Compliance Briefing — August 18, 2025
Delaware’s Personal Data Privacy Act has shifted enforcement toward youth data governance, requiring opt-in consent for sales or targeted advertising involving consumers under 18 and heightened processor controls eight months after go-live.
Executive briefing: Delaware’s Personal Data Privacy Act (DPPA) has applied since January 1, 2025 to controllers processing 35,000 consumers’ data (excluding payment-only transactions) or 10,000 consumers with more than 20% of gross revenue from selling personal data. By August, the Department of Justice is scrutinizing opt-in mechanisms for teenagers: controllers must obtain affirmative consent before selling or using personal data for targeted advertising when the individual is between 13 and 17, and may not process children’s data for those purposes at all without parental consent. Section 12B-107 also obligates documented data protection assessments for high-risk activities.
Key compliance checkpoints
- Youth opt-in management. Validate that consent experiences capture age, store consent receipts, and synchronize revocation across adtech, CRM, and CDP systems.
- Sensitive data gating. Enforce opt-in for precise geolocation, genetic, biometric, and immigration-status data, and confirm processors can delete or return data at contract termination.
- Assessment evidence. Maintain risk assessments for targeted advertising, sale of personal data, profiling, and processing of sensitive data, as required under Section 12B-107.
Operational priorities
- Processor contracts. Insert confidentiality, audit, and duty-to-assist clauses in line with Section 12B-106, and require downstream subcontractor disclosure rights.
- Appeals workflow. Ensure denied consumer requests trigger a 45-day appeal process with escalation contacts for the Delaware DOJ.
- Consent telemetry. Feed marketing platforms with consent metadata so campaign targeting rules automatically exclude teens lacking verified opt-in.
Enablement moves
- Refresh privacy notices to disclose categories of third parties receiving personal data, the purposes of processing, and instructions for teen opt-in and withdrawal.
- Train product and advertising teams on Delaware’s prohibition against dark patterns that subvert or impair consumers’ choices.
Sources
- Delaware HB 154 (DPPA) final text
- Delaware DOJ announcement of DPPA obligations
- IAPP analysis of Delaware’s teen privacy provisions
Zeph Tech calibrates Delaware DPPA compliance by operationalizing youth consent intake, processor contract governance, and defensible assessment evidence.