# Delaware Privacy Law (DPDPA) Compliance Guide for Small Businesses > Delaware DPDPA has some of the lowest thresholds in the US: 35,000 consumers, no revenue minimum, and a 20% data sale revenue trigger with just 10K consumers. _Published 2026-04-07 by Nikolas_ # Delaware Privacy Law (DPDPA): What Small Businesses Need to Know The Delaware Personal Data Privacy Act (DPDPA) took effect January 1, 2025, and applies to any business processing the personal data of **35,000 or more Delaware consumers** in a calendar year — with **no annual revenue threshold**. The secondary trigger is among the most expansive in the country: businesses processing data of just **10,000 Delaware consumers** and deriving **20% or more** of revenue from data sales are also in scope. Combined, Delaware has some of the lowest privacy law thresholds in the United States, alongside Connecticut, New Hampshire, Maryland, and Rhode Island. The Delaware Attorney General is the sole enforcement authority. --- ## Does DPDPA Apply to My Business? DPDPA applies to any person that conducts business in Delaware or produces products or services targeted to Delaware residents AND meets one of two thresholds: - Controls or processes personal data of **35,000 or more Delaware consumers** during a calendar year (excluding personal data processed solely to complete a payment transaction), OR - Controls or processes personal data of **10,000 or more Delaware consumers** AND derives **more than 20%** of gross revenue from the sale of personal data. The threshold logic is **OR** — only one needs to be met. The 20% data sale revenue threshold combined with 10,000 consumers is one of the lowest combined thresholds in any US state privacy law. | Threshold | Delaware DPDPA | CCPA/CPRA | Texas TDPSA | |-----------|----------------|-----------|-------------| | Revenue | None | $25M+ | None | | Consumer count | **35,000** | 100,000 | 100,000 | | Data sale alternative | **10K + 20%** | 50% revenue share | 25K + 50% | | Threshold logic | OR | OR | OR | Delaware accounts for roughly 0.3% of the US population — the smallest in absolute population among states with privacy laws. Reaching 35,000 Delaware consumers from a national e-commerce store typically requires significant volume. But the 10,000 + 20% data sale path is a much lower bar and can apply to mid-size businesses with ad tech monetization. --- ## What Does DPDPA Require? DPDPA grants Delaware consumers a comprehensive set of rights and includes several provisions specifically protecting children and minors that go beyond most state privacy laws. **Consumer rights you must honor.** Delaware consumers may access, correct, delete, and port their personal data, and opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects. Response deadline is 45 days, with one possible extension. **Disclosures you must publish.** Privacy notice covering categories of data, purposes, third-party sharing, rights and appeal processes. **Operational practices you must implement.** Conduct data protection assessments for high-risk processing. Obtain opt-in consent before processing sensitive personal data. Implement reasonable security practices. Honor universal opt-out signals. Provide enhanced protections for children and adolescents — including limits on processing personal data of consumers known to be 13-17 without consent for targeted advertising, sale, or profiling purposes. --- ## How DPDPA Affects Small Businesses Delaware's low thresholds mean it catches more mid-size businesses than its small population would suggest. The 10,000-consumer-plus-20%-data-sale path is the more aggressive trigger and applies to many businesses with meaningful ad tech revenue, even at modest customer volumes. The children's data protections are the second operational issue worth understanding. If your store has any reason to know that a consumer is between 13 and 17, you must obtain consent before processing their data for targeted advertising, sale, or profiling. This requires age detection or self-identification mechanisms that many e-commerce stores have not built. For nationally distributed Shopify merchants, the practical takeaway: Delaware is a "low threshold" state alongside Connecticut, New Hampshire, Maryland, and Rhode Island. If you are in scope under any of those laws, assume you may be in scope in Delaware as well. --- ## Key Differences from Other State Privacy Laws DPDPA is most comparable to Connecticut CTDPA, New Hampshire