Skip to content

Menu

LexBlog, Inc. logo
NetworkSub-MenuBrowse by SubjectBrowse by PublisherJoin the NetworkGet StartedSubscribeSupport
Contact Us
Search
Close

Delaware General Assembly Passes HB 380, an Amendment to the Delaware Personal Data Privacy Act

By Libbie Canter, Jayne Ponder & Rosie Moss on July 16, 2026
Email this postTweet this postLike this postShare this post on LinkedIn

On June 16, 2026, the Delaware General Assembly passed HB 380, which would amend the Delaware Personal Data Privacy Act (DPDPA). The bill is currently awaiting the Delaware governor’s signature, and if signed, the amendments would take effect on January 1, 2027. The amendment would impose the following:

  • Third-Party Risk Management: The amendment requires controllers to conduct “reasonable due diligence” on third parties to whom the controller discloses information. In addition, the amendment requires new contract agreements when personal data is disclosed to third parties, such as when personal data is sold or disclosed to a third party for targeted advertising. The required contract language echoes certain requirements under the California Consumer Privacy Act. Further, the bill would give consumers the right to obtain a list of third parties to which the controller has disclosed the consumer’s personal data unless certain exceptions apply. At present, consumers are only entitled to a list of the categories of third parties to which personal data is disclosed. 
  • New Profiling Requirements: The amendment imposes new, prescriptive requirements for data protection impact assessments when a controller engages in profiling in furtherance of automated decisions that produce legal or similarly significant effects for a consumer. It also potentially expands the scope of profiling activities for which consumers have rights to opt out (removing references to “solely” automated decisions). The amendment also prohibits profiling that violates federal or state laws that prohibit unlawful discrimination, noting that evidence or the lack of evidence of anti-bias testing is relevant to such claims.  
  • Further, the amendment also imposes new obligations in the event a controller discloses personal data to a third party for use in connection with a decision that produces legal or similarly significant effects. The controller would need to put in place a contract with any such third party, requiring certain disclosures to consumers about the use of their personal data and notice to consumers of any adverse action based on their data. The controller would also be required to provide consumers, upon request, with additional information and the ability to correct relevant personal data. Although the DPDPA generally exempts data processed in the course of an individual applying to, employed by, or acting as an agent or independent contractor, the amendment would limit that application of that exemption for purposes of the above new obligations.
  • Sensitive Data: The amendment would expand the definition of sensitive data to include neural data, government-issued identification numbers, and consumer financial numbers and similar information that would allow access to a consumer’s financial account, among other additions. In addition, the amendment would prohibit the sale of sensitive data unless certain conditions are met, including both the consent of the consumer at that the disclosure is strictly necessary to provide or maintain a product or service requested by the consumer.
  • Additional Requirements: The amendment also makes several other changes and clarifications. New language suggests the required privacy notice that controllers must provide consumers should be “reasonably particular to the product or service offered to the consumer” and identify the controller. The provisions addressing contracts between data controllers and processors invoke language from the CCPA regulations that requires processor agreements to identify “each limited and specific purpose” for which the processor may process personal data without describing such purposes “in generic terms.”
  • Applicability: The amendment would lower the DPDPA’s applicability thresholds to encompass entities that control or process personal data of not less than 10,000 consumers or that derive more than 20% of revenue from the sale of personal data of not less than 5,000 consumers. HB 380 also narrows statutory exemptions, such as limiting the financial institution entity-level exemption to banks and insurers and their respective affiliates. The amendment also would impose certain obligations directly on third parties that receive personal data from a controller or processor.
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on managing privacy, cyber security, and artificial intelligence risks, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with U.S. and global privacy laws.

Libbie Canter represents a wide variety of multinational companies on managing privacy, cyber security, and artificial intelligence risks, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with U.S. and global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state laws, including the California Consumer Privacy Act, the Colorado AI Act, and other state laws. As part of her practice, she also regularly represents clients in strategic transactions involving personal data, cybersecurity, and artificial intelligence risk and represents clients in enforcement and litigation postures.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Chambers USA 2025 ranks Libbie in Band 3 Nationwide for both Privacy & Data Security: Privacy and Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Read more about Libbie CanterEmail
Show more Show less
Photo of Jayne Ponder Jayne Ponder

Jayne Ponder provides strategic advice to national and multinational companies across industries on existing and emerging data privacy, cybersecurity, and artificial intelligence laws and regulations.

Jayne’s practice focuses on helping clients launch and improve products and services that involve laws governing data privacy…

Jayne Ponder provides strategic advice to national and multinational companies across industries on existing and emerging data privacy, cybersecurity, and artificial intelligence laws and regulations.

Jayne’s practice focuses on helping clients launch and improve products and services that involve laws governing data privacy, artificial intelligence, sensitive data and biometrics, marketing and online advertising, connected devices, and social media. For example, Jayne regularly advises clients on the California Consumer Privacy Act, Colorado AI Act, and the developing patchwork of U.S. state data privacy and artificial intelligence laws. She advises clients on drafting consumer notices, designing consent flows and consumer choices, drafting and negotiating commercial terms, building consumer rights processes, and undertaking data protection impact assessments. In addition, she routinely partners with clients on the development of risk-based privacy and artificial intelligence governance programs that reflect the dynamic regulatory environment and incorporate practical mitigation measures.

Jayne routinely represents clients in enforcement actions brought by the Federal Trade Commission and state attorneys general, particularly in areas related to data privacy, artificial intelligence, advertising, and cybersecurity. Additionally, she helps clients to advance advocacy in rulemaking processes led by federal and state regulators on data privacy, cybersecurity, and artificial intelligence topics.

As part of her practice, Jayne also advises companies on cybersecurity incident preparedness and response, including by drafting, revising, and testing incident response plans, conducting cybersecurity gap assessments, engaging vendors, and analyzing obligations under breach notification laws following an incident.

Jayne maintains an active pro bono practice, including assisting small and nonprofit entities with data privacy topics and elder estate planning.

Read more about Jayne PonderEmail
Show more Show less
Photo of Rosie Moss Rosie Moss

Rosie Moss is an associate in the firm’s Washington, DC office. She is a member of the Data Privacy and Cybersecurity Practice Group and the Technology and Communications Regulation Practice Group.

Rosie advises clients on a wide range of data privacy and technology…

Rosie Moss is an associate in the firm’s Washington, DC office. She is a member of the Data Privacy and Cybersecurity Practice Group and the Technology and Communications Regulation Practice Group.

Rosie advises clients on a wide range of data privacy and technology regulatory issues, including emerging artificial intelligence compliance matters. She assists clients in complying with federal and state privacy laws and Federal Communications Commission (FCC) regulations. Rosie also maintains an active pro bono practice.

Read more about Rosie MossEmail
Show more Show less
  • Posted in:
    Administrative and Regulatory, Privacy and Cybersecurity
  • Blog:
    Global Policy Watch
  • Organization:
    Covington & Burling LLP
  • Article: View Original Source

Call us at 1-800-913-0988 or email sales@lexblog.com.

Facebook LinkedIn Twitter RSS
Library at LexBlog
  • About LexBlog
  • The Field We Built
  • Library at LexBlog
  • Our Beliefs
  • Our Team
  • Contact LexBlog
  • Disclaimer
  • Editorial Policy
  • Terms of Service
  • Get Started
  • Publishing Solutions
  • Compass
  • Submit a Request
  • Support Center
  • System Status
Copyright © 2026, LexBlog, Inc. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo