Understanding the Delaware Personal Data Privacy Act (DPDPA)
Personal data has become one of the most valuable assets a business holds, and protecting the personal data of the people it serves is now one of the central obligations of doing business. The Delaware Personal Data Privacy Act (DPDPA), signed into law in September 2023 and in force since January 1, 2025, responds to this by establishing consumer rights and data protection duties for personal data. Like the other state privacy laws it is modelled on, the Act aims to give consumers greater control over their data while holding businesses accountable for how they handle it. But how does the DPDPA work, and why does it matter? Let’s break it down.
What is the DPDPA?
The Delaware Personal Data Privacy Act (DPDPA) is a state-level privacy law that governs how businesses collect, store, use and share personal data. It is designed to protect Delaware residents’ personal information and to ensure that businesses follow defined privacy practices. It sets out consumer rights, the responsibilities of data controllers and processors, and the circumstances in which businesses must conduct data protection assessments.
One of the key goals of the DPDPA is to offer consumers more transparency and control over their personal data. It also aims to ensure that organizations handling personal data take adequate measures to protect it from unauthorized access, use or loss.
Applicability of the DPDPA
So, who exactly does the DPDPA apply to?
The DPDPA applies to persons that conduct business in Delaware, or that produce products or services targeted to Delaware residents, and that during the preceding calendar year met either of the following thresholds:
- Controlled or processed the personal data of at least 35,000 consumers (excluding personal data processed solely to complete a payment transaction).
- Controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of gross revenue from the sale of personal data.
A “consumer” here is a Delaware resident acting in an individual or household context; individuals acting in an employment or commercial context (employees, contractors, business representatives) are not consumers under the Act.
Who Is Exempt from This Law?
The law does not apply to:
- State and local government bodies, including courts, agencies and legislatures. Note that institutions of higher education are not carved out with them: Delaware is one of the few state laws under which colleges and universities remain covered.
- Financial institutions that follow the Gramm-Leach-Bliley Act (GLBA).
What Types of Information Are Exempt?
Even for a covered entity, certain categories of data fall outside the law, largely because they are already regulated by a federal statute:
- Protected health information under HIPAA.
- Patient-identifying information from substance use disorder treatment records (42 U.S.C. § 290dd-2).
- Identifiable private information collected as part of human subjects research conducted under the federal Common Rule (45 CFR Part 46).
- Clinical research data collected in accordance with ICH Good Clinical Practice guidelines or FDA human subject protection rules (21 CFR Parts 50 and 56).
- Patient safety work product created for purposes of improving patient safety (42 CFR Part 3).
- Information used only for public health activities and purposes as authorized by HIPAA.
- Consumer report data regulated by the Fair Credit Reporting Act (FCRA).
- Motor vehicle record data regulated by the Driver’s Privacy Protection Act.
- Education records regulated under the Family Educational Rights and Privacy Act (FERPA).
- Data regulated under the Farm Credit Act.
Consumer Rights Under the DPDPA
The Delaware Personal Data Privacy Act gives consumers several rights over their personal data. These rights resemble those in the EU’s General Data Protection Regulation (GDPR) and in earlier US state laws such as Connecticut’s, but are defined by the Delaware statute itself.
- Right to Access: Consumers have the right to request a copy of the personal data businesses hold about them. This allows consumers to see what information has been collected and how it is being used.
- Right to Correct: If the personal data a business holds is inaccurate or incomplete, consumers have the right to request corrections.
- Right to Deletion: Consumers can ask businesses to delete their personal data, with certain exceptions (such as legal or contractual obligations).
- Right to Data Portability: Consumers can obtain a copy of the personal data they previously provided to the controller in a portable and, where technically feasible, readily usable format that lets them transfer it to another service provider without hindrance.
- Right to a List of Third Parties: Consumers can obtain a list of the categories of third parties to which the controller has disclosed their personal data, giving them visibility into who has received their information.
- Right to Opt Out: Consumers can opt out of the sale of their personal data, its use for targeted advertising, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.
Duties of Data Controllers
A data controller is any business that determines the purposes and means of processing personal data. Under the DPDPA, data controllers have several key responsibilities:
- Transparency: Controllers must provide a reasonably accessible, clear and meaningful privacy notice describing the categories of personal data processed, the purposes of processing, how consumers can exercise their rights (including how to appeal a refused request), and the categories of data shared with third parties.
- Security: Controllers must establish, implement and maintain reasonable administrative, technical and physical data security practices, appropriate to the volume and nature of the data, to protect the confidentiality, integrity and accessibility of personal data.
- Data Minimization and Purpose Limitation: Controllers must limit collection to what is adequate, relevant and reasonably necessary for the disclosed purposes, and must not process data for materially different purposes without consent.
- Consent for Sensitive Data: Controllers may not process sensitive data (for example racial or ethnic origin, religious beliefs, health data, sexual orientation, citizenship or immigration status, genetic or biometric data, precise geolocation, or the data of a known child) without the consumer’s consent, or a parent’s consent in the case of a child.
- Accountability: Controllers must be able to demonstrate compliance, which in practice means keeping records of processing activities, the notices given and the consents obtained, and reviewing them regularly.
- Data Protection Assessments: Where processing presents a heightened risk of harm to consumers (such as targeted advertising, the sale of personal data, certain profiling, or processing sensitive data), the controller must conduct and document a data protection assessment, as described below.
Duties of Data Processors
A data processor is a business or third party that processes personal data on behalf of a controller. Processors have fewer direct obligations than controllers, but the DPDPA still imposes specific duties on them, and it requires a binding contract between controller and processor that sets out the processing instructions, the nature and purpose of processing, the type of data, the duration, and the rights and obligations of both parties.
