RatedWithAI

RatedWithAI

Accessibility scanner

Privacy LawJuly 15, 2026

Delaware DPDPA AI Compliance 2026: Lowest Threshold, Cure Period Already Expired

Delaware's Personal Data Privacy Act has been in force since January 1, 2025, and it pulls in more small and mid-sized AI companies than almost any other state law — a 35,000-consumer floor that's the lowest in the country. Worse for latecomers: the automatic cure period that used to give businesses a grace period expired at the end of 2025.

35,000 Consumers
The lowest standard threshold of any current state privacy law
Cure Period Expired
60-day right to cure sunset December 31, 2025 — now AG discretion
3 Opt-Out Rights
Profiling, targeted advertising, and sale of personal data

Does DPDPA Apply to Your AI Product?

DPDPA applies to a person who conducts business in Delaware or produces products or services targeted to Delaware residents and who, during the preceding calendar year, controlled or processed the personal data of at least 35,000 Delaware residents, or controlled or processed the data of at least 10,000 residents while deriving more than 20% of gross revenue from the sale of personal data.

Both numbers are lower than peer statutes. Compare Indiana and Virginia's 100,000-consumer floor, or even Rhode Island's 35,000-consumer floor paired with a steeper 50%-of-revenue alternate trigger. Delaware's 20% revenue bar is also easier to clear than most, meaning a smaller AI SaaS product monetizing any meaningful slice of data-sharing revenue can find itself in scope well before it would trip a wire in a neighboring state.

Consumer Rights and AI Profiling

Profiling opt-out

Consumers can opt out of profiling in furtherance of decisions that produce legal or similarly significant effects — credit, employment, housing, healthcare, insurance, and education outcomes.

Targeted advertising opt-out

Consumers can opt out of personal data being used for targeted advertising, including AI-driven ad personalization models.

Sale of data opt-out

Consumers can opt out of the sale of their personal data to third parties, including data-licensing arrangements with AI model developers.

Data Protection Assessments

Processing that presents a heightened risk of harm — including profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment — requires a documented data protection assessment before the processing begins.

Why the Expired Cure Period Matters Now

DPDPA originally gave controllers 60 days to fix a violation after receiving notice from the Delaware Department of Justice, before any enforcement action could proceed. That automatic right sunset on December 31, 2025. Since then, whether a business gets a chance to cure at all is a discretionary call by the Department, weighed against factors like the number of violations, the size and complexity of the business, and the likelihood of harm to consumers. For AI companies that assumed a fix-it grace period would always be available, that assumption stopped being safe more than six months ago.

DPDPA Compliance Checklist for AI Companies

1. Scope Determination
  • Track Delaware consumer counts against the 35,000-consumer threshold as your user base grows
  • Separately check the 10,000-consumer / 20%-revenue alternate trigger — it's easier to trip than most states' 50% bar
  • Reassess annually against the preceding calendar year, not a rolling window
2. Consumer Rights Infrastructure
  • Build opt-out flows for profiling, targeted advertising, and data sale
  • Document which AI-driven decisions fall into the legal-or-significant-effect category
  • Support access, correction, deletion, and portability requests within statutory timelines
3. Risk Assessments
  • Complete a data protection assessment before deploying profiling that carries a foreseeable risk of unfair treatment
  • Retain assessments in case the Department of Justice requests them during an inquiry
  • Update assessments when the AI model or its training data materially changes
4. Enforcement Readiness
  • Do not assume a cure notice will be offered before enforcement — the automatic window is gone
  • Retain records supporting your scope and threshold determinations
  • Treat any inquiry from the Delaware DOJ as immediately actionable rather than something to negotiate a grace period for

See where your AI product is exposed

RatedWithAI helps SaaS and platform teams surface compliance and trust gaps across their web properties. Start with a free scan to understand how your product presents to users and regulators alike.

Scan Your Product for Free →

Frequently Asked Questions

How does Delaware's threshold compare to other low-threshold states?

Delaware's 35,000-consumer floor is the lowest of any enacted state privacy law, with Montana's 50,000-consumer threshold the next lowest. That makes Delaware one of the first states a growing AI SaaS product will trip, especially if it also monetizes any data-sharing revenue above the 20% mark that triggers the alternate trigger.

What happens if the Delaware DOJ declines to offer a cure period after 2025?

Without an automatic cure right, the Department of Justice can proceed directly to enforcement action, which can include civil penalties. Businesses can still voluntarily remediate a known violation before receiving a notice, which remains the safest posture now that the guaranteed grace period is gone.

Does DPDPA apply retroactively to AI models trained before 2025?

DPDPA regulates ongoing processing and disclosure of personal data, not the historical training event itself. If a covered business continues to process, use, or profile with data collected from Delaware residents after the law's January 1, 2025 effective date, that processing is in scope regardless of when the underlying model was originally trained.

Related Guides