Compliance · 6 min read · Credibility 84/100

Delaware Personal Data Privacy Act

Delaware's Personal Data Privacy Act went into effect January 1, 2025. It is one of the more consumer-friendly state privacy laws, with a broad definition of personal data and no revenue thresholds—just 35K consumers or 10K if you are making money from the data. If you do business with Delaware residents, check your compliance.

Verified for technical accuracy — Kodi C.


Delaware’s Personal Data Privacy Act (PDPA), enacted through House Bill 154, becomes enforceable on 1 January 2025. The law covers controllers that conduct business in Delaware or target its residents and process data on at least 35,000 consumers annually (excluding data used solely for payment transactions) or 10,000 consumers when deriving over 20% of gross revenue from selling personal data. Controllers must provide access, correction, deletion, and data portability rights within 45 days, honor authenticated universal opt-out signals for targeted advertising and data sales, and obtain opt-in consent before processing sensitive data or selling the data of consumers aged 13–17. Delaware’s Attorney General can seek injunctive relief, civil penalties, and restitution, making 2024 the critical year to complete governance, consent orchestration, and evidence programs.

The PDPA is one of the most protective state privacy laws in the United States. It borrows core elements from the Virginia Consumer Data Protection Act (VCDPA) and Colorado Privacy Act (CPA), while introducing stricter youth data requirements.

Controllers must publish detailed privacy notices describing categories of personal data processed, purposes of processing, categories of third parties, and secure methods for submitting data subject requests (DSRs). They must also disclose how universal opt-out signals are honored, whether profiling that produces legal or similarly significant effects occurs, and how consumers can appeal decisions. Processors are obligated to support controllers by providing assistance with DSRs, offering necessary technical and organizational measures, and enabling audits.

Governance and operating model: Boards and executive teams should set up a PDPA steering committee spanning privacy, security, marketing, product, engineering, legal, and customer support. The committee should report into the chief privacy officer or general counsel, with quarterly updates to the board risk or audit committee. Governance documents must outline accountability for each obligation: privacy engineering handles consent management and opt-out integration, product teams update user journeys, marketing teams rework targeting campaigns, and security teams manage data minimization and protection controls. Delaware businesses that already comply with California’s CCPA/CPRA or Colorado’s CPA should conduct a PDPA gap analysis to capture differences in youth opt-in, universal opt-out, and disclosure requirements.

Controllers must embed PDPA compliance into product development lifecycles. Product councils should require privacy impact assessments (PIAs) for new features that involve personal data or automated decision-making, referencing PDPA requirements for risk assessments on high-risk processing (targeted ads, profiling, sensitive data handling, or selling personal data).

Legal teams should update data processing agreements (DPAs) to include PDPA-specific clauses covering subprocessor transparency, breach notification timelines, and cooperation on audits. Vendor management offices must catalog processors and contractors handling Delaware residents’ data, confirm they can honor universal opt-out signals, and ensure data retention schedules align with PDPA purpose limitation and minimization requirements.

Universal opt-out orchestration: The PDPA obliges controllers to recognize authenticated universal opt-out signals beginning 1 January 2026, but Delaware encourages preventive adoption from 2025. Controllers should integrate global privacy control (GPC) signals and other state-defined mechanisms into consent management platforms, browsers, and mobile SDKs. Engineering teams must ensure signals propagate through advertising technology stacks, data clean rooms, customer data platforms (CDPs), and email marketing tools. Where technical conflicts arise, documentation should record the rationale, mitigation steps, and alternative methods offered to consumers to express preferences.

Controllers should set up a suppression management service that consolidates opt-outs from web forms, preference centers, customer support interactions, and universal opt-out signals. This service must synchronize with downstream partners—demand-side platforms (DSPs), social networks, affiliate marketers, and data brokers—via API updates, hashed suppression lists, or contractual obligations. During audits, controllers should be prepared to show that opt-out requests were processed within 15 days, that suppression lists are version-controlled, and that opt-out preferences remain intact after data migrations or system upgrades.
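The opt-out orchestration and suppression service described in the two paragraphs above, as an added example that is not part of the original briefing: it detects the Global Privacy Control signal (the real `Sec-GPC: 1` request header), folds it into a hashed, versioned suppression list alongside other sources, and flags entries that pass the 15-day window without a recorded partner sync. The source names, the partner-sync bookkeeping and treating the 15-day window as a hard deadline are assumptions.

```python
"""Added example (not from the briefing): a minimal suppression-management
service folding opt-outs, including Global Privacy Control (GPC) signals,
into one versioned hashed list. Source names and sync bookkeeping are assumed."""
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta

OPT_OUT_DEADLINE_DAYS = 15  # the briefing's audit expectation for opt-outs


def gpc_signal_present(headers: dict) -> bool:
    """GPC is carried in the HTTP request header 'Sec-GPC: 1'."""
    return headers.get("Sec-GPC", headers.get("sec-gpc", "")).strip() == "1"


def hash_identifier(email: str) -> str:
    """Normalize then hash so partner lists never carry raw emails."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


@dataclass
class SuppressionService:
    entries: dict = field(default_factory=dict)  # identifier hash -> record
    version: int = 0

    def record_opt_out(self, email: str, source: str, received: date) -> dict:
        h = hash_identifier(email)
        self.version += 1
        rec = {"hash": h, "source": source, "received": received,
               "deadline": received + timedelta(days=OPT_OUT_DEADLINE_DAYS),
               "version": self.version, "synced": []}
        # Keep the earliest receipt so a repeat request never slips the deadline.
        if h not in self.entries or received < self.entries[h]["received"]:
            self.entries[h] = rec
        return self.entries[h]

    def ingest_request(self, headers: dict, email: str, received: date):
        """Treat a GPC signal on an authenticated session as an opt-out."""
        if not gpc_signal_present(headers):
            return None
        return self.record_opt_out(email, "gpc", received)

    def mark_synced(self, email: str, partner: str) -> None:
        self.entries[hash_identifier(email)]["synced"].append(partner)

    def overdue(self, today: date) -> list:
        """Opt-outs past the 15-day window with no partner sync recorded."""
        return [r for r in self.entries.values()
                if not r["synced"] and today > r["deadline"]]

    def export_hashed_list(self) -> dict:
        """Versioned hashed list for DSPs and data brokers (no raw identifiers)."""
        return {"version": self.version, "hashes": sorted(self.entries)}
```

The `overdue` output is the audit artefact to watch: any entry in it is an opt-out the controller cannot evidence as propagated within the window the briefing expects.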

Consumer rights operations: Delaware requires controllers to authenticate requests and permits a single 45-day extension when reasonably necessary. Customer support teams should receive training on PDPA request categories, identity verification procedures, and appeal rights. Case management platforms must log timestamps, request types, verification status, response content, and appeals outcomes. Automated workflows can flag requests involving sensitive data or minors for additional scrutiny. Controllers should also provide at least two contact methods—such as a toll-free telephone number and secure web form—to receive requests, ensuring accessibility for consumers with disabilities or limited internet access.

Youth and sensitive data protections: The PDPA’s opt-in requirement for consumers aged 13–17 extends beyond most other US privacy laws. Controllers should implement age assurance strategies proportionate to risk, combining self-declaration with back-end signals (such as account history or transaction data) and minimizing data collection to avoid violating children’s privacy rules. Marketing teams must disable targeted advertising segments for teen audiences unless opt-in consent is captured and logged. For sensitive data categories (race, religion, health, precise geolocation, biometric identifiers, sexual orientation, or citizenship status), controllers must collect explicit consent and present clear withdrawal options, documenting how consent was captured and how revocation was processed.

Evidence and assurance expectations: Delaware’s Attorney General can request documentation demonstrating compliance. Controllers should maintain an evidence repository that stores privacy notices, PIAs, risk assessments, opt-out logs, consent records, and training attestations. Audit trails should capture system configurations for universal opt-out recognition, including screenshots of browser preference detection, API payload samples, and vendor compliance certifications. Internal audit or an independent assessor should review PDPA readiness before year-end 2024, testing a sample of DSRs, opt-out signals, and profiling assessments to confirm procedural adherence.

Legal teams should script regulatory response playbooks covering breach notification obligations under Delaware’s data breach statute (6 Del. C. § 12B-102) and PDPA enforcement protocols. Board oversight materials should include KPIs such as DSR volume, average response time, opt-out fulfillment rates, consent withdrawal trends, and unresolved appeals. Boards should receive root-cause analyses for any missed deadlines or sustained complaints, along with remediation plans and deadlines.

Integration with other regimes: Many Delaware businesses operate nationally. Compliance programs should harmonize PDPA obligations with California CPRA, Virginia VCDPA, Colorado CPA, Connecticut Data Privacy Act, and Utah Consumer Privacy Act requirements. Controllers should maintain a privacy law matrix that lists universal opt-out effective dates, consent thresholds, dark pattern prohibitions, and enforcement risks across states. Harmonization prevents fragmented customer experiences and reduces the likelihood of inconsistent statements in privacy policies or consumer communications.

Action plan for 2024: Conduct a PDPA gap assessment; refresh data inventories and records of processing; deploy or upgrade consent management tools to ingest universal opt-out signals; rewrite privacy notices to include PDPA disclosures; rehearse DSR fulfillment and appeal workflows; update vendor contracts; and schedule internal audit reviews. By Q3 2024, controllers should execute table-top exercises for enforcement scenarios, including simultaneous PDPA and CPRA requests, to test evidence readiness and governance escalation paths.

Future Outlook and Considerations

If you are affected, monitor developments in this area and prepare for potential evolution of requirements, practices, or technologies. Understanding the broader trajectory helps inform strategic planning and investment decisions.

Industry engagement through working groups, standards bodies, and peer networks provides early insight into emerging expectations and good practices. Active participation can influence outcomes and ensure organizational interests are considered in future developments.

Controller-processor coordination

Delaware's privacy act requires specific contractual provisions with processors. Review existing processor agreements against Delaware requirements, prioritize the amendments needed to close gaps, and establish tracking mechanisms for contract compliance. Document negotiation timelines and compliance commitments.

Consumer rights workflow integration

Integrate Delaware consumer rights handling with existing multi-state privacy operations. Configure intake systems to identify Delaware residents, route requests appropriately, and apply Delaware-specific response timelines. Test end-to-end workflows before enforcement begins.

Cited sources

  1. Delaware HB 154: Personal Data Privacy Act — legis.delaware.gov
  2. Governor Carney signs strongest-in-the-nation data privacy legislation — news.delaware.gov
  3. ISO 37301:2021 — Compliance Management Systems — International Organization for Standardization