Delaware's New Personal Data Privacy Act

The Delaware Personal Data Privacy Act (DPDPA or Act) became law on September 11, 2023, making Delaware the 13th state to enact a comprehensive consumer data privacy law, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Florida, Texas, and Oregon. The DPDPA will become effective on January 1, 2025. We highlight key aspects of the DPDPA below.

Application Thresholds

The DPDPA applies to persons who conduct business in Delaware or produce products or services targeted to Delaware residents and who, during the preceding calendar year, either: (1) controlled or processed the personal data of at least 35,000 Delaware residents (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or (2) controlled or processed the personal data at least 10,000 Delaware residents and derived more than 20 percent of their gross revenue from the sale of personal data.

• The 35,000-consumer threshold is the lowest among states with enacted consumer data privacy laws (Montana comes in second with a 50,000-consumer threshold), likely to account for Delaware's smaller population.

Notable Provisions

1. Applicability to Nonprofits: Following the privacy laws in Colorado and Oregon, the DPDPA broadly applies to nonprofit organizations and the data they collect. Other state privacy laws exempt nonprofits. The DPDPA contains limited exemptions for: (1) nonprofit organizations "dedicated exclusively to preventing and addressing insurance crime," and (2) the personal data of victims and witnesses of sexual and violent crimes "that is collected, processed, or maintained" by nonprofit organizations that provide services to those populations.
2. No HIPAA Entity-Level Exemption: Delaware does not provide an exemption for covered entities and business associates subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Rather, the DPDPA contains several more limited exemptions for specific types of health data, including protected health information (PHI) covered by HIPAA.
3. Broad GLBA Exemptions: The DPDPA exempts both financial institutions and personal data subject to the Gramm–Leach–Bliley Act (GLBA).
4. B2B and Employment Exemption. The DPDPA defines "consumer" to "not include an individual acting in a commercial or employment context…."
5. Universal Opt-Out Mechanisms: Delaware requires controllers to recognize universal opt-out mechanisms beginning January 1, 2026.
6. Definitions of Profiling, Sensitive Data, and Genetic Data: Like other state privacy laws, the DPDPA provides consumers with the ability to opt out of "profiling" (among other things).[1] However, in a first among such laws, the DPDPA includes "demographic characteristics" in the list of features about an individual that may be derived from profiling. As a result, the DPDPA broadens the concept of profiling—and therefore provides consumers a broader right to opt out of profiling activities. Additionally, the Delaware law includes "status as transgender or nonbinary" in its definition of "sensitive data" and, for the first time in a state privacy law, provides a specific definition of "genetic data"[2] as a category of sensitive data.
7. Right to Obtain List of Categories of Third Parties: The DPDPA departs from other state privacy laws in allowing consumers to obtain a list of the categories of third parties to which the controller has disclosed that particular consumer's personal data. Other state privacy laws require controllers to list the categories of third parties to which they disclose consumers' personal information generally. This may be challenging, as businesses regularly shift relationships, and accurately tracking and keeping up to date with all of the disclosure relationships for each consumer may require significant resources.
8. Children's Data – Restrictions on Sales and Targeted Advertising: If a controller has actual knowledge, or willfully disregards, that the consumer is at least 13 years old but younger than 18 years old, the controller must not "process the personal data . . . for purposes of targeted advertising, or sell the consumer's personal data without the consumer's consent."
9. 60-Day Cure Period with Sunset Provision: The DPDPA provides controllers and processors 60 days to cure violations following receipt of notice of the violations from the Delaware Department of Justice (the state's office of the attorney general) "if the Department of Justice determines that a cure is possible." However, that cure provision sunsets on December 31, 2025. After that date, the Delaware Department of Justice may, at its discretion, provide controllers and processors an opportunity to cure violations when considering the scope and nature of the violations at issue.
10. Additional Requirements for Liability Shield: A controller or processor will not be responsible for its processor's (or subprocessor's) or a third party's violation of the DPDPA if (i) at the time of disclosure the controller or processor did not have actual knowledge that the recipient had violated – or would violate – the Act, and (ii) the controller or processor was, and remained, in compliance with its obligations as the discloser. This second prong does not exist in other state privacy laws, which focus only on the compliance of the receiving entity.

Consumer Rights

The DPDPA provides Delaware residents the rights to the following, which mostly are typical across US state privacy laws:

• Confirm whether a controller is processing their personal data and access to their personal data;
• Correct inaccuracies in the consumer's personal data;
• Delete personal data provided by, or obtained about, the consumer;
• Obtain a copy of their personal data processed by the controller in a format that allows the consumer to transmit that data to another controller;
• Opt out of the processing of the personal data for the following purposes:
  • Targeted advertising;
  • The sale[3] of personal data; and
  • Profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

The DPDPA also permits consumers to obtain a list of the categories of third parties to which the controller disclosed the specific consumer's personal data. Only Oregon's data privacy law contains a similar right. Other state privacy laws permit consumers only to obtain the categories of third parties to which the controller discloses personal data generally (not specific to the requesting consumer).

