Delaware DPDPA - Privacy & Children's Data Protection | ConsentStack

Back to Regulations Guide

Key Facts

Effective Date

January 1, 2025

Enacted

September 11, 2023

Enforcing Authority

Delaware Attorney General (Department of Justice)

Consent Model

Opt-out

Fulfillment Time

45 days

Applies To

Entities in DE or targeting DE residents: 35,000+ consumers OR 10,000+ consumers and 20%+ revenue from selling PI

Overview

Delaware's DPDPA features the broadest children's age protection among US state privacy laws — requiring opt-in consent for sale and targeted advertising of data from anyone under 18. It also has lower applicability thresholds (35,000/10,000) than most states and must honor universal opt-out mechanisms.

What This Means for Your Website

GPC/universal opt-out signals must be honored
Under 18: opt-in consent required for sale and targeted advertising (broadest age threshold)
Opt-in consent required for sensitive data
The cure period (60 days) sunsets December 31, 2025
The AG can seek restitution and disgorgement in addition to penalties

Key Requirements

The Delaware AG enforces the DPDPA with penalties up to $10,000 per violation, plus injunctive relief, restitution, and disgorgement. Consumer requests must be fulfilled within 45 days. Lower thresholds mean more businesses are captured than in most states.

How ConsentStack Handles This

ConsentStack detects Delaware visitors, honors GPC signals, and applies enhanced protections for under-18 visitors by blocking data sale and targeted advertising.

Penalties

Up to $10,000 per violation; plus injunctive relief, restitution, and disgorgement.

Maximum Fine

USD10,000 per violation

Key Requirements

Honor GPC/universal opt-out signals
Opt-in consent for sensitive data
Parental consent for children's data
Consumer rights: access, correct, delete, portability, opt-out
Data protection assessments for high-risk processing

Notable Provisions

Broadest children protection — under 18 opt-in for sale/advertising
Lower thresholds (35,000/10,000)
Cure period sunsets December 2025
AG can seek restitution and disgorgement

US State Specifics

Cure Period

60 days

Private Right of Action

No

Global Opt-out Required

Yes

Sensitive Data Opt-in

Yes

Children Provisions

Under 18: opt-in required for sale and targeted advertising — broadest age threshold among US states.

Other North America Regulations

CPRACalifornia, United States

The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.

PIPEDACanada (Federal)

Canada's federal private-sector privacy law based on 10 fair information principles. Requires express consent for sensitive data and implied consent for less sensitive data. OPC guidance addresses cookies and online behavioral advertising. The CPPA replacement bill died January 2025; a new bill is expected.

Quebec Law 25Quebec, Canada

The most GDPR-like privacy law in the Americas. Requires explicit, granular consent per purpose before deploying ANY tracking technology. Implied consent is explicitly prohibited for cookies and tracking. Features extraterritorial scope, mandatory PIAs, and GDPR-level penalties (4% worldwide turnover). The strictest cookie consent requirements in North America.

TDPSATexas, United States

The TDPSA is the broadest US state privacy law — no revenue thresholds and no minimum consumer data volume thresholds. Applies to any non-small-business processing personal data of Texas residents. Must honor GPC signals since January 2025. This breadth means far more businesses are captured than under any other state law.

CPAColorado, United States

Colorado's CPA features the highest per-violation penalties among US state privacy laws at $20,000. Must honor GPC signals since July 2024. Participated in a joint GPC enforcement sweep with California and Connecticut in September 2025. The cure period was eliminated in January 2025.

MODPAMaryland, United States

The most restrictive US state privacy law. Sensitive data may only be processed when strictly necessary to deliver a requested service — and sale of sensitive data is completely prohibited even with consent. Under-18 sale and targeted advertising are prohibited regardless of consent. Strictest data minimization in the US.

Frequently Asked Questions

What makes Delaware's children protection unique?

Delaware has the broadest age threshold among US states — requiring opt-in for sale and targeted advertising for anyone under 18, not just under 13.

Does Delaware require GPC signal honoring?

Yes. ConsentStack automatically detects and honors GPC signals for Delaware visitors.

What are the Delaware DPDPA penalties?

Up to $10,000 per violation, plus injunctive relief, restitution, and disgorgement.

Stay compliant with DPDPA

ConsentStack helps you implement Opt-out consent for Delaware, United States automatically.