
Everything Businesses need to know about Delaware Personal Data Privacy Law

The Delaware Assembly passed the Delaware Personal Data Privacy Act (HB 154) on June 30, 2023.   

Governor John Carney of Delaware will review the bill after it has gone through the legislative process.  

Delaware will be the twelfth state to enact a consumer data privacy law and the seventh this year if the bill is signed into law.   

This year, bills have also been passed by the following states: Texas, Indiana, Iowa, Montana, Oregon, and Tennessee.  

With a few significant exceptions covered in the article below, the Delaware bill is like the previous year’s Connecticut Data Privacy Act (CTDPA).  

The CTDPA was passed last year before the Connecticut legislature amended it this year with Senate Bill 3; thus, the Delaware bill mostly follows the same provisions as the CTDPA.   

Therefore, excluding California, which is based on another model, the Delaware bill falls in the same tier as Colorado, Connecticut, Oregon, and Montana.

Delaware Law is also considered among the more consumer-friendly state consumer data privacy bills passed.   

Some contend that this group includes the Texas law passed earlier this year.  

Delaware is the second legislature controlled by Democrats to pass a bill out of the seven passed this year.  

It is important to note that Delaware already has the Delaware Online Privacy and Protection Act (DelOPPA), a law about online privacy.   

While this new law has much stricter standards than DelOPPA, businesses should consider both laws while ensuring compliance.  

In this article, we will discuss everything you need to know about the Delaware Personal Data Privacy Act to make your business comply with the law before it’s too late and you end up paying hefty fines and penalties.  

What is the Delaware Personal Data Privacy Act?  

The Act defines the rights of consumers regarding their data, including having a right to know what information is being collected about them, making corrections if there are any inaccuracies, and requesting deletion of any personal data kept by individuals or entities.  

This Act is based on other jurisdictions’ data privacy frameworks that are currently in effect.   

Applicability   

The Delaware law follows the applicability approach based on the number of customers whose data the entity collects, which has been popular with the variants of the Washington Privacy Act.

The Delaware bill, however, changes two things.  

  • Delaware first reduces the threshold of 100,000 consumers to 35,000 consumers. This change reflects Delaware’s smaller population of 1.02 million.

    The 35,000 threshold is roughly 3.43% of the state’s population.

    For comparison, in Colorado, Connecticut, and Oregon, the 100,000 threshold is around 1.72%, 2.78%, and 2.35% of the respective state populations.

    Delaware is the second state to reduce the applicability threshold because of its smaller population.

    Montana lowered the threshold earlier this year to 50,000 customers, around 4.45% of the state’s population.

    Tennessee, in contrast, increased the threshold to 175,000 customers, around 2.48% of the state’s total population.

  • Second, Delaware modifies the second applicability threshold so that the bill covers individuals who “controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data” in the previous calendar year.

    By comparison, Connecticut establishes these limits at 25,000 customers and 25% of gross revenue.

Simply put, businesses operating in the State of Delaware will be subject to the provisions of this Act if they control or process the personal data of at least 35,000 consumers, or of at least 10,000 consumers while deriving more than 20 percent of their gross revenue from the sale of personal data.

Sensitive Data  

Delaware’s definition of sensitive data includes “status as transgender or nonbinary.”

Delaware’s definition of sensitive data includes genetic or biometric information, just like other legislation passed.   

The bill does not, however, specify that the information must be used to identify a person specifically.   

However, since the definition of biometric data states that it must be “used to identify a specific individual,” the lack of this condition may not matter in the case of biometric data.  

Delaware law also defines genetic data, which is not in other regulations.   

It is “any data, regardless of its format, about genetic material obtained through the analysis of an individual’s biological sample or from another source that provides similar information.”   

For this paragraph, “genetic material” refers to the following: 

Uninterpreted data that comes from analysis of the biological sample or other source; genes; chromosomes; alleles; genomes; alterations or modifications to DNA or RNA; single nucleotide polymorphisms (SNPs); and any information extrapolated, derived, or inferred therefrom.

Nonprofits  

The Delaware bill does not exempt nonprofits, with two important exceptions. Nonprofits “dedicated exclusively to preventing and addressing insurance crime” are exempt from the law.   

Additionally, the bill exempts from disclosure any personal information that is “collected, processed, or maintained by a nonprofit organization that provides services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking” and includes information about victims or witnesses to these crimes.  

Delaware joins Colorado and Oregon as the only states not exempting nonprofit organizations.

Exemptions  

The Delaware bill exempts state governments, although it specifies that “any institution of higher education” is not included in this exemption.  

The bill has no entity-level exemption for business associates and HIPAA-covered organizations.   

Several data-level exemptions for health data in the bill differ from those in the Connecticut law.  

The bill includes exemptions at the entity and data levels for GLBA financial institutions and information the GLBA covers.  

Consumer Rights  

Delaware gives its consumers the same rights as Connecticut’s law, including a requirement that controllers recognize universal opt-out procedures by January 1, 2026.

Additionally, the bill does not require opt-outs to be authenticated.

Customers also have the right to “a list of the categories of third parties to which the controller has disclosed the consumer’s data,” according to Delaware law.

While Oregon specifies the right to acquire a list of “specific third parties,” this bill is relatively comparable to that state’s law.  

