On September 11, 2023, Delaware’s governor signed the Delaware Personal Data Privacy Act (“DPDPA”), the thirteenth U.S. state comprehensive privacy law. The law takes effect January 1, 2025 and mirrors other existing state privacy laws in several ways, including privacy policy requirements, consumer rights, opt-out mechanisms, data protection impact assessments (“DPIAs”), security measures, and contracts with processors.
While businesses working to comply with other state privacy laws have likely already taken key steps for DPDPA compliance, businesses should take note of the ways in which DPDPA departs from other laws, including: a significantly lower threshold for applicability, applicability to non-profit entities, and a broad(er) consumer right to delete.
DPDPA applies to a person that conducts business in Delaware or produces products or services targeted at the state’s residents (“consumers”) and that, during a calendar year, either:
- Controls or processes personal data of at least 35,000 consumers; or
- Controls or processes personal data of at least 10,000 consumers and derives 20% or more of its gross revenue from the sale of consumers’ personal data.
Of all the state comprehensive privacy laws, Delaware has the lowest threshold for applicability, which likely reflects the state’s small population of approximately one million residents.
Like most other state privacy laws, DPDPA exempts employee and B2B data, as well as data subject to several federal laws, including HIPAA, GLBA, and FCRA.
Joining Colorado and Connecticut, and unlike most other state laws, however, DPDPA applies to most non-profits. A nonprofit is only exempt from the law if it meets either of the following criteria:
- It is exclusively dedicated to preventing and addressing insurance crime; or
- It collects, processes, or maintains personal data of a victim of or witness to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking to provide services to such victims or witnesses.
Under DPDPA, consumers have the right to: (1) confirm processing; (2) access their data; (3) correct inaccuracies; (4) delete their data; (5) obtain a copy of their data; (6) obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data; (7) opt out of the processing of their personal data for targeted advertising, sale, and profiling; and (8) appeal a controller’s refusal to take action on the consumer’s request. Controllers must respond to requests within 45 days (with the possibility of a 45-day extension).
Regarding requests for deletion, controllers that have obtained personal data about consumers from third parties can only retain a record of the deletion request and the minimum data necessary for the purpose of ensuring the personal data remains deleted, which cannot be used for any other purpose. This differs from several other states that allow controllers to retain data obtained about consumers from third parties (as opposed to directly from the consumer) if the controller opts the consumer out of processing for non-exempt purposes.
Controller and Processor Obligations
DPDPA’s obligations for controllers include requirements to:
- Limit their collection of personal data to what is adequate, relevant, and reasonably necessary in relation to their processing purposes;
- Implement reasonable security measures;
- Provide a mechanism for consumers to revoke their consent;
- Obtain consent to process sensitive data and to process personal information in ways that are not reasonably necessary to and compatible with the disclosed processing purposes; and
- Conduct a data protection impact assessment (“DPIA”) for processing for targeted advertising, personal data “sales,” processing for certain profiling activities, processing sensitive data, or any other processing that presents a heightened risk of harm to consumers.
Controllers and processors must enter into contracts that contain provisions required by other state privacy laws, such as the processor providing information to the controller to demonstrate compliance and ensuring that all processors are subject to a duty of confidentiality. Thus, contracts that are prepared in accordance with other state privacy laws will likely satisfy DPDPA’s requirements.
Enforcement and Effective Date
DPDPA takes effect January 1, 2025 (the same date as Iowa!), and will be enforced by the state Attorney General, as there is no private right of action. Businesses will also need to recognize a consumer’s universal opt-out mechanism by January 1, 2026. At least six months before the effective date, the Delaware Department of Justice will reach out to consumers and businesses about their rights and obligations under the law. In addition, for the first year DPDPA is in effect, the AG must notify controllers or processors of alleged violations and allow them a 60-day cure period before bringing an enforcement action. If violations persist, the AG can seek injunctive relief and penalties of up to $10,000 per violation.
Are You Keeping Up?
There is still no federal comprehensive consumer privacy law; the American Data Privacy and Protection Act (“ADPPA”) was introduced in the House of Representatives last year but did not advance, and it has not yet been reintroduced in the 118th Congress. As the patchwork of state privacy laws continues to grow, be sure to check out our previous coverage on other states: California; Indiana; Iowa; Tennessee; Washington; Connecticut; Utah; Colorado; and Virginia. And stay tuned for the next state privacy law.