Delaware Joins the Ranks: The Delaware Personal Data Privacy Act (DPDPA)

Delaware has taken a significant step in the realm of consumer data protection by enacting the Delaware Personal Data Privacy Act (DPDPA). This landmark legislation, signed into law on September 11, 2023, positions Delaware as the 13th state in the United States to implement a comprehensive consumer data privacy law.

The journey to enacting the Delaware Personal Data Privacy Act was marked by collaboration and determination. Rep. Krista Griffith’s two-year campaign culminated in Governor John Carney’s signature, empowering Delawareans with greater control over their personal data.

Delaware now stands alongside other trailblazing states, such as California, Virginia, Colorado, and Texas, in its commitment to safeguarding consumer data. The DPDPA, effective from January 1, 2025, carries substantial implications for businesses operating within the state and those targeting Delaware residents.

Thresholds

One notable aspect of the DPDPA is its application thresholds. It applies to entities conducting business in Delaware or producing products or services for Delaware residents if, in the preceding calendar year, they either:

  • Controlled or processed personal data of at least 35,000 Delaware residents (excluding data for payment transactions); or
  • Controlled or processed personal data of at least 10,000 Delaware residents and derived more than 20 percent of their gross revenue from the sale of personal data.

Notably, Delaware’s 35,000-consumer threshold is the lowest among states with comprehensive data privacy laws, reflecting its consideration for the state’s smaller population.

Scope of Applicability

The DPDPA, Delaware’s comprehensive consumer data privacy law, stands out in several significant respects. Unlike many other state privacy laws, it takes a broad approach when it comes to nonprofit organizations, subjecting them to its provisions with only limited exemptions for specific cases, such as those related to insurance crime prevention and services for victims and witnesses of particular crimes.

Another notable feature of the DPDPA is its treatment of entities governed by the Health Insurance Portability and Accountability Act (HIPAA). Unlike some states that provide a broad exemption for these entities, Delaware opts for a more nuanced approach, offering limited exemptions specifically related to certain categories of health data.

Additionally, the DPDPA extends broad exemptions to financial institutions and to personal data regulated by the Gramm–Leach–Bliley Act (GLBA). As a result, financial organizations subject to the GLBA may be exempt from some of the DPDPA’s requirements.

Furthermore, the DPDPA distinguishes individuals who operate within a commercial or employment context, explicitly excluding them from the definition of “consumer” within the law. This distinction has implications for the application of the DPDPA’s provisions to those individuals.

Overall, the DPDPA’s approach in these areas sets it apart from many other state privacy laws, shaping its impact on nonprofit organizations, entities subject to HIPAA, financial institutions, and individuals acting in a commercial or employment context.

Key Provisions

The DPDPA includes several noteworthy provisions that set it apart from other state privacy laws:

  • Sensitive Data: The DPDPA provides a precise definition for “sensitive data,” encompassing various categories of information that can unveil sensitive aspects of an individual’s identity or personal life. This includes details such as racial or ethnic origin, religious beliefs, mental or physical health conditions or diagnoses (including pregnancy), information related to one’s sex life or sexual orientation, status as transgender or nonbinary, citizenship or immigration status, genetic or biometric data, data concerning children, and precise geolocation data.
  • Children’s Data Restrictions: The DPDPA places restrictions on processing personal data of children aged 13 to 18, prohibiting targeted advertising and the sale of their data without consent.
  • Additional Requirements for Liability Shield: The DPDPA introduces unique provisions regarding the liability shield. Under these provisions, a controller or processor is absolved of responsibility for a violation of the DPDPA committed by its processor, sub-processor, or a third party, provided that two conditions are met. First, at the time of disclosing the data, the controller or processor must not have actual knowledge that the recipient has violated, or intends to violate, the DPDPA. Second, the controller or processor must have been in compliance with its own obligations as the discloser at the time of disclosure and must remain in compliance.

It is important to note that this second condition, or “prong,” is a distinctive aspect of the DPDPA not found in other state privacy laws. Those laws typically focus solely on the conduct of the receiving entity, whereas the DPDPA also requires the disclosing controller or processor to be in compliance before it can rely on the shield.

  • Valid Consent: Obtaining explicit and valid consent from consumers is a pivotal requirement for businesses striving to adhere to the DPDPA. Valid consent is clearly defined as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer.” For consent to be deemed valid, it must be expressed through a straightforward and unambiguous affirmative action.
  • Consumer Rights: The DPDPA grants Delaware residents several consumer rights in line with other state privacy laws, including:
    • Confirmation of whether the controller is processing their personal data.
    • Access to their personal data.
    • Correction of inaccuracies in their personal data.
    • Deletion of their personal data.
    • Obtaining a copy of their personal data in a portable format.
    • Opting out of targeted advertising, the sale of personal data, and profiling (universal opt-out signals such as Global Privacy Control (GPC) must also be honored).
    • Obtaining a list of the specific categories of third parties to which their personal data has been disclosed; this right is unique to Delaware and is not found in most other state privacy laws.
  • Information Security: Like other state privacy laws, the DPDPA requires businesses to maintain reasonable data security practices appropriate to the volume and nature of the personal data processed. The law does not enumerate specific safeguards; the standard is one of reasonableness rather than a prescribed checklist of controls.
  • Privacy Notices: Privacy notices play a crucial role under the DPDPA. Businesses must provide clear and meaningful privacy notices to consumers, disclosing key information, including categories of personal data processed, purposes of processing, rights, data sharing with third parties, and contact details.
  • Processor Contracts: The DPDPA establishes requirements for contracts between controllers and processors, emphasizing confidentiality, data deletion or return, compliance demonstration, cooperation in data protection assessments, and the use of compliant subcontractors.
  • Data Protection Assessments: The DPDPA imposes specific data protection assessment obligations on businesses that control or handle the personal data of more than 100,000 consumers. These companies are obligated to create a comprehensive record of data protection assessments for each processing activity that exhibits an elevated risk of harm. These activities encompass the processing of personal data for targeted advertising, the sale of personal data, the processing of personal data for profiling, and the handling of sensitive data.

Within the framework of a data protection assessment, businesses must actively identify and evaluate the advantages of a given processing activity in relation to the potential harm it may pose to the consumer. It is noteworthy that the DPDPA permits a unified data protection assessment for comparable sets of processing operations. Moreover, assessments conducted in accordance with similar privacy laws can be considered valid under the DPDPA in the state of Delaware.

  • Enforcement: The Delaware Department of Justice enforces the DPDPA. A violation of the DPDPA is a per se violation of Delaware’s Consumer Fraud Act, carrying a maximum fine of $10,000 per violation. Controllers and processors found to have violated the law are given a 60-day cure period, but this provision expires on December 31, 2025; from January 1, 2026, granting a cure period will be at the discretion of the Department of Justice. Notably, the law does not provide a private right of action.

Conclusion

Delaware’s enactment of the DPDPA adds a new layer of complexity to privacy compliance for businesses. While many aspects align with existing privacy programs, the introduction of another privacy law heightens enforcement risk. As a result, businesses, whether in Delaware or elsewhere, must prioritize robust privacy compliance measures.

Several states have already enacted privacy laws scheduled to take effect in the coming years. Delaware’s law becomes effective on January 1, 2025, joining other states with implementation dates in 2024 to 2026. These developments underscore the growing importance of privacy compliance on a state level.
