State Privacy Laws: Delaware
Delaware Personal Data Privacy Act (DPDPA)
Overview
In September 2023, Delaware became the seventh state in 2023 to enact comprehensive privacy law with the Delaware Personal Data Privacy Act (DPDPA).
Key Dates
- Signed into law: September 11, 2023
- Effective date: January 1, 2025
Thresholds
The DPDPA applies to persons who conduct business in Delaware or produce products or services targeted to Delaware residents (“consumers”) and who, during the preceding calendar year, either:
- Controlled or processed the personal data of at least 35,000 consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction), or
- Controlled or processed the personal data at least 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data.
Consumer Rights
- The right to confirm whether a controller is processing the consumer's data and provide access to the consumer's data
- The right to correct inaccurate personal data of the consumer.
- The right to delete personal data about the consumer.
- The right to obtain a copy of the consumer's personal data (i.e., data portability).
- The right to obtain a list of the categories of third parties to which the controller has disclosed the consumer's personal data.
- The right to opt out of the processing of the consumer's personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
Sensitive Data
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health condition or diagnosis (including pregnancy)
- Sex life, sexual orientation, status as transgender or non-binary
- National origin
- Citizenship status or immigration status
- Genetic or biometric data for the purpose of uniquely identifying an individual
- Precise geolocation data
- Personal data of a known child
Penalties
Up to $10,000 per violation.
Configure Your Consent Banner for DPDPA
Regions are used to customize the behavior and experience based on an individual user’s location. As an example, this allows you to provide different experiences to users based on regional differences (like GDPR in the EU vs. DPDPA in Delaware). When a user visits your site, we will automatically determine their location and will match them to the most granular region rule that you have setup in Concord. This can go down to the state/province level, which allows for different experiences for different laws (like DPDPA in Delaware).
Recommended Consent Settings
Based on the current laws, we recommend the following regional settings:
- Consent Mode: Implied
- Blocking Mode: Strict
- Google Consent Mode V2: Basic
- Consent Duration: 12 months
- Enable Limit Sensitive Information: Enabled
- Enable Do Not Sell Consent: Enabled
- Enable Global Privacy Control: Enabled
For step-by-step instruction on how to configure your consent banner for different geographical regions within the Concord app, see our help document https://www.concord.tech/docs/configure-consent-banner-difference-regions.
Important Note: While you can get as granular as you want, we typically recommend a single global policy that meets the strictest guidelines across regions, or higher splits (like separate GDPR and United States regions). If you have any questions on how and why to configure your regions in certain ways, please reach out to our support team.
