• Blog
  • Delaware Personal Data Privacy Law to Arrive in January 2025

Delaware Personal Data Privacy Law to Arrive in January 2025

Simon Coulthard September 18, 2023

6-minute read

The Delaware Data Privacy Law (DPDPA) was signed by Governor John Carney on September 11, 2023. 

It will correspondingly come into force on 1st January 2025, and will be preceded by a public outreach effort from July 2024. 

Read the full text of the bill on the Delaware State Government’s website.


Unlock Your Website's True Potential

Our advanced website intelligence solution will enable anyone to grow their website quickly - all while also staying data privacy compliant!

GET STARTEDcircle-arrow-right.svg

Scope of Delaware Data Privacy Law

Delaware’s incoming DPDPA law applies to any business that operates in the state, or equally processes the personal data of more than 35,000 Delaware consumers. And for businesses that make more than 20% of their gross annual income from the sale of personal data, this threshold drops down to 10,000 Delaware consumers.

However, businesses have ample time to prepare. The law does not take effect until January 1st, 2025, and the Department of Justice will also carry out a state-wide public awareness campaign in the six months preceding its enactment.

This will firstly provide Delaware’s internet users with information about their rights under the law. And secondly, it will also inform businesses about their new legal obligations.

The department also plans to hire more staff to better educate the public about their rights. It additionally needs this extra manpower to effectively enforce the law and hold businesses accountable once the law comes into force.

Strictest US-state Data Privacy Law to Date

By passing DPDPA, Delaware is the 11th state in the union to roll out personal data protection legislation after California. Other states with similar laws are Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, and also Oregon.

The DPDPA was largely modeled on laws in Connecticut and also Virginia. However it is stricter than these or other US state laws, and also applies to a wider range of businesses.

By comparison, Delaware’s 35,000 consumer threshold is far lower than the 100,000 found in Colorado, Iowa, Indiana, and Oregon. 

And for businesses selling personal data, the 10,000 threshold and 20% income share is far lower than, for instance, the 25,000/25% in Montana and 25,000/50% in Indiana.

That said, critics of the Delaware Personal Data Privacy law argue that Delaware will find it difficult to enforce the law. 

This is because, unlike other state laws in the US, Delaware’s residents are unable to open a civil action against businesses for individual complaints. Instead, the Department of Justice will issue violation notifications to businesses, who then have 60 days to meet requirements.

Objective of DPDPA

The objective of the Delaware Personal Data Privacy law is to give Delaware’s consumers more control over the personal information that companies collect on them.

 “Delawareans haven’t had the right to even access who has their information, how much information they have on you individually, and also, if there is something wrong with that information, to correct it. But most importantly, to even delete the information.”

- Bill sponsor State Representative Krista Griffith

Preparation Advice for Businesses

Businesses that fall under the scope of the DPDPA should start taking the necessary steps to meet these legal requirements. This may also include:

  • Auditing data collection and privacy practices in relation to Delaware’s internet users
  • Also creating an inventory of any historical personal data collected on these consumers
  • Determining the type of data that your business will likely collect in the future
  • Paying special attention to the personal data related to minors
  • Ensuring your business can also respond quickly to consumer data requests
  • Working with a data privacy advisor to ensure full compliance with DPDPA

Migrate Towards Privacy-first Technologies

The DPDPA is another example of the global trend towards the protection of internet user personal data protection that started with GDPR in 2018. It also continues the philosophical shift that the US is undergoing with regard to data privacy, as it moves from a harm-prevention-based approach to one based on user rights as per GDPR (with real implications for digital marketers).

Put another way, it continues the standardization of strict data privacy standards around the EU model. And like Europe, Delaware’s data enforcement authority will also need time before it can effectively enforce data malpractice.

But given the ever-tightening regulatory framework protecting data privacy, businesses looking to meet their legal obligations should moreover move away from personal data collection as much as possible.

TWIPLA is privacy-by-design, and also complies with all data privacy requirements by default. And at this Maximum Data Privacy Mode, our website analytics platform collects no personal data whatsoever. This keeps your business above board and also your customer data safe.

We provide an all-in-one website intelligence solution, with website statistics also complemented by visitor behavior analytics graphicalization tools and direct visitor communication features.

With TWIPLA, you can start using the website statistics and behavior analytics tools in our free forever plan, and only upgrade to a paid plan once you achieve increasing visitor number thresholds.

Sign up today and identify exactly what you need to do for your website to meet targets.

Get Started for Free

Gain World-Class Insights & Offer Innovative Privacy & Security