Deep Dive: The Delaware Personal Data Privacy Act (DPDPA)
Privacy & Compliance | October 25, 2023
On September 11th, 2023, Delaware Governor John Carney signed the Delaware Personal Data Privacy Act (DPDPA) into law, making Delaware the 12th state to pass a comprehensive consumer data privacy law and the seventh to do so in 2023.
The DPDPA largely mirrors the slate of VCDPA-inspired laws passed in 2023. It shares their key definitions, business obligations, and core consumer rights, such as requiring consent for processing sensitive personal data and offering opt-out options for data sales, targeted advertising, and significant profiling decisions. The law will go into effect on January 1st, 2025.
In this blog, we’ll cover the scope of the Delaware Personal Data Privacy Act (DPDPA), the rights it grants to Delaware citizens, regulatory requirements for businesses, and how the law will be enforced.
For a more in-depth breakdown of state-level privacy laws, check out our new Comprehensive Guide to US Privacy Law for 2023, a free 46-page eBook that gives a comparison chart of all state-level privacy laws, as well as an in-depth breakdown of each law, the consumer rights and business requirements of each law, and best practices for compliance with the patchwork of US privacy laws.
Who does the Delaware Personal Data Privacy Act Apply to?
The Delaware Personal Data Privacy Act applies to any organization that meets the following location and data subject criteria:
- The organization conducts business in Delaware or offers products or services targeted at Delaware residents (i.e., Delaware residents are among the intended audience, but not necessarily the sole or primary market).
- The organization controlled or processed the data of at least 35,000 Delaware residents during the preceding calendar year — excluding data collected solely for payment transactions.
- The number of data subjects drops to 10,000 if the organization derives more than 20% of its gross revenue from selling personal data.
However, the DPDPA has several exemptions, and does not apply to the following categories:
- Any regulatory, administrative, advisory, executive, legislative, or similar body of Delaware.
- Any financial institution subject to Title V of the Gramm-Leach-Bliley Act (GLBA).
- Any non-profit organization dedicated exclusively to preventing and addressing insurance crime.
The law also does not apply to protected health information already covered under the Health Insurance Portability and Accountability Act (HIPAA).
What Rights does the Delaware Personal Data Privacy Act provide for Delaware citizens?
Delaware’s privacy law grants citizens of the state several new rights, primarily based on the rights put forth by VCDPA, which in turn based its consumer rights on the EU’s General Data Protection Regulation (GDPR). Below, we examine several rights common among US data privacy laws, whether Delaware’s law provides them, and the specific requirements for each right.
Right to Access
The Delaware Personal Data Privacy Act grants Delaware consumers the right to confirm whether a data controller is processing their personal data and to access the data, unless accessing that data would reveal a trade secret.
Right to Correction
Delaware consumers can request a controller to correct inaccurate personal data.
Right to Deletion
Delaware consumers may require a controller to delete personal data about the consumer, including personal data the consumer provided to the controller, personal data the controller obtained from another source, and derived data.
Right to Data Portability
When consumers exercise their right of access, they can request the data in a portable and readily usable format — to the extent that is technically feasible.
A data controller must provide an active email address or other online mechanisms for consumers to exercise their rights. It must respond to data subject access requests (DSARs) regarding the rights to access, correction, deletion, and data portability within 45 days.
Right to Opt-Out of Data Processing
A consumer has the right to opt out of personal data processing for targeted advertising, the sale of personal data, or profiling for automated decision-making.
A controller must clearly and conspicuously disclose whether it sells consumers’ personal data or uses it for targeted advertising. It must also include an opt-out link on its website. All data controllers must accept opt-out preference signals by January 1st, 2026.
Right to Opt-Out of Automated Decision Making
A consumer can opt out of personal data processing for profiling to support automated decisions that may result in legal or similar significant effects.
What are the Regulatory Requirements for Businesses?
Privacy Notice Requirements
Consent Management Requirements
As demonstrated by the ‘right to opt-out,’ Delaware’s law follows the opt-out consent model common to US laws. However, the law follows an opt-in consent model where sensitive personal information is concerned.
Controllers can only process consumers’ sensitive data after obtaining explicit consent. Sensitive data includes genetic or biometric data that can be used to identify an individual, precise geolocation data, personal information revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life, sexual orientation, national origin, and citizenship or immigration status.
Data Security Requirements
Data controllers must implement and maintain reasonable administrative, technical, and physical data security measures to protect the confidentiality, integrity, and accessibility of consumers’ personal data. A processor must assist the controller in meeting its obligations regarding secure data processing, which must be governed by a contract between the parties to outline relevant consumer privacy provisions.
Data Protection Assessment Requirements
Controllers that process the data of over 100,000 consumers (excluding data used solely for payment transactions) must regularly conduct and document data protection assessments of data processing activities that may present heightened risks to consumers (e.g., targeted advertising, the sale of personal data, or profiling that may lead to unfair or deceptive treatment).
Data Collection and Purpose Limitation Requirements
Data controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes for which the data is processed, as disclosed to the consumer.
How will the law be enforced?
The Delaware Department of Justice will enforce the Delaware Personal Data Privacy Act by issuing cease and desist orders, pursuing administrative remedies, and initiating judicial actions. The court may order violators to pay a civil penalty of up to $10,000 per willful violation.
Until December 31st, 2025, the Delaware Department of Justice must issue a notice of violation and allow a 60-day cure period. Starting January 1st, 2026, it may choose (but is not required) to provide an opportunity for a controller to cure the violation.
The Delaware Department of Justice has exclusive authority to enforce the law, and there is no private right of action.
Get Compliant with CHEQ Privacy
State privacy laws like this one are pressing new responsibilities—and penalties—on businesses and marketers. CHEQ Privacy offers organizations a solution to help build a fully compliant website and simplify compliance with Delaware’s law, as well as the UCPA, CTCDPA, VCDPA, CCPA, CPA, GDPR, and any future privacy laws.
Request a demo to see how CHEQ can help your organization meet its compliance and consent management needs.