Blog
Data, Privacy + Cybersecurity Insights
January 11, 2024

Delaware Personal Data Privacy Act: What Businesses Need to Know

On September 11, 2023, Delaware Governor John Carney signed House Bill No. 154, referred to as the Delaware Personal Data Privacy Act (DPDPA), into law. With the passage of the DPDPA, Delaware became the thirteenth state to adopt a comprehensive consumer data privacy law, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Florida, Texas, and Oregon. The DPDPA becomes effective on January 1, 2025.

Similar to other state privacy laws, the DPDPA provides the state’s residents with comprehensive privacy protections and grants them new rights regarding their personal data. At the same time, the DPDPA introduces distinctive elements that set it apart from other state privacy laws. These include applicability to most nonprofit organizations (similar only to Colorado’s and Oregon’s privacy laws) and institutions of higher education, and an expanded definition of sensitive personal data. These specific attributes of the Delaware law add another layer of complexity to the already intricate mosaic of U.S. state privacy laws, posing new challenges for companies in adapting their compliance strategies.

In this context, we provide an overview of the key components of the DPDPA.

Who Is Covered by the DPDPA?

Scope and Applicability

Like other state privacy laws, the DPDPA is applicable only to entities that meet certain geographic and processing requirements. Specifically, the DPDPA applies to persons who either (a) conduct business in Delaware; or (b) produce products or services that are targeted to the residents of Delaware and who, during the preceding calendar year, either (i) controlled or processed the personal data of not less than 35,000 consumers, or (ii) controlled or processed the personal data of not less than 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data. Of note, the 35,000-consumer threshold is the lowest of all the state privacy laws, which is likely correlated to Delaware’s small population size.

Like certain other state privacy laws (such as Connecticut), the DPDPA (1) exempts from its applicability threshold personal data used solely for the purpose of completing a payment transaction (i.e., such data will not count towards the 35,000-consumer threshold); and (2) does not consider an entity’s annual revenue in determining the Act’s applicability.

Exemptions

Like other state privacy laws, the DPDPA does not apply to government entities or financial institutions and information subject to the Gramm-Leach-Bliley Act. Moreover, the DPDPA does not apply to information pertaining to individuals acting in a commercial or employment context or information regulated by the federal Fair Credit Reporting Act, among other exemptions.

Notably, unlike other state laws, the DPDPA does not contain an entity-level exemption for HIPAA “covered entities” or “business associates”; rather, the DPDPA provides a narrow data-level exemption for protected health information subject to HIPAA.

One other unique aspect of the DPDPA is its applicability to public higher education institutions and to nonprofits (with narrow exceptions for nonprofit organizations dedicated exclusively to preventing and addressing insurance crime, and for personal data collected by nonprofits related to victims or witnesses of certain crimes, including domestic violence and stalking). Currently, the only other state privacy laws that apply broadly to nonprofits are Colorado’s and Oregon’s.

What Data Is Covered by the DPDPA?

Consistent with other state privacy laws, the DPDPA defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable individual.” Personal data does not include de-identified data or publicly available information.

Further, the DPDPA provides enhanced obligations in relation to “sensitive data,” which includes any of the following: genetic or biometric data; personal data of a known child who is under thirteen; precise geolocation data; and data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary (a category that other state privacy laws except Oregon do not typically expressly classify as sensitive), citizenship status, or immigration status. This broad definition signifies an evolving trend in state privacy laws towards more inclusive definitions of sensitive data. Also of note, the DPDPA includes a defined term for “Genetic Data,” which is not present in any other state privacy laws.

Key Obligations of Controllers

Controllers (those that, alone or jointly with others, determine the purpose and means of processing personal data) are required to adhere to several key obligations. Specifically, controllers must:

  • Restrict the collection of personal data to what is adequate, relevant and reasonably necessary for the purposes for which it is processed, as disclosed to the consumer.
  • Not process personal data for purposes that are not reasonably necessary or compatible with the purposes disclosed to consumers, unless the controller obtains consent from the consumer.
  • Establish and maintain reasonable administrative, technical, and physical data security practices, safeguarding the confidentiality, integrity, and accessibility of personal data.
  • Obtain consumer consent for processing of sensitive data. For processing sensitive data of a known child, consent must be obtained from the child’s parent or guardian.
  • Clearly and conspicuously disclose if the controller sells consumers’ personal data to third parties or processes personal data for targeted advertising and provide consumers an opportunity to opt out via a link on the controller’s website.
  • Provide an effective mechanism for consumers to revoke their consent, which should be as easy to use as the mechanism for giving consent. Upon revocation, controllers must cease data processing as soon as practicable.
  • Not discriminate against consumers for exercising any of their rights under the DPDPA, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer.

