What the DPDPA does for you

Under the Delaware Personal Data Privacy Act (DPDPA), you have the right to know what personal data businesses collect about you, correct errors, request deletion, and get a portable copy of your data. You can also opt out of your data being sold, used for targeted ads, or used in automated profiling. These rights apply to Delaware residents, and businesses that violate them can be investigated and prosecuted by the Delaware Department of Justice.

Your rights under the DPDPA

Right to Know

You have the right to confirm whether a business is processing your personal data and to access that data. You can also request a list of the categories of third parties to whom the business has disclosed your personal data.

Exceptions: Does not apply if confirming or providing access would require the controller to reveal a trade secret; Does not apply to de-identified or pseudonymous data where the controller cannot reasonably link the data to you; Does not apply to data excluded from the law's scope (e.g., HIPAA-covered health data, FCRA-regulated data).

Source: Del. Code tit. 6, § 12D-104(a)(1), (a)(5)

Right to Delete

You can request that a business delete personal data it has collected from you or about you. This applies to data you provided as well as data the business obtained from other sources.

Exceptions: A controller that obtained your data from another source may comply by retaining a minimal record of the deletion request to ensure data stays deleted; Does not apply where compliance would violate an evidentiary privilege; Does not apply to data needed to comply with federal or state law, law enforcement, legal claims, or security/fraud prevention; Does not apply to de-identified or pseudonymous data that cannot be linked back to you.

Source: Del. Code tit. 6, § 12D-104(a)(3), § 12D-104(c)(5), § 12D-110

Right to Correct

You have the right to ask a business to fix inaccuracies in the personal data it holds about you, taking into account the nature of the data and how it is used.

Exceptions: Does not apply to de-identified or pseudonymous data the controller cannot link to you.

Source: Del. Code tit. 6, § 12D-104(a)(2)

Right to Opt Out of Sales

You can opt out of a business selling your personal data to third parties for monetary or other valuable consideration. Businesses that sell personal data must clearly disclose this and provide an easy way to opt out.

Exceptions: Does not apply to transfers to processors acting on the controller's behalf; Does not apply to disclosures to provide a product or service you requested; Does not apply to disclosures to affiliates; Does not apply to disclosures you directed or where you intentionally interacted with a third party; Does not apply to data you intentionally made public without restricting the audience; Does not apply to transfers in mergers, acquisitions, or bankruptcy.

Source: Del. Code tit. 6, § 12D-104(a)(6)b., § 12D-102(29)

Right to Opt Out of Processing

You can opt out of your personal data being used for targeted advertising — ads selected based on your activities tracked across different websites and apps over time.

Exceptions: Does not apply to ads based on your activity within the same controller's own website or app; Does not apply to ads based on your current search query or website visit context; Does not apply to ads in direct response to your request for information; Does not apply to processing solely to measure or report ad performance.

Source: Del. Code tit. 6, § 12D-104(a)(6)a., § 12D-102(33)

Right to Opt Out of Automated Decisions

You can opt out of your personal data being used in purely automated profiling that produces decisions with significant legal or similarly important effects on you — such as decisions about loans, insurance, housing, employment, education, health care, or access to essential goods and services.

Exceptions: Only applies to solely automated decisions — human review may limit applicability; Applies only where decisions produce legal or similarly significant effects as defined in the statute.

Source: Del. Code tit. 6, § 12D-104(a)(6)c., § 12D-102(13), § 12D-102(25)

Right to Data Portability

You can request a copy of your personal data in a portable, easy-to-use format so you can transfer it to another company, where the processing is done by automated means.

Exceptions: Only applies where processing is carried out by automated means; Controller is not required to reveal trade secrets; Does not apply to de-identified or pseudonymous data the controller cannot link to you.

Source: Del. Code tit. 6, § 12D-104(a)(4)

Right to Non-Discrimination

A business cannot discriminate against you for exercising your privacy rights. This means they cannot deny you goods or services, charge you different prices, or give you a lower quality of service just because you made a privacy request.

Exceptions: Businesses may offer different prices or features if you voluntarily join a bona fide loyalty, rewards, discounts, or club card program; Businesses are not required to provide a service that inherently requires personal data they do not collect.