NHPA, Maryland MODPA, and Rhode Island RIDPPA — all states with 35,000-consumer thresholds and no revenue floor. Among this group, Delaware has the lowest secondary threshold (10,000 consumers + 20% data sale revenue). Compared to Virginia VCDPA, Delaware's threshold is dramatically lower (35,000 vs 100,000) and Delaware adds explicit children's protections. Compared to California CCPA/CPRA, Delaware lacks a private right of action and has no dedicated enforcement agency, but Delaware's consumer-count threshold is much lower. Compared to Texas TDPSA, Delaware has no SBA small business exemption and applies at much lower volumes. --- ## How to Comply with DPDPA 1. **Confirm scope at the lower threshold.** Calculate Delaware consumer count from analytics and customer records. Treat 35,000 as the trigger, or 10,000 if 20%+ of revenue comes from data sales. 2. **Update your privacy notice.** Disclose categories, purposes, third-party sharing, rights, and appeals process. 3. **Implement automatic universal opt-out signal handling.** Detect Global Privacy Control browser headers and apply opt-out preferences automatically. 4. **Add explicit opt-out mechanisms** for targeted advertising, sale of personal data, and profiling. 5. **Build a consumer rights request workflow** with 45-day response tracking. 6. **Build a denial appeals process** with timely written response. 7. **Implement opt-in consent for sensitive data**, including the categories enumerated in the statute. 8. **Build children's data protections.** If you have reason to know a consumer is 13-17, obtain consent before processing for targeted advertising, sale, or profiling. 9. **Conduct data protection assessments** for high-risk processing activities. 10. **Document reasonable security practices** appropriate to data volume. --- ## DPDPA Enforcement and Penalties The Delaware Attorney General has exclusive enforcement authority for DPDPA. There is no private right of action — Delaware consumers cannot sue businesses directly. The AG may seek civil penalties under Delaware's existing consumer protection statutes, with penalties up to **$10,000 per violation**. DPDPA includes a 60-day cure period for violations during the first 18 months after the law's effective date (until December 31, 2025), after which the cure period becomes discretionary. Businesses notified of violations during the cure-period window have a clear path to avoid enforcement by acting within 60 days. --- ## Frequently Asked Questions ### What are Delaware's privacy law thresholds? Delaware's DPDPA has some of the lowest thresholds in the country: 35,000 Delaware consumers (matching Connecticut) with no revenue threshold, or just 10,000 Delaware consumers if 20% or more of revenue comes from data sales. The 10,000 + 20% combination is one of the most expansive secondary thresholds in any US state privacy law. ### When did Delaware DPDPA take effect? Delaware DPDPA took effect January 1, 2025. The Delaware Attorney General is the sole enforcement authority. ### Does DPDPA require honoring universal opt-out signals? Yes. DPDPA requires covered businesses to honor universal opt-out mechanisms, including the Global Privacy Control browser signal. This is a technical implementation requirement. ### What children's protections does DPDPA include? DPDPA prohibits processing personal data of consumers known to be 13-17 for purposes of targeted advertising, sale of personal data, or profiling without consent. This is a more expansive protection than most state privacy laws, which typically only address children under 13. ### What are the penalties for DPDPA violations? The Delaware AG can seek civil penalties of up to $10,000 per violation under Delaware's consumer protection statutes. There is no private right of action. A 60-day cure period applied during the first 18 months after the law's effective date, after which cure opportunities are discretionary. ### Does DPDPA apply if my business is not based in Delaware? Yes. DPDPA applies based on where your consumers are located, not where your business is incorporated. If you process data from 35,000 or more Delaware consumers annually — or 10,000 with 20%+ data sale revenue — DPDPA applies regardless of your business location. --- **Check if DPDPA applies to your business →** [Take the free 5-minute quiz](https://app.getpurview.com/quiz) *This guide is for informational purposes only and does not constitute legal advice. Last updated: April 2026.* ---