Delaware further specifies that the Attorney General’s Office may post or reference a list of approved agents on its website.  

This Delaware bill further narrows the data broker exemption found in other state laws, as stated in paragraph (3) of subsection (a) of this section:

“A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer’s request to delete such data if the controller retains a record of the deletion request and the minimum data necessary for ensuring the consumer’s data remains deleted from the controller’s records and does not use such retained data for any other purpose.”   

According to other regulations, controllers may also allow customers to opt out of processing their data for any purpose except those exempted by the law.  

Privacy Rights of Children  

According to Delaware law, a controller who has actual knowledge or willfully disregards that a consumer is at least 13 but younger than 18 years old is not permitted to process the consumer’s data for targeted advertising or sell the consumer’s data without the consumer’s consent.   

By doing this, Delaware increases the Connecticut law’s minimum age from under 16 to under 18.   

It should be noted, nevertheless, that the additional protections for children’s privacy provided by Connecticut Senate Bill 3 this year achieve the same goal.  

Processor Contracts  

Controllers (those who “determine the purpose and means of processing personal data”) and processors (those who “process personal data on behalf of a controller”) must enter into contracts for processors to comply with the Delaware Personal Data Privacy Act (DPDPA). It requires processors to:

  • Impose a confidentiality duty on everyone processing personal data.
  • Delete or return personal data as soon as the agreement terminates.
  • Upon request, provide a demonstration of DPDPA compliance.
  • Assist the controller with data protection assessments.
  • Provide controllers with the option to object to the use of subcontractors who are governed by the same privacy regulations as processors.

Data Protection Assessments   

The language about data protection assessments is identical to that of Connecticut, except that Delaware specifies that the requirements will apply to processing activities developed or generated on or after six months following the law’s effective date.

The assessment requirements in Connecticut take effect on the day of implementation.  

Enforcement and Effective Date  

The Attorney General’s Office of Delaware will enforce the bill. There is no private right of action in it. A sixty-day right to cure is included in the bill; however, it expires on December 31, 2025.  

If the law is adopted before January 1, 2024, it will take effect on January 1, 2025.  

Conclusion   

To sum up, the Delaware Personal Data Privacy Act, which makes Delaware the twelfth state overall and the seventh this year to pass a consumer data privacy law, is an important step forward in consumer data protection.

Like the Connecticut Data Privacy Act, this bill emphasizes Delaware’s commitment to strict data privacy laws and sets the state apart as one of the friendlier ones for consumers.   

The Act’s subtle provisions—such as broadened definitions and lowered thresholds—reflect Delaware’s practical response to a fast-changing digital environment.   

Businesses must negotiate the Delaware Personal Data Privacy Act and the prevailing Delaware Online Privacy and Protection Act for total compliance since the law acknowledges the complexities of online privacy while enforcing high requirements.  

The enactment of DPDPA increases the complexity of privacy compliance for US-based businesses even more.   

An additional privacy regulation inevitably raises enforcement risk, even though companies should be able to use existing privacy compliance programs to account for many of the DPDPA’s statutory requirements.

Therefore, businesses in Delaware and globally ought to prioritize proper privacy compliance. 

FAQs

What is the Delaware Personal Data Privacy Act (DPDPA)?

The DPDPA is legislation passed by the Delaware Assembly aimed at protecting consumer data privacy rights, including the right to know what information is collected, correct inaccuracies, and request deletion of personal data.

How does the DPDPA compare to other state privacy laws?

The DPDPA shares similarities with the Connecticut Data Privacy Act (CTDPA) but includes some modifications tailored to Delaware’s population size and specific data privacy concerns.

Who is affected by the DPDPA?

Businesses operating in Delaware are subject to the DPDPA if they collect data from at least 35,000 consumers, or from at least 10,000 consumers while deriving more than 20 percent of their gross revenue from the sale of personal data.

What is considered sensitive data under the DPDPA?

Sensitive data includes genetic or biometric information, as well as specific personal characteristics like transgender or nonbinary status, as defined by the DPDPA.

Are nonprofit organizations exempt from the DPDPA?

Most nonprofit organizations are not exempt, except those exclusively dedicated to preventing insurance crime or providing services to victims of certain crimes, as outlined in the DPDPA.

What are the consumer rights under the DPDPA?

Consumers have rights to opt-out of data processing, access lists of third parties with whom their data is shared, and have their data deleted upon request, among other provisions.

How does the DPDPA protect children’s privacy?

The DPDPA prohibits the processing of data for targeted advertising or sale without consent for consumers aged 13 to under 18, increasing protections for minors.

What are the requirements for processor contracts under the DPDPA?

Processor contracts must include confidentiality agreements, provisions for data deletion or return, assistance with data protection assessments, and compliance with privacy regulations.

When does the DPDPA go into effect and who enforces it?

The DPDPA is enforced by the Attorney General’s Office of Delaware and includes a sixty-day right to cure provision. It is set to take effect on January 1, 2025.

How does the DPDPA impact businesses’ privacy compliance efforts?

The DPDPA increases the complexity of privacy compliance, requiring businesses to navigate its provisions alongside existing laws like the Delaware Online Privacy and Protection Act, prioritizing comprehensive compliance measures.