Navigating the Patchwork: An In-Depth Look at Delaware’s Personal Data Privacy Act (DPDPA)

Introduction

As organizations across the U.S. adapt to an array of new and evolving state privacy laws, the importance of understanding—and complying with—local requirements is more critical than ever. In this ninth installment of our ongoing series on data protection and privacy legislation, we turn our attention to the Delaware Personal Data Privacy Act (DPDPA), shedding light on its key provisions, practical implications, and compliance considerations. We’ll also highlight the vital importance of secure data deletion, introducing solutions like Active@ KillDisk and KillDisk Industrial as effective tools for meeting regulatory requirements and building customer trust.

Delaware’s Approach to Data Privacy: The Basics

Delaware, often heralded as a corporate-friendly state, formally adopted the DPDPA with the passage of House Bill 154, sponsored by Representative Krista Griffith. The bill was approved by the state legislature on June 30, 2023, and signed into law on September 11, 2023. It went into full effect on January 1, 2025. The law provides modern and meaningful privacy protections for Delaware residents, reflecting the increasingly data-driven nature of commercial activity and aiming to give Delawareans stronger control over their personal information while balancing the needs of businesses.

Scope and Applicability

The DPDPA applies to businesses that conduct activities in Delaware or target products and services to Delaware residents, provided they meet thresholds based on data volume or revenue sourced from data activities. While inspired by broader laws such as California’s CPRA and Virginia’s VCDPA, Delaware’s law takes a more moderate approach, focusing narrowly on core data rights and sensitive data handling.

Which businesses must follow the DPDPA?

The DPDPA applies to any company that either operates in the state or sells products and services to people who live there. A business falls under this new law if, in the last calendar year, it met one of these two conditions:

  • It handled the personal information of 35,000 or more people, not counting data used only to complete a payment.
  • It handled the personal information of at least 10,000 people and derived more than 20% of its total revenue from selling that data.

These numbers may seem high, but the 35,000-person limit is actually the lowest threshold of any data privacy law so far in the U.S. On top of that, the revenue requirement — only 20% — is relatively easy to meet for businesses involved in selling data. Because of these lower thresholds, the DPDPA is likely to apply to many more small and medium-sized companies than previous privacy laws, meaning that businesses that may not have been affected before will now have to follow new rules for how they collect, store, and sell personal information.

Key Consumer Rights Under Delaware’s Law

Enhanced Sensitive Data Protections

Delaware places particular emphasis on “sensitive data”— a category encompassing information such as racial or ethnic origin, religious beliefs, health conditions, sexual orientation, precise geolocation, and biometric identifiers. Businesses are required to obtain explicit, opt-in consent before collecting or processing such sensitive personal data. This step elevates the level of consumer protection and requires organizations to re-evaluate their consent management systems and data collection practices.

Consumer Rights: Limited but Impactful

While Delaware offers more moderate consumer data rights compared to some other states, individuals are still empowered in several important ways. Core rights under the DPDPA include:

  • Right to Access: Consumers may request information regarding what personal data has been collected about them and how it is being used.
  • Right to Delete: Delawareans can have their personal data covered by the Act deleted upon request, subject to certain exceptions.
  • Right to Correct: Individuals can ask businesses to rectify inaccuracies in their personal data.
  • Right to Data Portability: Consumers can receive a copy of their personal data in a portable, easy-to-use format.
  • Right to a List of Third Parties: Consumers can obtain a list of the categories of third parties with whom their personal data has been shared.
  • Right to Opt-Out: Delawareans can opt out of the sale of their personal data, refuse targeted advertising, and object to certain types of profiling.

Similar to other state privacy laws, the DPDPA requires businesses to respond to consumer requests within 45 days, with the option to extend that deadline by another 45 days in certain cases. The scope and procedural details of these rights are somewhat narrower than in California or Colorado, providing a moderate compliance burden for organizations.

Notice and Transparency Requirements

Clear communication is vital. The DPDPA mandates that companies provide comprehensive privacy notices, informing consumers about:

  • Categories of personal data collected,
  • The purpose for which data is processed,
  • Consumer rights and how to exercise them,
  • Categories of third parties with whom data is shared.

Data Security and Vendor Management

The Act requires businesses to maintain “reasonable” security measures appropriate to the nature of the collected data and its risk profile. Additionally, organizations working with processors or vendors must ensure contractual obligations are in place that enforce data security, confidentiality, and prompt compliance with consumer data requests.

Enforcement and Remedies

Delaware’s Attorney General is responsible for enforcing the DPDPA. Civil penalties are available for non-compliance, but the focus is on remediation—businesses are frequently given the opportunity to cure violations before penalties are imposed. This gives organizations a chance to address issues swiftly but does not diminish the importance of strong internal controls. There is no private right of action for consumers, which reduces the immediate litigation risk compared to some other states.

DPDPA Exemptions

Some organizations and types of data are not covered by the DPDPA.

Who’s exempt:

  • Government agencies
  • Colleges and universities
  • Banks and financial institutions (GLBA)
  • Certain non-profits fighting insurance fraud
  • Registered financial market organizations

What data is exempt:

  • Health information protected by HIPAA or used for public health purposes
  • Credit-related financial details
  • Data covered by other laws (DPPA, FERPA, Farm Credit Act)
  • Job-related or emergency contact info
  • Airline pricing, route, and service data
  • Victim/witness details for certain crimes (by eligible nonprofits)

DPDPA’s Restrictiveness: Balancing Business and Consumer Interests

Delaware’s law strikes a moderate balance. Its provisions are comprehensive enough to ensure meaningful consumer protections, particularly regarding sensitive data, but the overall restrictiveness for businesses is less than in some pioneering states like California. For example, the limited array of consumer rights, the centralization of enforcement, and the existence of remedial cure periods collectively reduce the compliance pressure, even as data minimization and robust security remain paramount.

Data Disposal Obligations and the Case for Data Sanitization

A recurring theme throughout the DPDPA—and similar state laws—is the consumer’s right to have their personal data deleted. For businesses, this translates into a technical imperative: how do you ensure that deleted data is, in fact, unrecoverable?

Simply marking files for deletion or reformatting drives is not enough; modern forensic techniques can recover such information, posing a threat to both compliance and security. True compliance demands data sanitization—secure, verifiable, and irreversible deletion of personal information from all systems and devices.

Practical solutions: Active@ KillDisk and KillDisk Industrial

To reliably meet the DPDPA’s data deletion requirements, consider advanced tools such as Active@ KillDisk and KillDisk Industrial. These solutions are designed to:

  • Completely erase data from hard drives, SSDs, and removable storage using industry-standard sanitization methods (such as those specified in IEEE 2883 and NIST SP 800-88).
  • Provide reports and audit logs to demonstrate compliance with deletion and data disposal policies.
  • Scale from individual devices to enterprise-wide fleets with the industrial edition, making them appropriate for organizations of all sizes.

By integrating KillDisk products into your data management workflow, you increase your organization’s protection against regulatory penalties and demonstrate a serious commitment to consumer privacy.
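As an added illustration of the two points above (the gap between deleting and sanitizing, and the need for verifiable evidence), here is a constructed toy example in Python; it is not code from this article or from the KillDisk products. The in-memory "disk image", its one-entry directory, the sample record and the device id are all assumptions made for the demonstration.

```python
import hashlib
import os
from datetime import datetime, timezone

SECTOR = 512
MARKER = b"SSN=000-00-0000"  # constructed sample record, not a real value


def new_image(sectors=64):
    """Constructed stand-in for raw media: random bytes plus a 'directory' dict."""
    return bytearray(os.urandom(SECTOR * sectors)), {}


def write_record(image, directory, name, payload, sector):
    """Store a 'file': payload lands in the sector, directory maps name -> sector."""
    image[sector * SECTOR:sector * SECTOR + len(payload)] = payload
    directory[name] = sector


def residual_data_present(image, needle=MARKER):
    """Raw-media scan that ignores the directory: is the known record still there?"""
    return image.find(needle) != -1


def overwrite_all(image, pattern=b"\x00"):
    """Single-pass overwrite of every sector (a NIST SP 800-88 'Clear'-style pass)."""
    fill = (pattern * SECTOR)[:SECTOR]
    for s in range(0, len(image), SECTOR):
        image[s:s + SECTOR] = fill


def verify_overwrite(image, pattern=b"\x00"):
    """Read-back verification: report every sector that does not match the pattern."""
    fill = (pattern * SECTOR)[:SECTOR]
    bad = [s // SECTOR for s in range(0, len(image), SECTOR) if image[s:s + SECTOR] != fill]
    return {"verified": not bad, "failed_sectors": bad}


def sanitize_and_audit(image, device_id="constructed-device-01"):
    """Wipe, verify, and return the evidence a disposal log would keep."""
    overwrite_all(image)
    result = verify_overwrite(image)
    result.update(device=device_id, sectors=len(image) // SECTOR,
                  timestamp=datetime.now(timezone.utc).isoformat(),
                  media_sha256=hashlib.sha256(image).hexdigest())
    return result


def demo():
    """Ordinary delete leaves the record on the media; the verified wipe removes it."""
    image, directory = new_image()
    write_record(image, directory, "customer.txt", MARKER, sector=5)
    del directory["customer.txt"]                  # an ordinary delete: metadata only
    after_delete = residual_data_present(image)    # still True
    audit = sanitize_and_audit(image)
    return after_delete, residual_data_present(image), audit
```

On SSDs an overwrite issued through the operating system does not reach remapped or over-provisioned blocks, which is one reason NIST SP 800-88 distinguishes overwriting from the drive's own sanitize commands. The read-back check here is the evidence step, not a substitute for choosing the right sanitization method for the media.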

Conclusion: Delaware’s Place in the U.S. Data Privacy Landscape

The Delaware Personal Data Privacy Act reflects a growing acknowledgement that privacy is a core component of consumer protection, even in states with a business-friendly reputation. While its requirements may be “moderate” compared to the nation’s most restrictive laws, organizations should not underestimate their significance. Compliance can serve as a foundation for a robust, adaptable privacy program—especially as more states and countries move ahead with similar legislation.

Organizations should see compliance not as a burden, but as an investment—laying the groundwork for scalable privacy programs as more jurisdictions adopt similar frameworks. Proactive adoption of secure deletion tools like KillDisk ensures both compliance and trust in an ever-evolving privacy environment.