- Process Data Only as Instructed: Processors may process personal data only on the controller’s documented instructions and may not use it for their own purposes.
- Data Security: Processors must implement appropriate technical and organizational measures to protect the data they process, and must delete or return all personal data at the end of the engagement unless retention is required by law.
- Confidentiality and Sub-processors: Processors must ensure that each person processing the data is bound by a duty of confidentiality, and may engage a sub-processor only under a written contract that imposes the same obligations the processor owes to the controller.
- Assist Controllers: Processors must help controllers respond to consumer rights requests (such as access or deletion), support security and breach notification obligations, provide the information needed for data protection assessments, and make available all information necessary to demonstrate compliance.
Data Protection Assessments
The DPDPA requires a controller that controls or processes the personal data of at least 100,000 consumers (again excluding data processed solely to complete a payment transaction) to conduct and document a data protection assessment for each processing activity that presents a heightened risk of harm to consumers. This includes:
- Targeted Advertising: If a business uses personal data for targeted advertising, they must assess the risks of this activity and take steps to minimize harm.
- Sale of Personal Data: Businesses that sell personal data must assess the risks associated with this activity and ensure they are in compliance with the Act.
- Profiling: If a business uses personal data for profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, financial, physical or reputational injury, intrusion upon seclusion, or other substantial injury to consumers, it must perform a data protection assessment.
- Processing of Sensitive Data: If a business processes sensitive data such as racial or ethnic origin, religious beliefs, biometric or genetic data, health information, precise geolocation, or the personal data of a known child, it must conduct an assessment so that the risks of handling such data are explicitly evaluated and managed.
A data protection assessment must identify and weigh the benefits of the processing (to the controller, the consumer, other stakeholders and the public) against the potential risks to consumers’ rights, as mitigated by the safeguards the controller puts in place. The assessment must take into account the use of de-identified data, consumers’ reasonable expectations, the context of the processing and the relationship between controller and consumer. Assessments must be documented and made available to the Delaware Department of Justice on request; once disclosed they remain confidential and exempt from public records requests. The requirement applies to processing activities created or generated on or after July 1, 2025.
Enforcement and Penalty
The Delaware Department of Justice (DOJ) has exclusive authority to enforce the DPDPA. Until December 31, 2025, before bringing an action the DOJ must issue a notice of violation and give the business 60 days to cure the violation, provided a cure is possible. From January 1, 2026 the cure period becomes discretionary: the DOJ may decide whether to grant one based on factors such as the number of violations, the size and complexity of the entity, the nature and extent of its processing activities, the likelihood of injury to the public, the safety of persons or property, whether the violation was likely caused by human or technical error, and the entity’s compliance history.
A violation of the DPDPA is treated as an unlawful practice under Delaware’s Consumer Fraud Act, and the DOJ can seek the remedies available under that statute, including civil penalties and injunctive relief. The DOJ may also investigate suspected violations, including those that come to light through a data breach.
The DPDPA does not create a private right of action, so individuals cannot sue businesses directly for violations. Enforcement rests solely with the DOJ.
Steps to Comply with DPDPA
Businesses within the Act’s scope should take the following steps to comply with the DPDPA:
- Map Data Processing Activities: Inventory the personal data you collect, where it comes from, how it is processed, how long it is retained, and to whom it is disclosed (including processors and sub-processors). This inventory is also the basis for determining whether you meet the applicability thresholds.
- Publish Privacy Notices: Provide clear and comprehensive privacy notices that describe your processing practices and explain how consumers can exercise their rights and appeal a decision.
- Strengthen Data Security: Implement reasonable administrative, technical and physical safeguards proportionate to the volume and sensitivity of the data you hold, so that it is protected against breaches and unauthorized access.
- Conduct Data Protection Assessments: Identify high-risk processing activities such as targeted advertising, sale of personal data, profiling and sensitive data processing, and document an assessment for each before you carry them out.
- Establish Consumer Rights Procedures: Put in place mechanisms to receive, verify and fulfil access, correction, deletion, portability and opt-out requests within the statutory 45-day window (extendable once by a further 45 days where reasonably necessary), and an appeal process for refused requests.
- Put Processor Contracts in Place: Ensure every vendor that processes personal data on your behalf is bound by a contract that meets the Act’s processor requirements.
- Train Employees: Make sure staff who handle personal data understand the Act’s requirements and your internal procedures for honouring them.
Conclusion
The Delaware Personal Data Privacy Act is a significant step toward safeguarding consumer data and ensuring transparency in data processing. By giving consumers rights over their personal data and placing clear responsibilities on businesses, the DPDPA aims to build trust between consumers and the companies that hold their data. Aligning with the Act takes real work, but that work builds the foundation for handling personal data responsibly under Delaware’s law and the growing number of similar state laws.
FAQs
What are consumer rights under the DPDPA?
Consumers have the rights to access, correct, delete and obtain a portable copy of their personal data, to obtain a list of the categories of third parties that received it, to opt out of sale, targeted advertising and significant profiling, and to exercise these rights without being discriminated against.
What is a data protection assessment?
It is a documented assessment that controllers processing the personal data of at least 100,000 consumers must perform for high-risk processing activities, such as targeted advertising, the sale of personal data, certain profiling or the processing of sensitive data, weighing the benefits of the processing against the risks to consumers and the safeguards that mitigate them.
What happens if a business doesn’t comply with the DPDPA?
The Delaware Department of Justice can issue a notice of violation and, through December 31, 2025, must give the business 60 days to cure it; after that the cure period is at the DOJ’s discretion. If the violation is not cured, the DOJ can bring an enforcement action under Delaware’s Consumer Fraud Act.
Can individuals sue businesses under the DPDPA?
No, there is no private right of action. Enforcement is handled by the Department of Justice.