
Comparison of Privacy Laws in California and Delaware

  • May 21, 2024

Updated: Jun 17, 2025



California Privacy Laws


The California Consumer Privacy Act (CCPA), signed on June 28, 2018, established a series of consumer rights for the protection of personal data and obligations for businesses regarding collecting and processing such data. The CCPA came into effect on January 1, 2020. The California Privacy Rights Act (CPRA), also known as "Proposition 24," was approved by California voters on November 3, 2020. It significantly amended and expanded the CCPA, sometimes called "CCPA 2.0." The CCPA and CPRA set a comprehensive standard for consumer privacy protection and data security, influencing many companies' approaches to these issues.


Delaware Privacy Laws


In contrast, Delaware's privacy law is among the most business-friendly. It is not as stringent as California's CCPA and CPRA. Delaware's law applies to a broader range of companies of all sizes, unlike Florida's privacy law, which targets large companies, or Texas's Data Privacy and Security Act (TDPSA), which excludes small businesses.


Scope and Applicability


California


CCPA and CPRA impose obligations on businesses, service providers, and third parties. CPRA adds a fourth category: contractors. A "business" under CPRA is defined as a business enterprise that:

  • Collects consumer personal data either independently or through efforts by others

  • Determines the purposes and means of processing the personal data

  • Operates in California

  • Meets at least one of the following criteria:

    - Has an annual gross revenue of over $25 million

    - Annually buys, receives, sells, or shares the personal information of 100,000 or more consumers or households

    - Derives 50% or more of its annual revenue from selling consumers' personal data


Delaware


Delaware's compliance threshold is lower, unsurprisingly, given the state's small population—about one million compared to California's 40 million. Delaware's privacy law applies to more small businesses as it has no revenue threshold. Compliance is required:

  • If an organization controls or processes the personal data of at least 35,000 consumers, excluding data controlled or processed solely for completing a payment transaction

  • or if it controls or processes the personal data of at least 10,000 consumers and derives over 20% of its gross revenue from selling personal data


Consumer Rights and Requests


Delaware's Data Protection and Privacy Act (DPDPA) grants consumers a range of rights similar to those in other state data privacy laws, including access, correction, deletion, obtaining a copy of personal data, and opting out of the sale of personal data and/or targeted advertising. Parents and guardians can exercise rights on behalf of their children as defined by the Children's Online Privacy Protection Act (COPPA). DPDPA also grants rights regarding "sensitive data," which includes racial or ethnic origin, religious beliefs, health status, sexual orientation, and precise geolocation data, among others.


CCPA established specific rights for consumers:


  • The right to know what personal information is collected and processed

  • The right to delete such personal information

  • The right to opt out of the sale of personal information to third parties

  • The right to non-discriminatory treatment when exercising any rights

  • The right to bring a civil action in case of data breaches


CPRA expanded the list of rights with two additional rights:


  • The right to correct inaccurate personal information

  • The right to limit the use and disclosure of sensitive personal information


Enforcement and Penalties


CCPA imposes civil penalties, with the potential for fines up to $7,500 for intentional violations and $2,500 for unintentional violations, with a 30-day period for correction after notice. Consumers can also seek damages for data protection violations, ranging from $100 to $750 per incident or actual damages, whichever is greater. Businesses may also face injunctions in cases prescribed by the California Attorney General.


In Delaware, enforcement of DPDPA is entrusted to the state's Department of Justice. Before initiating an action, the Department must determine whether the violation can be corrected and provide 60 days for correction. Afterward, the Department can initiate a lawsuit against the controller or processor. This provision will be effective until December 31, 2025, but may be extended at the Department's discretion until January 1, 2026. Unlike most state data privacy laws, DPDPA does not cap the amount of civil penalties for violations.


Although California and Delaware laws provide robust consumer privacy protections, they differ significantly in scope, compliance thresholds, and enforcement mechanisms. California's CCPA and CPRA set high standards with strict requirements and severe penalties. Delaware's DPDPA is more accessible for small businesses with fewer consumers, offering a broader spectrum of consumer rights and emphasizing flexibility in compliance and a more organized enforcement approach.


All rights reserved

© Copyright Icon.Partners 2026
