Updated: December 12, 2023
Published: November 17, 2023
The patchwork of U.S. states enacting consumer data privacy laws continues to expand with the Delaware Personal Data Privacy Act (DPDPA).
The law is being touted as “the strongest data privacy bill in the nation.” While that’s not exactly the case — California still holds this title — it is more consumer-friendly than other state laws, and it applies to more businesses (and not just large companies).
Let’s explore the DPDPA and what it means for companies doing business with Delawareans.
As a reminder, while there are laws that protect certain types of data, like health information, there’s no federal law dictating how personal data is collected, stored, or shared. Not only do consumers not know what data is being collected, they don’t know how it’s being shared or used.
To address this, states are implementing their own data protection laws, granting consumers rights and imposing obligations on those who collect, process, store, or sell consumer data.
Delaware is the 12th state in the nation to implement a comprehensive data privacy act giving consumers more control over their personal data. The law takes effect Jan. 1, 2025, and allows an additional year before controllers must begin recognizing universal opt-out mechanisms.
So far, exemptions have left some entities relatively unscathed by state privacy acts. Delaware’s privacy act, though, has lower applicability thresholds, which means some companies that haven’t had to comply in the past will now be on the hook for DPDPA compliance.
DPDPA applies to any company that does business in the state or produces products or services that are targeted to residents of the state and that, during the previous calendar year, met one of the following:
The 35,000-consumer threshold is the lowest among data privacy laws so far. This, combined with the gross revenue threshold — just 20 percent — means the DPDPA will apply to more small and medium-sized companies than its predecessors.
Like other laws, the DPDPA provides exemptions based on the entity and type of data.
Exempt entities include government bodies, higher education institutions, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), nonprofit organizations dedicated to preventing insurance crime, entities registered under the Commodity Exchange Act, and national securities associations registered under the Securities Exchange Act.
The list of exempt data types is longer but is still relatively standard among privacy laws. It includes:
The DPDPA aligns with all other state laws in terms of the rights it grants consumers, including the rights to:
Confirm whether a controller is processing their personal data and to access such personal data (unless access would reveal a trade secret).
Correct inaccuracies in their personal data.
Delete personal data provided by or obtained about the consumer.
Obtain a copy of their data collected in a portable and readily usable format.
Obtain a list of categories of third parties to which the controller has disclosed their personal data.
Opt out of the processing of their personal data for targeted advertising, sale, or profiling.
Again, comparable to other laws, the DPDPA gives controllers 45 days to respond to a consumer’s request, allows an extension of 45 days in certain circumstances, and requires the controller to notify the consumer if they decline to take action as well as provide instructions for appealing the decision.
Delaware’s privacy law requires controllers to limit the collection of personal data to what is “adequate, relevant, and reasonably necessary” based on the purpose disclosed to the consumer, and not to process it otherwise.
It also states that controllers must establish safety and security measures to protect consumers’ personal data. Companies can’t process data in a way that would enable discrimination, nor can they discriminate against consumers who exercise their rights.
Controllers must gain opt-in consent to process sensitive data or data of a known child.
Finally, controllers must provide consumers with a privacy notice that gives them a clear explanation of what data they collect, how it’s used and shared, how to exercise their rights, and how to opt out of the sale of personal data and use of their data for targeted advertising.
Processors, meaning those who process data on behalf of a controller, must help controllers meet their obligations and must operate under a contract that governs data processing procedures.
Delaware joins several other states that require Data Protection Assessments, including California, Colorado, Connecticut, Indiana, Montana, Oregon, Tennessee, Texas, and Virginia.
If you control or process data of at least 100,000 consumers, Delaware’s privacy law says you must conduct a data protection assessment for any activity that presents a heightened risk of harm to a consumer. These activities include:
The DPDPA gives enforcement authority to the Delaware Department of Justice (DOJ).
As under other state laws, those who violate the DPDPA are given a right to “cure” the violation. The DPDPA doesn’t specifically outline the penalty for violating the law, but states that the Department may “investigate and prosecute violations of this chapter in accordance with the provisions of Subchapter II of Chapter 25 of Title 29.” In other words, if you break the law, the penalty could be up to $10,000 per violation.
The cure period, which is 60 days, is only meant to help businesses transition to the law. Like the laws of several other states, including Oregon, California, Connecticut, and Colorado, Delaware’s cure period “sunsets” on Jan. 1, 2026. The idea is that over time, businesses should know and understand what is expected of them and ensure they’re in compliance before they receive an enforcement notice.
After the cure period sunsets, the Department can choose whether to provide a cure period based on several factors, such as the number of violations, size and complexity of the controller or processor, likelihood of injury to the public, and other considerations.
Many Delaware businesses, as well as companies that operate in multiple states, will need to make sure they understand the DPDPA and its requirements for protecting consumers’ data. Seek out legal counsel and work to create compliant policies and procedures that meet the law’s requirements.
If you find your head swirling with all the new and upcoming laws, it may be time to look into Osano’s Consent Management Platform, which can take the headache out of maintaining compliance with not just Delaware’s law, but other state laws and those still on the horizon.
The Delaware Personal Data Privacy Act goes into effect Jan. 1, 2025.
Sensitive data is defined as data that reveals:
DPDPA states that sensitive data can’t be processed without the consumer’s (or their parent or guardian’s) consent.
No. When the DPDPA was passed, the only state with a private right of action was California, and only in certain circumstances.
Businesses must recognize Global Privacy Controls (GPC) and other universal opt-out mechanisms by Jan. 1, 2026.
The U.S. now has 12 comprehensive state data privacy laws, with many others potentially on the way. Managing the complexity of such a dispersed landscape can be challenging; however, there are common steps any organization can take to prepare.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.