Source: Del. Code tit. 6, § 12D-106(a)(8), § 12D-106(b)

Right to Limit Sensitive Data

Businesses must obtain your consent before processing your sensitive personal data — which includes information about your race, ethnicity, religion, health, pregnancy, sex life, sexual orientation, transgender or nonbinary status, citizenship or immigration status, genetic or biometric data, precise location, or data about known children.

Exceptions: Controllers and processors that comply with COPPA's verifiable parental consent requirements are deemed compliant for children's data; Some sensitive data categories are excluded from the law's scope entirely (e.g., HIPAA-covered health data).

Source: Del. Code tit. 6, § 12D-106(a)(4), § 12D-102(30)

How to exercise your rights

1. See which data brokers have your information. Optery scans 200+ brokers to show you what’s exposed. Start a free scan →
2. Submit a DPDPA deletion or opt-out request. Covered businesses have 45 days to respond (Del. Code tit. 6, § 12D-104(c)(1), (c)(4)), with up to 45 additional days if they invoke the extension provision.
3. Let Optery automate the whole process. We submit opt-out and deletion requests on your behalf, track compliance, and resubmit whenever brokers re-add your data. Sign up free →

Authorized agents

The DPDPA mentions authorized agents only in the context of opt-out requests (6 Del. C. § 1201 et seq.). Data brokers may choose to — but are not required to — honor deletion requests submitted by an authorized agent. In practice, many brokers do accept agent-submitted deletion requests. Optery handles both types on your behalf where permitted.

Enforcement and penalties

The DPDPA is enforced by Delaware Department of Justice. The Delaware Department of Justice enforces the DPDPA. Violations are treated as unlawful practices under Delaware consumer protection law. From the effective date through December 31, 2025, businesses must be given a 60-day notice and opportunity to cure a violation before the DOJ can bring an enforcement action. Starting January 1, 2026, the DOJ has discretion on whether to offer a cure period. There is no private right of action — only the DOJ can sue.

Who does the DPDPA apply to?

The DPDPA applies to businesses that operate in Delaware or target Delaware residents, and that during the prior year either (1) processed the personal data of at least 35,000 consumers (not counting payment-transaction-only data), or (2) processed the data of at least 10,000 consumers AND earned more than 20% of their gross revenue from selling personal data. State and local government bodies, financial institutions covered by Gramm-Leach-Bliley, certain nonprofits, and securities/futures associations are excluded.

Frequently asked questions

Who does the Delaware Personal Data Privacy Act apply to?

The DPDPA covers businesses that operate in Delaware or target Delaware residents and that processed the personal data of at least 35,000 consumers in the prior year, or at least 10,000 consumers while earning more than 20% of gross revenue from selling personal data (Del. Code tit. 6, § 12D-103(a)). Government bodies, GLBA-covered financial institutions, and certain nonprofits are excluded.

How do I make a request to access, delete, or correct my data?

You can submit a request through the secure method described in the business's privacy notice — businesses are required to establish one or more reliable ways for you to submit requests (Del. Code tit. 6, § 12D-106(e)). The business must respond within 45 days and can extend by another 45 days if needed for complex requests (Del. Code tit. 6, § 12D-104(c)(1)).

Can I use an authorized agent to opt out on my behalf?

Yes, but only for opt-out requests. You can designate an authorized agent — including through a browser setting, browser extension, or other platform — to opt out of the sale of your data, targeted advertising, and automated profiling on your behalf (Del. Code tit. 6, § 12D-104(b); § 12D-105). Authorized agents cannot submit deletion or data-access requests on your behalf under this law.

What happens if a business violates my privacy rights?

The Delaware Department of Justice has the authority to investigate and prosecute violations (Del. Code tit. 6, § 12D-111(a)). Through the end of 2025, businesses must be given a 60-day notice to fix a violation before enforcement can begin (Del. Code tit. 6, § 12D-111(b)). There is no private right of action, meaning you cannot personally sue a company under this law (Del. Code tit. 6, § 12D-111(d)).

If a business denies my request, can I appeal?

Yes. Businesses are required to have a conspicuous appeal process that is similar to how you submitted your original request (Del. Code tit. 6, § 12D-104(d)). The business must respond to your appeal within 60 days with a written explanation. If your appeal is denied, the business must provide you with a way to submit a complaint to the Delaware Department of Justice.

Official resources

• Full statute text (HB 154)
• Delaware Attorney General’s office