Delaware
Code/Regulations
Effective Date: January 1, 2025
Details
Threshold
Persons that who conduct business in Delaware or persons that produce products or services that are targeted to residents of Delaware and that during the preceding calendar year did any of the following:
(1) Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
(2) Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data
Definition of "Personal Data"
Any information that is linked or reasonably linkable to an identified or identifiable individual. Does not include de-identified data or publicly available information. Personal data does not include data from people acting in an employment or commercial context.
Definition of "Sensitive Data"
As with all state general privacy laws, includes the following Personal Data:
- Race or ethnic origin;
- Religious beliefs;
- Citizenship or immigration status;
- Genetic data;
- Biometric data;
- Physical or mental health diagnosis; and
- Sexual orientation.
In addition, Delaware's definition also includes:
- Sex life;
- Precise geolocation data;
- Personal data of a known child; and
- Status as transgender or nonbinary.
Definition of "Sale"
Exchange of personal data for monetary or other valuable consideration by the controller to a third party
Data-Protection Assessments
Requires a controller "that controls or processes the data of not less than 100,000 consumers, excluding data controlled or processed solely for the purpose of completing a payment transaction" to conduct and document data protection assessments "for each of the controller's processing activities" presenting a heightened risk of harm to a consumer, which includes targeted advertising, sale, sensitive data, certain profiling
Opt-In Consent Required for Processing Sensitive Data
Consumer Rights to Confirm Processing, Request Access, Correction, Deletion & Portability
Yes
Consumer Right to Opt Out of Sale
Yes
Consumer Right to Opt Out of Targeted Ads
Yes
Consumer Right to Opt Out of Profiling
Yes
Pseudonymous Data Exempt from Consumer Requests
Yes
Appeal Rights
Yes
Universal Opt-Out Mechanism Required Recognition/Date
Yes, no later than January 1, 2026
Data of Minors
A controller is prohibited from processing the personal data of a consumer for the purposes of targeted advertising or the sale of consumer's personal data without the consumer's consent where a controller has actual knowledge or willfully disregards that the consumer is at least 13 years of age but younger than 18 years of age.
GLBA Exemption
Yes (both entity-level and data level)
HIPAA Exemption
Yes (data-specific)
Applies/Does Not Apply to Personal Information in a Commercial or Employment Context
Does not apply to commercial or employment context; applies in an individual or household context
Nonprofit Exemption
No
Private Right of Action
No
Cure Period
60 Days
Cure Period Expiration
December 31, 2025
Enforcement Authority/Damages
DE Dept. of Justice Bureau of Consumer Protection/refers to Delaware Code provision (29 DE Code § 2522) that provides for penalties of up to $10,000 per violation.
Disclaimer: States may periodically amend their laws and regulations and such amendments may affect or modify certain legal requirements or compliance obligations. There is no guarantee that this research is up to date as laws and regulations in the state consumer data privacy space continue to evolve. You should consult an attorney to assess the applicability of any existing, new, or proposed state consumer data privacy laws. By accessing this site, you acknowledge your understanding that the underlying content is not a replacement for legal counsel and does not constitute legal advice.