Compliance Briefing — January 1, 2025
Delaware’s Personal Data Privacy Act takes effect, introducing GDPR-style rights, opt-out signals, and youth data safeguards that mid-sized firms serving Delaware residents must operationalize.
Executive briefing: Delaware House Bill 154, the Personal Data Privacy Act (PDPA), becomes enforceable on January 1, 2025. Controllers that process data on at least 35,000 Delaware residents—or 10,000 residents while deriving over 20% of revenue from selling personal data—must deliver access, correction, deletion, and portability rights within 45 days, honour universal opt-out mechanisms, and secure parental consent for users under 18 when profiling or selling their data. Compliance teams need to harden consent flows, update privacy notices, and tune data subject request (DSR) tooling for the new response windows.
Key regulatory signals
- Universal opt-out recognition. The PDPA compels controllers to process authenticated browser-based opt-out signals for targeted advertising and data sales by January 1, 2026, accelerating technical roadmap work in 2025.
- Heightened youth protections. Processing sensitive personal data or selling data of consumers aged 13–17 requires express opt-in consent, raising the bar beyond many other U.S. state privacy laws.
- Data minimisation and purpose limits. Controllers must collect only what is reasonably necessary for disclosed purposes and are barred from using personal data for materially different purposes without consent.
Control alignment
- Revise privacy notices. Update Delaware-facing disclosures with PDPA-specific rights, appeal processes, and contact methods to satisfy Section 12 transparency mandates.
- DSR workflow tuning. Ensure identity verification, suppression lists, and ticketing integrations can deliver responses inside the 45-day window with a single 45-day extension.
- Targeted advertising governance. Map adtech partners, audience segments, and tracking pixels so opt-out signals can cascade across platforms and contractual terms.
Detection and response priorities
- Instrument logging to prove when universal opt-out signals were received, honoured, or technically infeasible, creating evidence for the Department of Justice.
- Establish youth data review boards to triage campaigns or product features that touch teenage audiences before launch.
Enablement moves
- Train customer support and marketing teams on PDPA rights, especially the obligation to offer appeals when requests are denied.
- Refresh data mapping exercises so Delaware residency attributes feed suppression and consent tooling accurately.
Sources
- Delaware HB 154: Personal Data Privacy Act
- Office of Governor John Carney: Governor signs data privacy legislation
Zeph Tech deploys consent orchestration, DSR automation, and opt-out signal handling so Delaware-facing products stay compliant without losing growth velocity.