What is DPDPA?

The Delaware Personal Data Privacy Act (DPDPA) is a state law designed to strengthen data privacy and security for Delaware residents. It was enacted to address growing concerns about data breaches and the protection of personal information. The DPDPA was signed into law on September 11, 2023, and went into effect on January 1, 2025. It is separate from the earlier Delaware Data Protection Act, which focused more narrowly on data security and breach notification requirements. The DPDPA requires businesses to implement reasonable security measures to protect personal information and provides a legal framework for addressing data breaches.

Where does the DPDPA apply?

The law applies to businesses that operate in Delaware or target Delaware residents and meet certain thresholds, such as:
- Controlling or processing the personal data of at least 35,000 Delaware residents (excluding data used solely for payment transactions); or
- Controlling or processing the personal data of at least 10,000 Delaware residents and deriving more than 20% of gross revenue from the sale of personal data.

What are some possible reasons for a penalty?

Here are some possible reasons for penalties:
- Failure to Provide Consumer Rights: If a business does not respond to a consumer's request to access, correct, delete, or port their personal data within the required timeframe.
- Non-Compliance with Opt-Out Requests: Consumers have the right to opt out of the sale of their data, targeted advertising, and certain types of profiling. Ignoring these requests is a violation.
- Failure to Notify Authorities or Consumers of a Data Breach: The DPDPA requires businesses to promptly notify consumers and authorities in the event of a data breach that compromises personal data.
- Lack of Transparency: Businesses are required to be transparent about their data practices, and failing to provide this information violates the DPDPA.

Who is liable for a penalty under DPDPA?

Under the Delaware Personal Data Privacy Act (DPDPA), liability for penalties primarily falls on businesses or entities that control or process personal data in violation of the law. Controllers, which determine how and why personal data is processed, are directly responsible for complying with the DPDPA, including honoring consumer rights, ensuring transparency, and maintaining data security. Processors, which handle data on behalf of controllers, can also face penalties if they fail to meet contractual obligations or assist controllers in complying with the law. Third-party vendors and service providers may share liability if they violate the DPDPA or their agreements with controllers.
What are the penalties for Non-Compliance?

- Monetary Fines: The DPDPA authorizes the Delaware Department of Justice to impose civil penalties of up to $10,000 per violation.
- Enforcement Actions: The Delaware Department of Justice can investigate complaints, conduct audits, and take enforcement actions against businesses that fail to comply with the DPDPA.
- Mitigating Factors: Businesses that demonstrate good faith efforts to comply with the DPDPA, such as promptly addressing violations or cooperating with investigations, may receive reduced penalties or avoid fines altogether.
- Legal Costs.

Frequently Asked Questions

How do I obtain consent from individuals under the DPDPA?

Under the DPDPA, obtaining consent is a detailed process that starts by providing individuals with clear, accessible, and comprehensive information about what data will be collected, how it will be processed, the purposes for its use, who it will be shared with, and the duration of its retention. This means presenting the information in plain language (free of legal jargon) so that individuals can easily understand what they are agreeing to. Consent must be explicit and given through an affirmative action, such as checking an opt-in box or clicking an "I agree" button; pre-ticked boxes or implied consent (e.g., through inactivity) are not acceptable.

Additionally, consent should be granular, allowing users to consent to different processing activities separately if needed. It must also be freely given without any form of coercion, and individuals should be informed of their right to withdraw consent at any time, with the withdrawal process being as straightforward as providing consent. Also, organizations should keep records of the consent obtained to demonstrate compliance.

How is the DPDPA enforced?

The DPDPA is enforced by the Delaware Department of Justice, which is responsible for overseeing compliance through both proactive and reactive measures. The Department conducts audits, risk assessments, and investigations based on consumer complaints, ensuring that organizations adhere to the data protection standards set forth by the Act. When violations are detected, the Delaware Department of Justice has the authority to impose fines, corrective action orders, and other penalties to enforce compliance and protect individuals' data privacy rights.

How do I make my business compliant with the DPDPA?

Making your business compliant with the DPDPA is really about taking a few practical steps. Start by mapping out all the personal data you collect—what you gather, how you process it, where you store it, and who you share it with. Once you have that clear picture, update your privacy policies and consent forms so they're easy to understand and accurately explain how the data is used. It’s also important to put robust security measures in place and set up clear procedures for handling requests from individuals who want to access, update, or delete their information. Regular training for your team and routine checks can keep everything running smoothly.

Shopify merchants can streamline compliance by leveraging tools like Consentmo, which offers automated solutions for managing cookie consent, generating privacy notices, and processing data subject requests.