What types of compliance documents can ComplianceIQ generate?

ComplianceIQ generates privacy policies, terms of service, employee handbooks, data handling policies, OSHA compliance documents, acceptable use policies, HIPAA compliance docs, information security policies, and more — all tailored to your industry.

Are the generated documents legally valid?

ComplianceIQ generates comprehensive, industry-standard compliance documents informed by current regulations. While they provide an excellent foundation, we recommend having critical documents reviewed by legal counsel for your specific jurisdiction.

How does ComplianceIQ stay current with regulations?

Our AI models are continuously updated with the latest regulatory frameworks including GDPR, CCPA, HIPAA, SOC 2, OSHA, and more. Pro and Enterprise plans include regulatory update alerts.

← All states·DPDPA

Delaware (DPDPA) Privacy Law Compliance

Delaware's Personal Data Privacy Act (effective January 1, 2025) sets the lowest threshold of any US state — just 35,000 consumers. Combined with Delaware's role as the corporate domicile for ~70% of Fortune 500 companies, the law has outsized relevance for any company doing online business with US consumers.

Statute

Delaware Personal Data Privacy Act

Del. Code tit. 6 §12D-101 et seq.

Effective

Jan 1, 2025

Enforcer

Delaware Department of Justice / Attorney General

Consumer rights

8 business obligations

Run free policy audit Does this apply to me? ↓

Who must comply

Persons that conduct business in Delaware OR produce products/services targeted to Delaware residents
AND one of: (a) control or process personal data of 35,000+ Delaware consumers (excluding for payment-only); OR (b) control/process data of 10,000+ Delaware consumers AND derive 20%+ gross revenue from the sale of personal data

Exemptions

State + local government, certain non-profits (not all)
Financial institutions subject to GLBA, HIPAA-covered entities + BAs
Employment + B2B data fully exempt
FCRA, DPPA, FERPA in context

Consumer rights (9)

Right to access / know

Confirm whether personal data is processed and obtain a copy in a portable format

Right to correct

Correct inaccurate personal data

Right to delete

Request deletion of personal data the controller has collected

Right to data portability

Receive data in a portable, machine-readable format

Right to opt out of sale

Opt out of the sale of personal data to third parties

Right to opt out of targeted advertising

Opt out of cross-context behavioural advertising

Right to opt out of profiling with legal effect

Opt out of automated decisions producing legal or similarly significant effects

Right to appeal

Appeal a controller's refusal to honour a rights request (typically 45–60 days)

Right to know specific third parties

Obtain list of specific third parties (not just categories) to whom data was disclosed

Business obligations (8)

Public privacy notice

Clear, accessible notice of categories collected, purposes, third parties, rights, and contact channel

Rights response within 45 days

Respond to consumer rights requests within 45 days (extendable by 45 more with notice)

Data processing agreements

Written contracts with processors restricting their processing to the controller's documented instructions

Data protection assessments

Document risk assessment for targeted advertising, sale, profiling, sensitive data processing

Honour universal opt-out signals (GPC)

Recognise the Global Privacy Control browser signal as a valid opt-out (where required)

Reasonable security practices

Administrative, technical, physical safeguards appropriate to the data's sensitivity

Data minimisation + purpose limitation

Collect only what is adequate, relevant, and reasonably necessary for the disclosed purposes

Opt-in for sensitive data + minors 13–17

Affirmative consent before sensitive data processing; opt-in for targeted ads or sale of data of consumers known to be 13–17 (one of the broadest teen protections)

Required privacy notice elements

Categories of personal data processed
Purpose of processing
Categories shared + categories of third parties (specific names available on request)
Rights enumeration + how to exercise + appeal
Sale + targeted advertising disclosure + opt-out
Statement of UOOM (GPC) recognition

Don't hand-check this. Drop your existing privacy policy into the free policy audit and we'll grade every required element and surface the missing language.

Common compliance pitfalls

⚠ 35K threshold + Delaware corporate base

Delaware's threshold is the lowest in the country. Combined with Delaware's status as the corporate home of most US companies, almost every B2C SaaS likely has 35K Delaware-resident users.

⚠ Strongest teen protection (up to 17)

Delaware requires opt-in for targeted ads/sale of data of consumers known to be 13–17 — broader than Connecticut's 13–16 window. Actual-knowledge standards apply.

FAQ

Why is 35K so low?

Delaware has fewer residents than most states (~1M), so the threshold scales proportionally. The bigger impact: any US SaaS company with broad distribution likely crosses the threshold.

How is Delaware different from Virginia?

Lower threshold (35K vs 100K), broader teen opt-in (13–17 vs 16-and-under), right to know specific third parties, higher penalty cap ($10K vs $7.5K).

Grade your Delaware privacy policy in 20 seconds

Paste your privacy policy and we'll score it against DPDPA requirements — categories collected, rights enumeration, opt-out mechanism, sensitive data handling. Free, 3 audits/day, no signup.

Run free audit for Delaware