On June 16, 2026, the Delaware State Legislature passed House Bill (HB) No. 380. If signed into law, the bill will amend the Delaware Personal Data Privacy Act (DPDPA). The bill lowers the applicability threshold for DPDPA, expands consumer rights, and establishes new obligations for controllers and third-party recipients of data. The changes would go into effect on January 1, 2027.
In Depth
An expanded definition of “sensitive data”
“Sensitive data” under the DPDPA now includes national origin, mental or physical health treatment or status, transgender or nonbinary treatment, neural data, financial information (such as an account number, log-in information, or payment card information), and government-issued identification numbers.
Perhaps the headline, however, is that sensitive data also now includes inferences made based on personal data to the extent those inferences relate to an otherwise enumerated category of sensitive data.
Updated applicability thresholds
Following the trend of other small states, the bill lowers the DPDPA’s applicability thresholds. The amended act will now apply to any person who conducts business in Delaware or provides products or services to Delaware residents and:
- Controls or processes personal data of 10,000 or more Delaware consumers (down from 35,000);
- Controls or processes personal data of 5,000 or more Delaware consumers (down from 10,000) and derives over 20% of gross revenue from the sale of that data; or
- Is a third party that acquires personal data from a controller.
The addition of a trigger for “third parties,” absent any numeric threshold, will be unique to Delaware. A “third party” is defined as any person other than the consumer, the controller, or a processor or an affiliate of a processor or the controller. There is, however, a continued exemption for any “third party” that is otherwise excluded from the statute (e.g., government entities).
Updated financial institution exemptions
Following the trend in other states, the DPDPA is being amended to narrow the financial institution entity-level exemption. While the data-level Gramm-Leach-Bliley Act (GLBA) exemption remains unchanged, the entity-level exemptions have been limited specifically to banks, credit unions, savings associations, various types of insurers, and their respective affiliates.
The DPDPA will also now expressly exclude agents, broker-dealers, and investment advisors regulated under Delaware or federal securities laws.
Updated health data exemptions
The DPDPA amendments expressly call out a number of health data types as exempt from the reach of the law, including, for example, health information maintained by a manufacturer under 21 C.F.R. 820.3(o) when processed under the Health Insurance Portability and Accountability Act (HIPAA), information subject to the Federal Health Care Quality Improvement Act of 1986, limited data sets under HIPAA, and certain research data.
Added consumer rights
In addition to the rights already set out in the DPDPA, consumers now have the right to:
- Confirm whether the controller has made any inferences about the consumer or is profiling them for a legal or significant effect (e.g., lending, education, employment) and, if so, obtain that data; and
- Obtain a list of third parties to whom their personal data has been disclosed, unless the data is pseudonymous. The list must be specific to the individual unless compiling it would take unreasonable effort, in which case the consumer must be given a list of all third parties to which the controller discloses personal data, or unless the list of third parties would be a trade secret.
While these rights are new to Delaware, they do not necessarily represent new ground in the broader privacy rights rubric that other states have created.
Updated controller obligations
The DPDPA amendments impose several new obligations on controllers, including:
- Processing sensitive personal information only with consumer consent and only where the processing is reasonably necessary and proportionate to the disclosed purpose for the data processing;
- Conducting “reasonable due diligence” on third parties to whom the controller discloses information, which “at a minimum” includes assessing the third party through questionnaires and “review of relevant documents” related to the third party’s ability to comply with applicable law; and
- Not disclosing sensitive data without consumer consent, which must be obtained through clear and conspicuous notice.
Additionally, any controller that discloses “a report” to a third party for use with any decision that produces legal or similarly significant effects must contract with that third party and require them to (i) provide notice of adverse actions, (ii) provide a description of the personal data relied on in making the adverse opinion, (iii) include a statement that the resident can obtain information pursuant to the DPDPA, and (iv) include a statement that the resident may request a human review of the adverse action subject to certain limitations.
Updated obligations of processors
The processor obligations have been updated to require that a processor cooperate with reasonable assessments by the controller, as well as identify each purpose for which the processor processes personal data.
New privacy notice requirements
While not a novel or onerous requirement, controllers must now identify themselves in their privacy notices and provide their contact information.
New requirements for third parties
A new section of the DPDPA has been added that imposes obligations on third parties. A third party is expressly prohibited from processing personal data disclosed to it by a controller or processor without a contract meeting the requirements of the DPDPA. In addition, the third party is required to provide sufficient information to controllers in order for them to assess compliance with the DPDPA.
Updated data protection assessment thresholds and requirements
The threshold for a controller’s obligation to conduct a data protection assessment has been lowered from processing the data of 100,000 or more Delaware consumers down to processing the data of 50,000 or more Delaware consumers.
Moreover, where controllers engage in profiling in furtherance of automated decisions with legal or similarly significant effects, controllers must engage in a risk assessment that evaluates several enumerated factors, such as potential risk to the consumer and a description of safeguards used related to the processing.
Conclusion
If signed into law, HB No. 380’s amendments to the DPDPA will take effect on January 1, 2027. The bill will significantly expand the applicability of controller obligations under the DPDPA and introduce new obligations to third parties.
Businesses should start preparing now to meet these heightened requirements. If you have questions or need assistance with readiness work for new state consumer privacy laws, please contact your regular McDermott Will & Schulte lawyer or one of the authors.