated data remain excluded.

Sources for this answer

Primary law

A.1 Del. Code tit. 6 § 12D-103

The DPDPA applies to persons doing business in Delaware or targeting its residents that, in the preceding calendar year, controlled or processed the data of at least 35,000 consumers, or at least 10,000 consumers while deriving more than 20% of gross revenue from selling personal data.

This chapter applies to persons that conduct business in the State or persons that produce products or services that are targeted to residents of the State and that during the preceding calendar year did any of the following: (1) Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction. (2) Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data.

See Del. Code tit. 6 § 12D-103(a).

What must your Delaware privacy policy contain?

A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed, the purpose for processing, how consumers exercise and appeal their rights, the categories of personal data shared with third parties, the categories of those third parties, and a way to contact the controller.

Section 12D-106(c) is the content checklist for a Delaware privacy policy. The DPDPA also requires data minimization — collection limited to what is adequate, relevant, and reasonably necessary — and, where a controller sells personal data or processes it for targeted advertising, a clear and conspicuous disclosure of that practice and how to opt out. As of January 1, 2026, the opt-out mechanism must also honor a universal opt-out preference signal such as Global Privacy Control. The notice the policy presents should match the data practices the controller actually carries out.

Sources for this answer

Primary law

B.1 Del. Code tit. 6 § 12D-106

A controller must provide a reasonably accessible, clear, and meaningful privacy notice listing the categories of personal data processed and the purpose for processing, among other required disclosures.

A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes all of the following: (1) The categories of personal data processed by the controller. (2) The purpose for processing personal data.

See Del. Code tit. 6 § 12D-106(c).

What must your contracts with processors say?

A binding contract must govern any processor's handling of personal data on the controller's behalf — so a data processing agreement is a statutory requirement, not a best practice — and that contract must set out the processing instructions, the nature and purpose of processing, the type of data, the duration, and the rights and obligations of both parties.

Section 12D-107(b) then layers in the required processor commitments: a duty of confidentiality for everyone handling the data, deletion or return of data at the controller's direction, the information needed to demonstrate compliance, advance notice before engaging a subcontractor (which must be bound by written contract to the same obligations), and cooperation with reasonable assessments. A compliant template DPA tracks each of these.

Sources for this answer

Primary law

C.1 Del. Code tit. 6 § 12D-107

A binding contract between a controller and a processor must govern the processor's data processing and set forth the processing instructions, nature and purpose, type of data, duration, and the rights and obligations of both parties.

A contract between a controller and a processor must govern the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract must be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties.

See Del. Code tit. 6 § 12D-107(b).

Do you need consent to process sensitive data?

Yes. A controller may not process a consumer's sensitive data without first obtaining consent, and for a known child it must instead obtain a parent's or guardian's consent and otherwise comply with Delaware's children's-data provisions. Sensitive data covers data revealing race or ethnicity, religious beliefs, a mental or physical health condition or diagnosis, sex life, sexual orientation, transgender or nonbinary status, or citizenship or immigration status; genetic or biometric data; the personal data of a known child; and precise geolocation.

This is the opt-in model that the Virginia-family privacy laws share — consent must be a freely given, specific, informed, and unambiguous affirmative act, and it cannot be manufactured through buried terms of use or dark patterns. Delaware also goes further than some peers for teenagers: a controller cannot run targeted advertising on, or sell the data of, a consumer it knows to be at least 13 but under 18 without that consumer's consent.

Sources for this answer

Primary law

D.2 Del. Code tit. 6 § 12D-102

Sensitive data includes data revealing race or ethnicity, religious beliefs, a health condition or diagnosis, sex life, sexual orientation, transgender or nonbinary status, or citizenship or immigration status; genetic or biometric data; the personal data of a known child; and precise geolocation.

“Sensitive data” means personal data that includes any of the following: a. Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, citizenship status, or immigration status. b. Genetic or biometric data. c. Personal data of a known child. d. Precise geolocation data.

See Del. Code tit. 6 § 12D-102(30).

Can a consumer sue your business under the DPDPA?

No. The DPDPA gives the Delaware Department of Justice exclusive enforcement authority and expressly forecloses any private right of action. The law's right-to-cure was temporary: through the end of 2025 the Department had to issue a notice and allow 60 days to fix a curable violation, but that mandatory cure period applied only to the period ending December 31, 2025.

Unlike Virginia's permanent cure period, Delaware's sunset on January 1, 2026. Since then, whether to offer a controller a chance to cure is left to the Department's discretion, weighed against factors such as the number of violations and the likelihood of injury to the public — so a covered business can no longer count on a guaranteed off-ramp. The practical posture is to build the notice, consent, and contracting controls up front rather than rely on a cure window that may not be offered.

Sources for this answer

Primary law

E.1 Del. Code tit. 6 § 12D-111

The Delaware Department of Justice has enforcement authority over the DPDPA, and the chapter provides no private right of action.

Nothing in this chapter shall be construed as providing the basis for, or be subject to, a private right of action for violations of said sections or any other law.

See Del. Code tit. 6 § 12D-111(d).

Primary law

E.2 Del. Code tit. 6 § 12D-111

The mandatory right-to-cure applied only during the period ending December 31, 2025, requiring a notice of violation and 60 days to cure before enforcement.

During the period beginning on January 1, 2025, and ending on December 31, 2025, the Department of Justice shall, prior to initiating any action for a violation of any provision of this chapter, issue a notice of violation to the controller if the Department of Justice determines that a cure is possible. If the controller fails to cure such violation within 60 days of receipt of the notice of violation, the Department of Justice may bring an enforcement proceeding pursuant to subsection (a) of this section.

See Del. Code tit. 6 § 12D-111(b).