On September 11, 2023, Delaware Governor John Carney signed the Delaware Personal Data Privacy Act (DPDPA) into law, making Delaware the 13th state to enact a consumer privacy law. The DPDPA closely tracks the laws in Connecticut and Virginia, which is welcome news and a continuing sign that those state laws are serving as the model for other states. However, there are nuances in the DPDPA that make it a bit different, meaning businesses subject to the DPDPA will have to take certain steps to comply above and beyond existing or planned compliance activities. The DPDPA will go into effect January 1, 2025.
Below, we provide an overview of some of the key aspects of Delaware’s new consumer privacy law.
WHO DOES DELAWARE’S PERSONAL DATA PRIVACY ACT (DPDPA) APPLY TO?
Unlike the consumer privacy laws in California and Utah, the DPDPA does not include a revenue threshold. To be subject to the DPDPA, a business must do business in Delaware or target products or services to Delaware consumers, and either…
control or process personal data of 35,000 or more Delaware consumers (excluding data controlled or processed solely for the purpose of completing a payment transaction), or
control or process personal data of 10,000 or more Delaware consumers and derive more than 20% of gross revenue from the sale of that data.
These thresholds are significantly lower than other states with consumer privacy laws, meaning more companies will be subject to the DPDPA than would be in other states under other consumer privacy laws.
WHO IS A “CONSUMER”?
In the DPDPA, a consumer is a natural person who is a resident of Delaware acting in a personal context. This means that employees and business-to-business (B2B) contacts are expressly excluded from the definition of consumer.
WHAT IS “PERSONAL DATA”?
Personal data in Delaware’s bill is defined as “information that is linked or reasonably linkable to an identified or identifiable individual.” It excludes, however, de-identified data, aggregate data and publicly available data. The limitations for de-identified data and publicly available data closely track those of Virginia (e.g., de-identification requires a public commitment to keep data de-identified, and public data is both from government files as well as data that is generally available through mass media sources).
Although pseudonymous data is not included in the definition of personal data, companies do not need to include it (under certain circumstances) when responding to consumer requests under the DPDPA.
WHO CAN ENFORCE?
The Delaware Department of Justice has exclusive enforcement authority, and there is an express provision disclaiming the creation of any private right of action. For the calendar year of 2025, the Department of Justice is required to provide companies with 60 days’ notice and a cure period prior to commencing any enforcement actions. Beginning January 1, 2026, the provision of a cure period is left to the discretion of the Delaware Department of Justice. If an enforcement action follows, penalties for violations of the DPDPA can be up to $10,500 per violation.
WHO IS EXEMPT?
The DPDPA’s exemptions mirror those of other state consumer privacy laws. For example, exemptions include personal information covered by laws such as the Health Insurance Portability and Accountability Act, the Children’s Online Privacy Protection Act, the Gramm-Leach-Bliley Act, the Family Educational Rights and Privacy Act, and a litany of other federal laws.
In addition, the DPDPA does not apply to government entities or nonprofit organizations.
The DPDPA also has broad use exemptions for certain use cases such as compliance with law, preventing fraud or injury to others, and defending legal claims.
WHAT OBLIGATIONS ARE IMPOSED?
The DPDPA imposes what are now standard obligations on data controllers under state consumer privacy laws. Specifically, controllers must:
Limit the purpose of processing personal data to that which is reasonably necessary and proportional
Take steps to implement reasonable safeguards for the personal data within their control
Refrain from discriminating against consumers for exercising their rights and from processing personal data in violation of federal laws that prohibit discrimination
Be transparent in their reasonably accessible, clear and meaningful privacy notice
Ensure contracts control relationships with their processors (note: the law itself details the minimum necessary provisions of these contracts)
WHAT CONSUMER RIGHTS ARE CREATED BY THE DPDPA?
Controllers must provide what is now a standard set of consumer rights to Delaware consumers:
Opt-out rights related to the sale of personal data, targeted marketing and profiling (automated decision-making that could have significant legal effects, such as decisions related to housing, drinking water, credit, etc.)
Deletion rights (with respect to the data provided by or about the consumer)
Access rights, including a right to confirm whether the controller is processing any data at all and to obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data
Data portability rights (limited to data the consumer previously provided). Controllers are given the option to respond to a data portability request with a “representative summary” of the personal data held rather than the data itself.
With the exception of the provision of a list of the categories of third parties to whom personal data has been disclosed, these rights should look familiar to most companies by now.
Under the DPDPA, the definition of sensitive data is arguably broader than it is under other state consumer privacy laws and includes: data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, citizenship status or immigration status, genetic or biometric data, personal information of a known child (under the age of 13), and precise geolocation (within a radius of 1,750 feet).
A controller may not process (including collect) sensitive data without obtaining the consumer’s consent (or their parent’s consent, in the case of a known child).
RESPONSE TO CONSUMER INQUIRIES
As has become standard in state consumer privacy laws, controllers must respond to a consumer personal data request within forty-five (45) days of receipt of the request, with a forty-five (45) day extension available. If a consumer appeals a controller’s decision to deny a consumer request, the appeal response must be delivered within sixty (60) days. If the appeal is denied, controllers must provide the consumer with a method for contacting the Delaware Department of Justice.
DATA PROTECTION ASSESSMENTS
Controllers will need to conduct documented data protection assessments before they engage in certain processing activities, including:
Processing for targeted advertising
Sale of personal data
Processing of personal data for profiling if the profiling presents a reasonably foreseeable risk of legal, deceptive, discriminatory, financial, reputational or physical harms
Processing sensitive data
The required assessment must analyze the benefits of the processing to the company, consumer and public while weighing the harms and potential mitigants. The DPDPA allows for the use of impact assessments done under other state laws to count toward the requirements of the DPDPA and does not require retroactive impact assessments for processing activities occurring prior to the effective date of the law. One unique aspect of the DPDPA, however, is that if the assessment is produced to the Delaware Department of Justice, in order to preserve privilege over the assessment, the document produced must be “conspicuously” marked as privileged.
WHEN DOES THE DPDPA TAKE EFFECT?
The DPDPA comes into effect on January 1, 2025.
Creating a successful, effective and comprehensive privacy program for your organization requires a thorough understanding of both the relevant legal obligations and the personal data subject to compliance. Setting up a program that is prepared to respond to various state privacy laws as they come into effect will save organizations time in the long run, especially as many of these laws reflect one another.