Blog details

The Delaware Personal Data Privacy Act: A Comprehensive Overview

The Delaware Personal Data Privacy Act: A Comprehensive Overview

With the introduction of the Delaware Personal Data Privacy Act, Delaware has joined the ranks of US states with their own consumer privacy laws.


Governments worldwide are enacting legislation to safeguard individuals’ sensitive information and hold businesses accountable for its protection. The Delaware Personal Data Privacy Act (DPPA) is one such regulation that aims to ensure data privacy in the United States, within the state of Delaware. The DPPA was signed into law on September 11, 2023, and will come into effect January 1, 2025. Delaware now joins the likes of California, Utah, Colorado, Connecticut, Virginia, Iowa, Indiana, Tennessee, and Florida, among others, as states with their own consumer privacy laws.


The DPPA safeguards the personal information of Delaware residents and applies to businesses collecting and processing personal data of Delaware consumers, regardless of their physical presence in the state.


The DPPA is a state-level privacy law that aims to protect the personal information of Delaware residents. The law applies to businesses that collect and process personal data of Delaware consumers, regardless of whether the business operates physically in Delaware or not. This Act applies specifically to businesses which during the previous calendar year either controlled or processed personal data of not less than 35,000 Delaware residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or

controlled or processed personal data of not less than 10,000 Delaware residents and derived more than 20 percent of its gross revenue from the sale of personal data. Unlike some other US State Data Privacy Laws, the Delaware Personal Data Privacy Act does not provide general exclusions for nonprofits and institutions of higher learning. This means that these organizations are equally obligated to comply with the Act’s provisions concerning personal data protection. It is crucial for nonprofits and institutions of higher learning to also familiarize themselves with these requirements to avoid potential violations and penalties.


The DPPA ensures individuals’ rights to know, control, and protect their personal data collected by businesses.


Under the DPPA, personal data is broadly defined and includes information that can identify an individual, such as names, addresses, social security numbers, financial information, and online identifiers. The scope of the DPPA includes several key provisions:


  1. Consumer Rights: The DPPA grants Delaware residents certain rights regarding their personal data. This includes the right to know what data is being collected, the purpose for collecting it, and who it is being shared with. Individuals have the right to access, correct, delete, and obtain a copy of their personal data.


  1. Consent: Businesses covered by the DPPA must obtain explicit consent from consumers before collecting and processing any sensitive data relating to individuals. Consent should be freely given, specific, and informed. Consumers also have the right to withdraw their consent at any time.


  1. Data Breach Notification: In the event of a data breach, businesses are required to notify affected individuals without undue delay. The notification should include the nature of the breach, the categories of personal data involved, and the steps individuals can take to protect themselves.


  1. Opt-Out of Sale: The DPPA provides consumers with the right to opt-out of the sale of their personal data to third parties. Businesses must provide a clear and conspicuous method for consumers to exercise this right.


  1. Non-Discrimination: The DPPA prohibits businesses from discriminating against consumers who exercise their rights under the law. Businesses cannot deny goods or services, charge different prices, or provide a lower quality of service based on a consumer’s exercise of their privacy rights.


In cases where a violation of the Delaware Personal Data Privacy Act has been established, various enforcement measures can be invoked. The act allows courts to order the violating business to pay civil penalties of up to US$10,000 for each willful violation. These penalties aim to deter non-compliance and underscore the seriousness with which data privacy is regarded.


Businesses operating in Delaware must prioritize data privacy and take proactive steps to ensure compliance with the Delaware Personal Data Privacy Act. 


Data privacy is of utmost importance when handling personal data under the DPPA. To ensure compliance and protect individuals’ privacy, businesses should implement a comprehensive set of measures. One crucial aspect is providing clear and concise privacy notices to individuals. These notices should be easily accessible and written in plain language, avoiding complicated jargon. By outlining the types of data collected, how it will be used, and any third parties with whom it may be shared, businesses can foster transparency and empower individuals to make informed decisions about their data. To further enhance data protection, organizations may consider designating a data protection officer (DPO). The DPO acts as a focal point for all data-related matters within the organization, ensuring accountability and overseeing compliance with the DPPA. A DPO plays a vital role in implementing the right internal policies and procedures, as well as handling data breach incidents, if they occur. Additionally, businesses must recognize that data privacy laws can evolve over time. As such, it is essential to stay updated on any changes or amendments to the DPPA. 

Discover how Aphaia can elevate your data protection strategy to new heights. We specialize in empowering organizations like yours with cutting-edge solutions designed to not only meet but exceed the demands of today’s data security landscape. Contact Aphaia today to find out more.

Prev post
European Data Act enters into force
January 25, 2024
Next post
The Indiana Consumer Data Protection Act: continuing the trend of state level Privacy law in the US
February 8, 2024