Delaware Passes Privacy Law

Delaware has become the twelfth state to pass its own privacy law. Governor John Carney signed the Delaware Personal Data Privacy Act (DPDPA), which will go into effect on January 1st, 2025. The Delaware law provides strong consumer protections, similar to laws enacted in Colorado and Connecticut.

The DPDPA applies to organizations that met at least one of the following criteria in the preceding year:

  • Controlled or processed the personal data of not less than 35,000 Delaware residents.
  • Controlled or processed the personal data of not less than 10,000 Delaware residents and derived more than 20% of their gross revenue from the sale of personal data.

Delaware’s law applies to nonprofits; however, there is an exemption for organizations that provide services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felonies, or stalking. There is also an exemption for nonprofit organizations dedicated exclusively to preventing and addressing insurance crime.

The DPDPA does not provide an entity exemption for organizations subject to HIPAA but does provide an exemption for data covered under HIPAA. It exempts data and entities governed by the GLBA.

The DPDPA also requires controllers to gain consent prior to selling the data of anyone between the ages of 13 and 18.

Here’s a breakdown of the other key elements of the DPDPA.

Consumers Have the Ability to:

  • Confirm whether a controller is processing the consumer’s personal data and access such data, unless doing so would require the controller to reveal a trade secret.
  • Correct inaccuracies in their personal data.
  • Delete personal data provided by, or obtained by, the controller.
  • Obtain a copy of their personal data in a portable and readily usable format that allows the consumer to transmit the data to another controller without hindrance.
  • Obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data.
  • Opt out of the processing of personal data for purposes of any of the following:
    • Targeted advertising
    • The sale of personal data
    • Profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer

Businesses will have 45 days to respond to consumer requests. A 45-day extension will be available when reasonably necessary. Consumers have a right to appeal if their request is denied, so organizations should be prepared to handle these types of requests.

Business Obligations

  • Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.
  • Cannot process personal data for purposes outside of the original intent, unless the controller obtains the consumer’s consent.
  • Must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
  • Only process sensitive data concerning a consumer after obtaining the consumer’s consent or, in the case of sensitive data concerning a known child, after first obtaining consent from the child’s parent or lawful guardian.
  • Provide an effective mechanism for a consumer to revoke the consent that is at least as easy as the mechanism by which the consumer provided the consent. Upon revocation of such consent, cease to process the data as soon as practicable, but not later than 15 days after the receipt of such request.
  • Cannot discriminate against a consumer for exercising any of the consumer rights.

Privacy Notice

Organizations must provide consumers with a privacy notice that includes all of the following:

  • The categories of personal data processed by the controller.
  • The purpose for processing personal data.
  • How consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request.
  • The categories of personal data that the controller shares with third parties, if any.
  • The categories of third parties with which the controller shares personal data, if any.
  • An active electronic mail address or other online mechanism that the consumer may use to contact the controller.

Data Protection Assessments

Businesses that control or process the data of more than 100,000 consumers, excluding payment transaction data, must conduct data protection assessments for activities that present a heightened risk of harm to a consumer, which include:

  • The processing of personal data for the purposes of targeted advertising.
  • The sale of personal data.
  • The processing of personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of any of the following:
    • Unfair or deceptive treatment of, or unlawful disparate impact on, consumers.
    • Financial, physical, or reputational injury to consumers.
    • A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person.
    • Other substantial injury to consumers.

Enforcement

The Delaware Department of Justice will enforce the law. Penalties are not specified in the law. For the first year the DPDPA is in effect, there will be a 60-day cure period (expires December 31st, 2025). The DPDPA does not have a private right of action.

CompliancePoint has a team of experienced privacy professionals that can help your organization establish and maintain compliance with all state privacy laws, including the CCPA and GDPR. Reach out to us at connect@compliancepoint.com to learn more.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.