What Is the Delaware Personal Data Privacy Act?
DPDPA applies to controllers processing data of 35,000+ Delaware consumers or 10,000+ while selling data. It covers nonprofits, matching Oregon's inclusive scope. The AG enforces with civil penalties under the Delaware Consumer Fraud Act (up to $10,000 per violation). A 60-day cure period applies through December 2025, sunset thereafter.
At a glance
- Full name
- Delaware Personal Data Privacy Act
- Short code
- DPDPA
- Effective date
- January 1, 2026
- Response deadline
- 45 days
- Cure period
- None (sunset)
- Private right of action
- No
- Enforcement
- Delaware Department of Justice. Consumer Protection Unit
- Maximum penalty
- Up to $10,000 per violation under the Delaware Consumer Fraud Act
- Statutory citation
- Del. Code tit. 6, § 12D-101 et seq.
Who DPDPA applies to
A business is covered if it meets the applicability thresholds set out in Del. Code tit. 6, § 12D-101 et seq.. Most state laws use an “or” framework — any one of the thresholds triggers coverage unless otherwise noted.
- Conducts business in Delaware or targets Delaware residents, AND
- Controls or processes personal data of 35,000+ Delaware consumers in a calendar year, OR
- Controls or processes personal data of 10,000+ Delaware consumers AND derives more than 20% of gross revenue from the sale of personal data
Consumer rights under DPDPA
Delete, access, correct, port, opt-out
Nonprofit coverage
Leverage against Delaware-incorporated brokers
Notable features (vs. CCPA)
DPDPA has one of the lowest consumer thresholds of any US state privacy law (35,000, roughly 3.4% of Delaware's population). It applies to nonprofit organizations (unlike CCPA, VCDPA, CPA, and CTDPA) and explicitly covers data that has been de-identified only if the business still retains the ability to re-identify. Teen protections require opt-in for users aged 13-17.
Enforcement & penalties
Enforcing agency: Delaware Department of Justice. Consumer Protection Unit
Maximum penalty: Up to $10,000 per violation under the Delaware Consumer Fraud Act
Cure period: The 60-day cure period sunset on December 31, 2025. Violations are now directly enforceable.
Private right of action: DPDPA has no private right of action. Enforcement is exclusive to the Delaware Attorney General. Consumer Protection Unit.
Where to file a complaint: Delaware Department of Justice. Consumer Protection
How to exercise your DPDPA rights
- 1
Identify the business that holds your data (or use OfflistMe, which pre-targets 500+ known brokers and applies DPDPA citations automatically).
- 2
Submit a verifiable consumer request to the business's designated contact. Include enough identifying data that the business can verify you as a Delaware resident (e.g., ZIP code, email associated with your record).
- 3
Under DPDPA, businesses have 45 days to respond. Extensions are permitted with written notice under most state laws.
- 4
If the business fails to respond or denies the request without legal basis, file a complaint with the Delaware Department of Justice. Consumer Protection at https://attorneygeneral.delaware.gov/fraud/cpu/fraud_complaint.
Use your rights
DPDPA-compliant deletion emails, $7 one-time
OfflistMe drafts DPDPA-compliant deletion emails for $500+ data brokers. Citations included. You send from your own inbox. No account, no ID upload.
Start for $7 →FAQ
Why does Delaware state law matter if I don't live in Delaware?+
Most US data brokers are incorporated in Delaware. This means the Delaware AG has jurisdiction over the corporate entity regardless of where the consumer lives, creating cross-state leverage on brokers headquartered or legally domiciled there.
Official sources & citations
Compare with sibling state laws
DPDPA is one of 18 comprehensive US state privacy laws. Its closest peers by effective date, useful when tracking how this law influenced or was influenced by neighboring legislation: