What Is the Delaware Personal Data Privacy Act?
DPDPA applies to controllers processing data of 35,000+ Delaware consumers or 10,000+ while selling data. It covers nonprofits, matching Oregon's inclusive scope. The AG enforces with civil penalties under the Delaware Consumer Fraud Act (up to $10,000 per violation). A 60-day cure period applies through December 2025, sunset thereafter.
At a glance
- Full name
- Delaware Personal Data Privacy Act
- Short code
- DPDPA
- Effective date
- January 1, 2026
- Response deadline
- 45 days
- Cure period
- None (sunset)
- Private right of action
- No
- Enforcement
- Delaware Department of Justice — Consumer Protection Unit
- Maximum penalty
- Up to $10,000 per violation under the Delaware Consumer Fraud Act
- Statutory citation
- Del. Code tit. 6, § 12D-101 et seq.
Who DPDPA applies to
A business is covered if it meets the applicability thresholds set out in Del. Code tit. 6, § 12D-101 et seq.. Most state laws use an “or” framework — any one of the thresholds triggers coverage unless otherwise noted.
- Conducts business in Delaware or targets Delaware residents, AND
- Controls or processes personal data of 35,000+ Delaware consumers in a calendar year, OR
- Controls or processes personal data of 10,000+ Delaware consumers AND derives more than 20% of gross revenue from the sale of personal data
Consumer rights under DPDPA
Delete, access, correct, port, opt-out
Nonprofit coverage
Leverage against Delaware-incorporated brokers
Notable features (vs. CCPA)
DPDPA has one of the lowest consumer thresholds of any US state privacy law (35,000 — roughly 3.4% of Delaware's population). It applies to nonprofit organizations (unlike CCPA, VCDPA, CPA, and CTDPA) and explicitly covers data that has been de-identified only if the business still retains the ability to re-identify. Teen protections require opt-in for users aged 13-17.
Enforcement & penalties
Enforcing agency: Delaware Department of Justice — Consumer Protection Unit
Maximum penalty: Up to $10,000 per violation under the Delaware Consumer Fraud Act
Cure period: The 60-day cure period sunset on December 31, 2025. Violations are now directly enforceable.
Private right of action: DPDPA has no private right of action. Enforcement is exclusive to the Delaware Attorney General — Consumer Protection Unit.
Where to file a complaint: Delaware Department of Justice — Consumer Protection
How to exercise your DPDPA rights
- 1
Identify the business that holds your data (or use OfflistMe, which pre-targets 300+ known brokers and applies DPDPA citations automatically).
- 2
Submit a verifiable consumer request to the business's designated contact. Include enough identifying data that the business can verify you as a Delaware resident (e.g., ZIP code, email associated with your record).
- 3
Under DPDPA, businesses have 45 days to respond. Extensions are permitted with written notice under most state laws.
- 4
If the business fails to respond or denies the request without legal basis, file a complaint with the Delaware Department of Justice — Consumer Protection at https://attorneygeneral.delaware.gov/fraud/cpu/fraud_complaint.
Use your rights
DPDPA-compliant deletion emails, $5 one-time
OfflistMe drafts DPDPA-compliant deletion emails for 300+ data brokers. Citations included. You send from your own inbox. No account, no ID upload.
Start for $5 →FAQ
Why does Delaware state law matter if I don't live in Delaware?+
Most US data brokers are incorporated in Delaware. This means the Delaware AG has jurisdiction over the corporate entity regardless of where the consumer lives, creating cross-state leverage on brokers headquartered or legally domiciled there.
Official sources & citations
Compare with sibling state laws
DPDPA is one of 18 comprehensive US state privacy laws. Its closest peers by effective date — useful when tracking how this law influenced or was influenced by neighbouring legislation: