Support Centre



Law: The Delaware Personal Data Privacy Act (DPDPA)

Regulator: Consumer Protection Unit of Delaware's Department of Justice 

Summary: On September 11, 2023 the Delaware Governor signed House Bill 154 creating the DPDPA, which will enter into force on January 1, 2025. The DPDPA introduces obligations for controllers, including data processing principles, the publication of a privacy notice, requirements to conduct a Data Protection Assessment, and contracts between controllers and processors. Additionally, the DPDPA provides for data subject rights including the right to be informed, access, correct, delete, obtain a copy of personal data, as well as the right to opt-out of certain processing activities.  Notably, the DPDPA specifies that the Department of Justice has exclusive authority to enforce its provisions.

Regarding breach notification, on August 17, 2017, the Delaware Governor signed into law an Act amending the Delaware Code as it relates to security breaches involving personal information. Specifically, the Act revised the definition of what constitutes a security breach and expanded data breach notification requirements, in addition to creating a new requirement for businesses in Delaware to implement and maintain reasonable security safeguards to protect personal information.

In addition, Delaware has enacted a number of sector-specific laws governing, among other things, student data privacy, employee privacy, health privacy, and data security in the insurance sector. For instance, the Student Data Privacy and Protection Act is modelled after California's legislation and requires Delaware's Department of Education to promulgate extensive rules to protect the privacy of student data, mandates limits on transfer of student personal identifiable information, and creates online restriction regarding personal identifiable information and child marketing.


The Delaware Personal Data Privacy Act (DPDPA) was signed into law in September 2023 and becomes effective on January 1, 2025. While the DPDPA shares many similarities with other comprehensive state privacy laws, it is not identical. In this Insight article, Tara Cho, from Womble Bond Dickinson, highlights the key requirements for covered businesses to consider.  

On September 11, 2023, the Delaware Personal Data Privacy Act (DPDPA) was signed into law by the Governor of Delaware, John Carney. The provisions of the DPDPA will enter into force on January 1, 2025. 

The Delaware Personal Data Privacy Act was introduced, on May 12, 2023, to the Delaware House of Representatives. Since then, the Act has passed both the House of Representatives and the Senate and was signed by the Governor of Delaware, John Carney, on September 11, 2023. The Act introduces obligations applicable to both data controllers and data processors as well as consumer rights, and will enter into effect on January 1, 2025.