Delaware Data Privacy Law for Healthcare: DPDPA Compliance Guide for Providers
DPDPA Overview and Effective Date
The Delaware Personal Data Privacy Act (DPDPA) is Delaware’s comprehensive consumer privacy statute governing how organizations collect, use, disclose, and retain personal data about Delaware residents. For healthcare organizations it operates alongside HIPAA, covering data and activities that HIPAA does not reach. The statute took effect on January 1, 2025 and is enforceable by the state.
DPDPA adopts the controller/processor model: a “controller” determines the purposes and means of processing, while a “processor” acts on documented instructions. The law includes heightened protections for minors and Sensitive Personal Information, requires opt-in Data Processing Consent for sensitive data, and mandates risk-based governance such as Data Protection Impact Assessments. You may also see the phrase Delaware Personal Data Protection Act used informally to describe this framework.
Private lawsuits are not authorized; instead, the Delaware Department of Justice leads enforcement. As a result, your compliance posture should be designed to withstand regulatory scrutiny, demonstrate accountability, and show prompt remediation when issues arise.
Applicability Criteria for Healthcare Providers
DPDPA applies to entities that conduct business in Delaware or target products or services to residents and that, in the preceding calendar year, controlled or processed the personal data of at least 35,000 consumers (excluding data processed solely to complete a payment transaction), or of at least 10,000 consumers while deriving more than 20 percent of gross revenue from the sale of personal data. While many state laws exclude nonprofits, Delaware’s coverage is broader, so nonprofit hospitals and health systems may fall within scope depending on the volume and nature of their processing. “Consumer” generally does not include people acting in an employment or commercial B2B context.
You are likely in scope if you: offer care or digital health services to Delaware residents at scale; operate patient portals, apps, or telehealth platforms that profile or target users; or derive revenue from selling or sharing personal data. Payment-only processing is typically carved out, but analytics, advertising, and cross-context behavioral tracking are squarely within view.
Vendors are captured too. If you act as a processor for a covered provider—EHR vendors, RPM platforms, billing services, marketing technology providers—you must execute contracts with required terms and implement security, confidentiality, and deletion obligations aligned to controller instructions.
Exemptions Relevant to Healthcare
HIPAA Exemption: Protected health information (PHI) processed by HIPAA covered entities or business associates is exempt from DPDPA’s core obligations. However, PHI-adjacent and consumer-facing data often remain in scope—think website cookies, mobile app telemetry, patient acquisition campaigns, call recordings for scheduling, newsletter lists, or wellness program data not maintained as PHI.
Additional carve-outs commonly relevant to healthcare include: public health reporting; certain research conducted under recognized ethical or human-subjects standards; data processed by government entities; and information already governed by sectoral laws (for example, some financial records under GLBA). These exemptions are purpose-bound—once processing moves beyond the exempt use, DPDPA obligations can reattach.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Definition and Scope of Sensitive Data
DPDPA treats Sensitive Personal Information with special care. For healthcare settings, this category includes personal data revealing physical or mental health conditions or diagnoses, medical treatments, genetic or biometric identifiers used for identification, precise geolocation, sexual orientation, and data about a known child. Processing this data requires clear, affirmative Data Processing Consent.
Consent must be specific, informed, freely given, and unambiguous: no pre-checked boxes or bundled permissions. Provide granular choices separate from general terms and conditions, maintain consent logs, allow withdrawal that is as easy as granting consent, and avoid dark patterns. Extra protections apply to teens: targeted advertising and the sale of personal data about consumers the controller knows are ages 13–17 generally require opt-in consent.
Consumer Rights Under DPDPA
DPDPA grants robust Consumer Data Access Rights. Consumers can: confirm whether you process their data; access their personal data; correct inaccuracies; delete personal data; obtain a portable copy in a usable format; and opt out of targeted advertising, the sale of personal data, and certain forms of automated profiling that produce legal or similarly significant effects.
Controllers must offer at least two easy-to-use request methods, authenticate the requester, and respond without undue delay and within the statutory window (45 days, extendable once by a further 45 days where reasonably necessary), with a documented appeals process if a request is denied. Honor opt-out preferences consistently across systems and, once the statute’s universal opt-out provisions apply (January 1, 2026), recognize user-enabled opt-out signals such as Global Privacy Control. Discrimination against consumers for exercising their rights is prohibited.
Compliance Requirements for Healthcare Providers
Build a right-sized compliance program
- Data mapping: distinguish PHI from non-PHI consumer data across websites, apps, CDPs, CRMs, and ad-tech partners.
- Purpose limitation and minimization: collect only what you need for defined care, operations, and marketing purposes; set retention limits you actually follow.
- Notices: publish clear privacy notices that explain purposes, categories, sharing, Consumer Data Access Rights, and how to exercise them.
- Consent and preferences: implement a consent management platform to capture and honor Data Processing Consent for Sensitive Personal Information and teen protections.
- Contracts: execute controller–processor agreements defining instructions, confidentiality, subprocessor controls, audits, return/deletion, and assistance with rights requests and security incidents.
- Security: apply risk-based administrative, technical, and physical safeguards; encrypt sensitive data; deploy role-based access; monitor vendors.
- Data Protection Impact Assessments: conduct DPIAs for high-risk processing (e.g., targeted ads, sale of data, large-scale profiling, sensitive data) and retain documentation.
- Rights operations: establish intake channels, verification workflows, fulfillment SLAs, and a formal appeals process with tracking and metrics.
- Children and teens: align with COPPA for under-13 data and apply DPDPA opt-in for ages 13–17 where applicable.
- Training and governance: assign ownership, train staff who touch personal data, and adopt a crosswalk showing how HIPAA and DPDPA controls work together.
DPIAs you are likely to need
- Advertising/retargeting that uses patient or visitor data outside PHI.
- Location-based services in clinics, urgent care, or telehealth apps.
- Biometric identity verification (e.g., facial or voice templates).
- Automated triage or eligibility tools that could materially affect individuals.
Operational tips for HIPAA–DPDPA harmonization
- Tag systems and data sets as PHI, non-PHI, or mixed; route each to the appropriate rule set.
- Use separate consent surfaces for marketing and analytics, distinct from care consents.
- Limit downstream disclosures to processors under contract; avoid “sale” triggers by disabling cross-context tracking where not consented.
- Centralize opt-out and deletion choices across web, mobile, and vendor platforms.
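The opt-out handling described under Consumer Rights and in the harmonization tips above can be made concrete. The following Python is an added example written for this page, not code from the statute, the page’s author, or any vendor. It assumes a hypothetical central preference record (`Preferences`) shared by web, mobile, and vendor feeds, and it reads the real Global Privacy Control browser signal (`Sec-GPC: 1`). Mapping that signal to targeted advertising and sale, the purpose strings, and the teen and sensitive-data gates are modelling assumptions, not statutory text.

```python
"""Added example: honoring opt-out signals and consents from one central record.
Hypothetical model for illustration; purpose names and schema are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

# Purposes a consumer may opt out of under DPDPA (assumed naming).
OPT_OUT_PURPOSES = {"targeted_advertising", "sale", "profiling"}
# Assumption: a universal opt-out signal covers targeted advertising and sale;
# a profiling opt-out still arrives as an explicit request.
SIGNAL_PURPOSES = {"targeted_advertising", "sale"}


@dataclass
class Preferences:
    """Central record that every channel (web, mobile, vendor feeds) consults."""
    consumer_id: str
    opted_out: set[str] = field(default_factory=set)
    sensitive_consent: bool = False   # affirmative Data Processing Consent on file
    under_18: bool = False            # controller has actual knowledge of a 13-17 consumer
    teen_consent: bool = False        # opt-in for teen targeted ads / sale, if collected
    # Audit trail of (timestamp, purpose, source) so a regulator can see how a choice arrived.
    history: list[tuple[str, str, str]] = field(default_factory=list)

    def opt_out(self, purpose: str, source: str) -> None:
        if purpose not in OPT_OUT_PURPOSES:
            raise ValueError(f"{purpose!r} is not an opt-out purpose")
        self.opted_out.add(purpose)
        ts = datetime.now(timezone.utc).isoformat()
        self.history.append((ts, purpose, source))


def gpc_signal_present(headers: dict[str, str]) -> bool:
    """True when the request carries Global Privacy Control (header Sec-GPC: 1).
    Header names are matched case-insensitively; any value other than "1" is no signal."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_signal(headers: dict[str, str], prefs: Preferences) -> bool:
    """Persist a GPC signal into the central record so downstream channels see it.
    Returns True when the record changed (idempotent on repeat requests)."""
    if not gpc_signal_present(headers):
        return False
    changed = False
    for purpose in sorted(SIGNAL_PURPOSES):
        if purpose not in prefs.opted_out:
            prefs.opt_out(purpose, source="gpc")
            changed = True
    return changed


def decide(requested: list[str], headers: dict[str, str],
           prefs: Preferences, sensitive: bool) -> dict[str, bool]:
    """Decide, per requested purpose, whether processing may proceed.
    Order of checks: recorded/signal opt-out, teen opt-in gate, sensitive-data consent gate."""
    apply_signal(headers, prefs)  # side effect: records the signal centrally
    decision: dict[str, bool] = {}
    for purpose in requested:
        if purpose in prefs.opted_out:
            decision[purpose] = False
        elif purpose in SIGNAL_PURPOSES and prefs.under_18 and not prefs.teen_consent:
            decision[purpose] = False
        elif sensitive and not prefs.sensitive_consent:
            decision[purpose] = False
        else:
            decision[purpose] = True
    return decision


if __name__ == "__main__":
    # Constructed sample: a visitor whose browser sends GPC and who has no prior record.
    record = Preferences(consumer_id="visitor-123")
    print(decide(["targeted_advertising", "analytics"], {"Sec-GPC": "1"}, record, sensitive=False))
    print(record.history)
```

Because `decide` writes the signal into the same record that mobile and vendor integrations read, a choice expressed once in a browser follows the consumer across channels, and the history list gives the documentation the enforcement section says regulators will expect.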
Enforcement and Penalties
DPDPA is enforced exclusively by the state: the Delaware Department of Justice has sole enforcement authority, with investigative powers, civil penalties, and injunctive relief available, and there is no private right of action. Through December 31, 2025 the statute gave controllers a 60-day period to cure a violation after notice; after that date an opportunity to cure is at the Department’s discretion, so prompt, documented remediation and relief for affected consumers still weigh in your favor.
Penalties can apply on a per-violation basis and escalate for willful, repeated, or systemic noncompliance. Expect scrutiny of teen protections, Sensitive Personal Information handling, opt-out signal honoring, transparency, and the sufficiency of your Data Protection Impact Assessments. Maintain records to demonstrate how you evaluated risks, implemented controls, and responded to requests.
Conclusion
For healthcare providers, DPDPA compliance hinges on clean PHI versus non-PHI scoping, rigorous consent and preference management, reliable rights-response operations, disciplined vendor contracts, and DPIAs for high-risk use cases. Treat the statute as Delaware’s personal data protection framework for consumer-facing healthcare operations, and build auditable processes that show your program works in practice.
FAQs
What healthcare entities are exempt from the DPDPA?
PHI processed by HIPAA covered entities and business associates benefits from a HIPAA Exemption, and certain public health, research, and government processing is out of scope. That said, non-PHI consumer data—such as website analytics, marketing audiences, and app telemetry—typically remains covered, so most hospitals, clinics, telehealth providers, and vendors still have obligations.
How does the DPDPA define sensitive health data?
DPDPA classifies Sensitive Personal Information to include data revealing a person’s physical or mental health condition, diagnosis, or treatment, as well as genetic and biometric identifiers used for identification, precise geolocation, sexual orientation, and data about a known child. Processing this information requires explicit Data Processing Consent and heightened safeguards.
What consumer rights are provided under Delaware's DPDPA?
Consumers can confirm and access their data, correct inaccuracies, delete personal data, receive a portable copy, and opt out of targeted advertising, the sale of personal data, and certain automated profiling. Controllers must provide clear instructions, verify requests, respond within statutory timelines, and offer an appeals process without discriminating against consumers who exercise their rights.
What are the penalties for non-compliance with Delaware data privacy law?
Enforcement is handled by the Delaware Department of Justice through investigations, settlement agreements, and civil actions seeking penalties and injunctive relief. Penalties are assessed per violation and may increase for willful or repeated conduct. Demonstrable remediation, strong documentation, and DPIAs can meaningfully mitigate enforcement risk.