The DPDPA requires businesses to implement a cookie consent mechanism—such as a banner with a preference center—to provide transparency and collect opt-ins or opt-outs for targeted advertising, data sales, profiling, and the processing of sensitive data. Are you compliant?
The Delaware Personal Data Privacy Act (DPDPA) was signed into law on September 11, 2023, and took effect January 1, 2025. It’s a comprehensive state privacy law granting rights to Delaware consumers and imposing obligations on controllers/processors regarding personal data handling.
Businesses should do the following to comply with the Delaware DPDPA:
Update privacy policy: Update privacy policies with Delaware-specific disclosures.
Implement consent management: Implement cookie consent banners and opt-out flows to obtain clear, affirmative consent.
Data subject handling: Establish processes for handling data subject requests.
Data security: Ensure data security measures are in place.
Review and disclose data and cookie practices: Disclose data handling practices, including collection, storage and sharing of cookie types, purposes, etc.
Consult legal counsel and consider using a consent management platform (CMP) for ease of compliance.
DPDPA Delaware applies to any controller or processor that:
Conducts business in Delaware or targets Delaware residents; and
In the previous year, either processed data of ≥ 35,000 consumers (excluding payment-only data) or processed data of ≥ 10,000 consumers and derived over 20% of gross revenue from sale of personal data.
Exemptions include government bodies (excluding higher-ed), GLBA-regulated financial institutions, entity-level nonprofit carve-outs (e.g., anti-insurance-fraud), as well as data-level exemptions (HIPAA-covered info, FERPA, FCRA, DPPA, Airline Deregulation, COPPA for children under 13, etc.).
Delaware consumers have the following rights:
Consumers can access and confirm processing of personal data.
Consumers can request to correct inaccuracies.
Consumers can request that their personal data be deleted.
Consumers have a right to port/download/transmit their information in a usable format.
Consumers can opt out of the sale of personal data, targeted advertising, and profiling that produces legal/significant effect.
Consumers can obtain a list of specific third parties who received their data.
Additionally, controllers must respond within 45 days (with a possible 45-day extension) and provide an appeals process.
Cookies that collect data linked to an identifiable individual—such as IP addresses, browser history, or geolocation—are considered personal information. As such, businesses must:
Disclose cookie usage (types, purposes, third parties).
Obtain clear, affirmative consent for non-essential cookies tied to targeted advertising, profiling, data sales, and processing of sensitive data.
Honor opt-outs via both on-site flows and universal preference signals by 2026.
Penalties for DPDPA non-compliance are enforced by the Delaware Department of Justice:
Up to 10,000 USD per violation.
Enforcement includes a 60-day cure period (in effect until December 31, 2025). Post-sunset, cure is discretionary.
No private right of action—only DOJ enforcement.
To check your compliance with the DPDPA, organizations should:
Audit: Conduct a data audit to identify all cookies and trackers on their websites.
Categorize: Categorize cookies (e.g., necessary, preference, analytics, marketing).
Implement consent management: Ensure consent banners are implemented correctly with granular choices, enable users to withdraw consent at any time, and maintain consent logs.
Check third-party contracts: Review third-party data-sharing practices.
The DPDPA covers controllers and processors doing business in Delaware or targeting its residents and meeting data volume or revenue thresholds (≥ 35k users or ≥ 10k users plus over 20% revenue from data sales).
Any information linked or reasonably linkable to an identified or identifiable individual (e.g., names, emails, IPs), excluding de-identified or publicly available info.
Data revealing race, religion, health/medical conditions (including pregnancy), sex life/orientation (including trans/non-binary), citizenship, genetic or biometric data, precise geolocation, and personal data of a known child.
The Delaware Department of Justice, Consumer Protection Unit, enforces the law—there’s no private lawsuit provision.
Exemptions include state agencies (except universities), GLBA-regulated financial entities, specified nonprofits, and data already regulated under laws like HIPAA, FERPA, FCRA, COPPA, Airline Deregulation Act, DPPA, etc.
Consult Delaware DOJ FAQs and statute: Delaware AG website and HB 154 in Delaware Code.
©2018-2025 CookieHub ehf.