Governor John Carney signed the Delaware Personal Data Privacy Act (DPDPA). This makes Delaware the 12th state in the US to have a consumer privacy law. The law will take effect on 1 January 2025.
The DPDPA gives consumers the right to know:
Consumers will also be able to request and receive a list of the third parties who have access to their data, and they can opt out of allowing their information to be used for targeted advertising.
The DPDPA covers a broader range of businesses than other states' privacy laws. It applies to companies doing business in Delaware if they control or process the personal information of at least 35,000 consumers or if they derive more than 20% of their gross revenues from the sale of the personal data of as few as 10,000 consumers.
Despite covering the widest range of businesses of any state privacy law, Delaware's law does not provide a private right of action that would allow consumers to pursue individual complaints. Instead, enforcing the DPDPA is left to be done by the State's Department of Justice, which can issue a notice to any company found to be in violation. Before the department can take action, the notice gives the company at least 60 days to correct the violation.
Delaware has generally adopted the model set out by other states. However, it has some distinctive provisions, including a lower application threshold, a more expansive definition of sensitive personal information, special protections for teenagers between the ages of 13 and 18, and additional data access rights, among others.