Delaware DPDPA and analytics
Delaware's Personal Data Privacy Act (DPDPA), effective 1 January 2025, grants residents rights to access, correct, delete, and obtain a copy of personal data and to opt out of targeted advertising, sale, and certain profiling. It has relatively low applicability thresholds and requires controllers to recognise universal opt-out mechanisms. Analytics on Delaware visitors can touch these rights. This is educational, not legal advice.
What this means
The DPDPA follows the consumer-rights template (access, correction, deletion, portability, opt-out of sale, targeted advertising, and profiling with legal or similarly significant effects) and notably sets lower applicability thresholds than many states, so it can reach smaller businesses. Controllers must recognise universal opt-out signals such as the Global Privacy Control. Certain entities and data categories are exempt.
Why it touches analytics
First-party analytics confined to measuring your own site usually avoids the sale and targeted-advertising triggers. The opt-out and universal-signal duties bite when measurement powers cross-context behavioural advertising or shares identifiers with third parties for value. Because Delaware also requires honouring browser opt-out signals, your consent and analytics stack should be able to read and act on the GPC. Minimised, first-party measurement keeps exposure low.
Confirm thresholds and exemptions against the current statute.
- Effective 1 January 2025 with lower thresholds
- Opt-out of sale, targeted ads, and profiling
- Must recognise universal opt-out signals (GPC)
How it appears in analytics and logs
If your analytics feeds targeted advertising or sale for Delaware visitors, the DPDPA's opt-out and universal-signal duties apply; first-party measurement is lighter.
Diagnostic use case
Check whether analytics supports Delaware residents' opt-out of sale, targeted advertising, and profiling, plus access, correction, and deletion rights.
What WebmasterID can help detect
WebmasterID's first-party, minimised model avoids selling data or building cross-context ad profiles, narrowing the DPDPA rights analytics must service.
Common mistakes
- Assuming small businesses fall below Delaware's thresholds.
- Ignoring universal opt-out (GPC) recognition.
- Treating first-party measurement as a 'sale' by default.
Privacy and accuracy notes
This page is educational, not legal advice. First-party, aggregated measurement that avoids sale and targeted ads reduces DPDPA exposure.
Related pages
- US state privacy laws overview
In the absence of a single federal privacy statute, several US states have enacted comprehensive consumer privacy laws with overlapping but non-identical rules. Most grant access, deletion, and correction rights and require opt-outs for targeted advertising and 'sale'. This page gives an educational overview of the common pattern and how it touches analytics.
- Global Privacy Control: legal status
Global Privacy Control (GPC) is a specification that lets a browser or extension send a machine-readable opt-out signal to every site. Unlike the older Do Not Track, GPC has been given legal teeth in some US states: California's Attorney General and the CPPA have stated that GPC must be honoured as a valid do-not-sell-or-share request. This page summarises its status.
- Do Not Sell or Share my personal information
Under California's CCPA as amended by the CPRA, consumers can direct a business not to sell or share their personal information, where 'sharing' specifically covers disclosure for cross-context behavioural advertising. Businesses must offer a clear opt-out and honour opt-out signals. This page explains the right and how analytics and ad tags can fall within 'sharing'.
- Privacy-first analytics
First-party measurement avoids DPDPA sale and ad triggers.
Sources and verification notes
- Delaware General Assembly — HB 154 (Personal Data Privacy Act)Official bill record for the DPDPA. Educational, not legal advice.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.