After some delay, Delaware’s governor has at last signed into law the thirteenth state comprehensive privacy law. This is the seventh law passed in 2023, joining Iowa, Indiana, Tennessee, Montana, Florida, and Oregon. The law takes effect on January 1, 2025. The bill was passed by Delaware’s congress at the end of June and was sent to the governor’s office for signature on June 30, 2023. He did not sign it, though, until this week.
Like other states, Delaware’s law does not contain a private right of action. The Delaware Department of Justice has sole enforcement power. The law provides a 60-day cure period for violations until December 31, 2025. If a violation is not cured, the Department of Justice may bring an enforcement proceeding under state UDAAP laws. Since Delaware already has an existing online privacy law (though less stringent than this law), entities should consider both in their compliance plans.
Key provisions include:
- Applicability. Delaware’s privacy law will apply to consumer information and not to employees. The law’s thresholds differ from those of other states. Like Montana, Delaware has lower thresholds. It will apply to businesses that either (1) process personal data of at least 35,000 Delawareans or (2) process personal data of 10,000 state residents and receive 20% of gross revenue from sale of personal data. Like California and Oregon, there is no entity-wide exemption for covered entities or business associates under HIPAA. Like Colorado and Oregon, Delaware does not exempt non-profits (except for those dedicated to preventing insurance crime).
- Privacy notice content. Under the Delaware law, businesses will need to include the same kind of content in their privacy policies as currently required under other laws. Privacy notices should state what categories of data are being processed and the purpose of processing. The notice must also state whether data is sold or shared. Also required is an explanation of consumers’ rights, how to exercise those rights, and how to appeal a decision. Like California, Colorado, Connecticut, Montana, and Oregon, Delaware businesses must provide in their privacy notice an email or other online mechanism that allows consumers to contact the business.
- Consumer rights. Delaware consumers will have consumer rights similar to those in other states. These include the right to access, correct, delete, and port personal information. Delaware will also allow consumers to designate an authorized agent to act on the consumer’s behalf. Timing for processing rights is similar to other states: 45 days to respond, with a 45-day extension possible. Like a handful of other states, businesses will need to comply with universal online opt-out mechanisms. The Delaware Department of Justice may publish or reference a list of mechanisms that will have presumptive authority to make such opt-out requests.
- Targeted advertising, sale, profiling, and sensitive information. Like other states, Delawareans under the new law will need to be given notice of, and the ability to opt out of, targeted advertising, the sale of their data, and profiling. Businesses will need to perform data protection assessments if they engage in any of those activities. Importantly, only businesses that control or process data for 100,000 consumers must conduct any needed data protection assessments. This is a higher threshold than the applicability threshold for the rest of the law, which impacts businesses that control or process the data of 35,000 Delaware consumers. For sensitive information, consent must be obtained before processing. (This is the same as Colorado, Connecticut, Indiana, Montana, Oregon, Tennessee, Texas, and Virginia.) The definition of sensitive information parallels other states. It also, though, includes “pregnancy” as a mental or physical health condition and (like Oregon) “transgender/non-binary status.”
- Vendors. Vendor contracts for data processing require familiar provisions. The agreements must provide instruction on how to process information and what type of information will be processed. Vendor contracts will also require data confidentiality and allow companies to assess vendors’ compliance (vendors must cooperate with those assessments).
Putting it Into Practice: By now, many of these state privacy laws may be feeling familiar. However, privacy remains a space where “one-size-fits-all” policies still won’t hit the mark. Companies should continue to take a flexible approach to their privacy program in order to customize where necessary. As more states follow suit, differences will become harder to accommodate with one uniform policy or practice.