Children's Data

If a controller has actual knowledge, or willfully disregards, that the consumer is at least 13 years old but younger than 18 years old, it must not "process the personal data . . . for purposes of targeted advertising, or sell the consumer's personal data without the consumer's consent." Data of consumers whom companies know to be under 13 years old is a category of "sensitive data" and cannot be processed for any purpose without the consent of a parent or guardian. Companies that comply with the consent requirements of the Children's Online Privacy Protection Act (COPPA) are deemed to comply with the DPDPA's parental consent requirements.

Information Security

Like other state privacy laws, the DPDPA requires companies to maintain "reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue." The law does not enumerate any specific required security safeguards (such as encryption or multifactor authentication).

Exemptions

The DPDPA exempts a variety of entities and types of data, including:

• Any financial institution or affiliate of a financial institution subject to Title V of the GLBA.
• A national securities association registered pursuant to § 15A of the Securities Exchange Act of 1934.
• Registered futures association so designated pursuant to § 17 of the Commodity Exchange Act.

• PHI as defined under HIPAA.
• Patient-identifying information for purposes of 42 U.S.C. § 290dd-2.
• Personal data collected, processed, sold, or disclosed in compliance with the Fair Credit Reporting Act (FCRA), Driver's Privacy Protection Act, the Farm Credit Act, and the Airline Deregulation Act.
• Personal data regulated by the Federal Education Rights and Privacy Act (FERPA).

• Information relating to individual job applicants, agents, independent contractors, and employees of a controller, processor, or third party "to the extent that the data is collected and used within the context of [their] role," including emergency contact and benefits information. Separately, the DPDPA excludes "individual[s] acting in a commercial or employment context" from the definition of "consumer," thereby exempting all data processed from individuals acting in these capacities.

While these exemptions are largely similar to those in other state privacy laws, the DPDPA notably has no broad exemption for HIPAA-covered entities and business associates. Rather, the DPDPA contains several more limited exemptions for specific types of health data, including HIPAA-covered PHI. At least some of the data held by HIPAA-covered entities and business associates is not PHI (for example, data of employees and certain marketing-related data), so those entities will have to conduct detailed assessments of their compliance obligations under the DPDPA based on the nature and status of the personal data they process.

Privacy Notices

Like the other comprehensive state privacy laws, the DPDPA requires controllers to provide consumers with a "reasonably accessible, clear, and meaningful" privacy notice that discloses the categories of personal data processed, the purpose for such processing, how consumers may exercise their rights (e.g., the right to delete), the categories of personal data shared with third parties, the categories of third parties with whom the data is shared, and an active email address or other online means by which consumers may contact the controller. Controllers may not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which the personal data is processed, unless the controllers obtain consumer consent.

Processor Contracts

The DPDPA requires that controllers (persons who "determine[] the purpose and means of processing personal data") and processors (persons who "process personal data on behalf of a controller") enter into contracts requiring processors to:

• Impose a duty of confidentiality on all individuals processing personal data;
• Delete or return personal data at termination of the agreement;
• Demonstrate compliance with the DPDPA upon request;
• Cooperate with the controller's data protection assessments; and
• Use subcontractors that are subject to the same privacy requirements as processors, and permit controllers to object to the use of those subcontractors.

Data Protection Assessments

The DPDPA requires a controller "that controls or processes the data of not less than 100,000 consumers, excluding data controlled or processed solely for the purpose of completing a payment transaction" to complete data protection assessments (called "data protection impact assessments" in some other state privacy laws) "on a regular basis" for the following five processing activities:

• Processing personal data for targeted advertising;
• The sale of personal data;
• The processing of personal data for the purposes of profiling if certain risk factors are met;
• Processing sensitive data; and
• Any processing activities that present a "heightened risk of harm."

Under the DPDPA, a single data protection assessment may address a comparable set of processing operations that include similar activities. In addition, if a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment shall be deemed to satisfy the requirements of Delaware's privacy law, if the data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to Delaware law.

The DPDPA's data protection assessment requirements apply to processing activities "created or generated on or after" six months after the law's effective date (i.e., July 1, 2025) and are not retroactive.

Enforcement

Violations of the DPDPA may be enforced solely by the Delaware Department of Justice (the state's office of attorney general). A violation of the DPDPA is a per se violation of Delaware's Consumer Fraud Act. The DPDPA does not authorize any rulemaking.

No Private Right of Action

The DPDPA states that no provision in the law "shall be construed as providing the basis for, or be subject to, a private right of action for violations of [the DPDPA] or any other law."

Looking Ahead

DPDPA's arrival adds yet another layer of privacy compliance complexity for U.S. businesses. While businesses should be able to utilize their current privacy compliance programs to account for a number of DPDPA's statutory requirements, another new privacy law invariably increases enforcement risk. As a result, proper privacy compliance should be prioritized for businesses in Delaware and elsewhere.

The state privacy laws enacted so far in 2023 are slated to go into effect as follows:

• July 1, 2024 – Oregon
• July 1, 2024 – Florida
• July 1, 2024 – Texas

• October 1, 2024 – Montana
• January 1, 2025 – Iowa
• January 1, 2025 – Delaware
• July 1, 2025 – Tennessee
• January 1, 2026 – Indiana

DWT's Privacy and Security team regularly counsels clients on how their business practices can comply with state privacy laws. We will continue to monitor the rapid development of other state and new federal privacy laws and regulations.

This post has been republished on NYU's Compliance and Enforcement blog.