Delaware joined the growing list of states with comprehensive consumer privacy legislation when Governor John Carney signed the Delaware Personal Data Privacy Act into law on September 11, 2023. The DPDPA took effect on January 1, 2025, and gives Delaware residents meaningful control over how businesses collect, use, and sell their personal information. Here is everything you need to know about your rights under Delaware law.
The Delaware Personal Data Privacy Act (DPDPA)
The DPDPA establishes a framework of consumer rights and business obligations that governs how personal data is handled in Delaware. The law applies to businesses that conduct business in Delaware or target products and services to Delaware residents and meet at least one of the following thresholds:
- Process personal data of 35,000 or more Delaware residents during a calendar year (excluding data processed solely for completing payment transactions), or
- Process personal data of 10,000 or more Delaware residents and derive more than 20% of gross revenue from the sale of personal data.
These thresholds are notably lower than those in many other state privacy laws, which means more businesses fall under the DPDPA's jurisdiction. A proposed amendment, HB380, would lower the first threshold even further to 15,000 consumers, potentially bringing even more companies into scope.
Lower Thresholds Mean Broader Protection
Delaware's 35,000-consumer threshold (or 10,000 with revenue from data sales) is significantly lower than the 100,000-consumer threshold used in Virginia, Indiana, Iowa, and many other states. This means Delaware residents are protected against a wider range of businesses, including smaller data brokers that might escape regulation elsewhere.
Your Rights Under the DPDPA
As a Delaware resident, the DPDPA grants you the following rights over your personal data:
Right to Know and Access
You can confirm whether a business is processing your personal data and request access to the specific information they hold about you. Businesses must provide this information in a portable, readily usable format.
Right to Correct
If a business holds inaccurate personal data about you, you have the right to request corrections. This is especially important when data brokers list wrong addresses, outdated phone numbers, or incorrect associations with other people.
Right to Delete
You can request that a business delete the personal data it has collected from you or about you. There are limited exceptions for data needed to complete transactions, comply with legal obligations, or detect security incidents.
Right to Data Portability
You can obtain a copy of your personal data in a format that allows you to transfer it to another service provider. This prevents businesses from locking you in by holding your data hostage.
Right to Opt Out
Delaware law gives you the right to opt out of three specific types of data processing:
- Sale of personal data — the exchange of your data for monetary consideration
- Targeted advertising — ads based on your activities across different websites and platforms
- Profiling — automated processing that produces legal or similarly significant effects on you
Universal Opt-Out Mechanisms: Effective January 1, 2026
One of the most significant provisions of the DPDPA is the requirement for businesses to recognize Universal Opt-Out Mechanisms (UOOMs). As of January 1, 2026, controllers must honor browser-level opt-out signals such as Global Privacy Control (GPC).
This means that if you enable GPC in your browser, every covered business you visit must automatically treat that signal as a valid opt-out request for the sale of your data and targeted advertising. You no longer need to click through individual opt-out forms on each website.
GPC is supported by default in Firefox, Brave, and DuckDuckGo browsers, and can be added to Chrome and other browsers through privacy extensions like Privacy Badger or DuckDuckGo Privacy Essentials.
Also Effective January 1, 2026
The DPDPA's mandatory cure period expired on January 1, 2026. Before this date, businesses had the opportunity to fix violations before facing enforcement action. Now, the Delaware Attorney General has full discretion to pursue enforcement actions without offering a cure period first.
Protections for Children and Minors
The DPDPA includes additional protections for the personal data of consumers under 18 years of age. Businesses are subject to heightened requirements when processing minors' data, including restrictions on targeted advertising and data sales involving children's information. These protections reflect a growing national trend toward stronger safeguards for young people's privacy online.
Exemptions
Like most state privacy laws, the DPDPA includes exemptions for certain types of entities and data:
- HIPAA-covered entities and data governed by HIPAA
- Financial institutions covered by the Gramm-Leach-Bliley Act (GLBA)
- Data covered by the Fair Credit Reporting Act (FCRA)
- Nonprofit organizations
- Higher education institutions
These exemptions apply to the entity or the specific data type, not to all data those entities may hold. A hospital, for example, is exempt for HIPAA-covered health data but may still be subject to the DPDPA for other personal data it processes, such as marketing data.
Enforcement
The DPDPA grants exclusive enforcement authority to the Delaware Department of Justice. There is no private right of action, meaning individuals cannot sue companies directly for violations. Instead, if a business violates your rights under the law, your recourse is to file a complaint with the Delaware DOJ.
The Attorney General can investigate complaints, issue civil investigative demands, and pursue enforcement actions against non-compliant businesses. With the cure period now expired as of January 2026, the AG has full discretion over when and how to pursue violations.
How to Exercise Your DPDPA Rights
Here is a practical guide to putting your Delaware privacy rights to work:
- Enable Global Privacy Control. Install a GPC-compatible browser or extension to automatically send opt-out signals to every website you visit. This is the easiest and most effective first step.
- Search for yourself online. Look up your name on Google and on major people search sites like Spokeo, Whitepages, BeenVerified, and TruePeopleSearch to see what personal data is publicly available.
- Submit opt-out and deletion requests. Use the privacy links on each data broker's website to request removal of your information. Reference the DPDPA in your request and note the 45-day response deadline.
- Follow up on unresponsive brokers. If a business fails to respond within 45 days, file a complaint with the Delaware Department of Justice.
- Monitor for re-listings. Data brokers continuously scrape and acquire new data. Check back regularly to ensure your information has not reappeared.
Manual Removal Is an Ongoing Battle
There are over 100 data broker sites that may hold your personal information. Each requires a separate opt-out process, and brokers routinely re-list your data within weeks of removal. Staying truly private requires continuous monitoring and repeated requests.
Let PrivacyOn Protect Your Delaware Privacy Rights
The DPDPA gives you powerful rights, but exercising them across the entire data broker ecosystem is a massive undertaking. PrivacyOn automates data removal from more than 100 data broker sites, continuously monitors for re-listings, and re-submits removal requests whenever your information reappears. We also provide dark web monitoring to alert you if your personal data surfaces in places that opt-out forms cannot reach.
Delaware's privacy law provides the legal foundation. PrivacyOn provides the execution. Together, they give you comprehensive protection that keeps your personal information private, not just on paper, but in practice.