Moreover, controllers are required to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes all of the following:

  • The categories of personal data processed;
  • The purpose for processing the personal data;
  • Information on how consumers can exercise their rights, including the process for appealing a controller’s decision with regard to the consumer’s request;
  • The categories of personal data shared with third parties, as well as the categories of third parties receiving this data;
  • An active email address or another online mechanism through which consumers can contact the controller.

Processor Obligations

The DPDPA also imposes certain requirements on processors (that is, entities that process personal data on behalf of a controller). Processors must follow the instructions of the controller and assist the controller in fulfilling its obligations under the law. This includes helping respond to consumer rights requests and assisting with data security, data breach notifications, and data protection assessments.

Like certain other state privacy laws, the DPDPA requires controllers to enter into contracts with processors that set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties, among other provisions. The contract must also require that the processor:

  • Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.
  • At the controller’s direction, delete or return all personal data to the controller at the end of the provision of services, unless retention of the personal data is required by law.
  • Upon request, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the DPDPA obligations.
  • After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data.
  • Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor regarding the processor’s compliance with relevant DPDPA obligations.

What Rights Do Consumers Have under the DPDPA?

Under the DPDPA, a consumer is granted a series of rights that mostly parallel existing state privacy laws, such as the right to confirm whether a controller is processing personal data and access such personal data; correct inaccuracies in the consumer’s personal data; and delete personal data provided by or obtained about the consumer.

In addition, the DPDPA grants consumers the right to opt out of the processing of their personal data for targeted advertising, the sale of personal data, and profiling in furtherance of solely automated decisions that create legal or similarly significant effects about the consumer.

Like California, Colorado, and many of the other state privacy laws that have recently passed, the DPDPA requires controllers that sell a consumer’s personal information or use it for targeted advertising purposes to allow a consumer to opt out of such processing through an opt-out preference signal beginning January 1, 2026.

Dark Patterns

The DPDPA provides that an agreement obtained through the use of “dark patterns” does not constitute valid consumer consent. “Dark patterns” include “a user interface designed or manipulated with the substantial effect of subverting or impairing a consumer’s autonomy, decision-making, or choice,” as well as any other practice that the Federal Trade Commission refers to as a dark pattern.

Children’s Data

Under the DPDPA, personal data of consumers whom controllers know to be under thirteen years old is classified as “sensitive data.” Processing this data for any purpose is prohibited without a parent or guardian’s consent. Companies that meet the Children’s Online Privacy Protection Rule (COPPA) standards for verifiable parental consent are also considered compliant with the DPDPA’s parental consent requirements.

The DPDPA prohibits the processing of personal data of consumers who are between thirteen and seventeen years old for targeted advertising or the sale of their data without the consumer’s consent. This rule applies if the controller has actual knowledge or willfully disregards that the consumer is in this age group. While a similar prohibition is found in Connecticut’s, California’s, and Montana’s privacy laws, Delaware’s law uniquely extends the prohibition to sixteen- and seventeen-year-olds, broadening the scope beyond the typical age limit of sixteen set by the other states.

Data Protection Assessments

The DPDPA mandates that controllers handling personal data of not less than 100,000 consumers (excluding data controlled or processed solely for the purpose of completing a payment transaction) must conduct and document, on a regular basis, a data protection assessment for each processing activity that poses a heightened risk of harm to a consumer. This includes, but is not limited to, activities like targeted advertising, selling personal data, profiling that may lead to foreseeable consumer risks, and handling sensitive data. Controllers are required to assess a number of factors impacting risks associated with data processing, including the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the relevant consumers.

The attorney general may require that a controller disclose any data protection assessment that is relevant to an investigation conducted by the attorney general, and the controller shall make the data protection assessment available to the attorney general.

Enforcement

Similar to several other state privacy laws, the DPDPA does not contain a private right of action, and violations of the DPDPA can only be enforced by the Department of Justice. The DPDPA currently includes a sixty-day cure period for violations, which will expire on December 1, 2025. Beginning on January 1, 2026, the Department of Justice will have the discretion whether to provide the opportunity to cure an alleged violation.

In Summary

In summary, while the DPDPA introduces certain unique requirements, it shares a strong kinship with the other recently enacted state privacy laws. For businesses that are already navigating the compliance landscape of the other states, adapting to the DPDPA should be a relatively smooth transition, albeit with some specific modifications.

This article has been published in the PLI Chronicle: Insights and Perspectives for the Legal Community, https://plus.pli.edu.
