On September 11, 2023, Delaware's Governor, John Carney, signed House Bill 154, enacting the Delaware Personal Data Privacy Act (the "DPDPA"). Delaware is the twelfth state to enact a state comprehensive privacy law, and the DPDPA is the seventh of such laws to be enacted since the end of March 2023. The DPDPA will take effect on January 1, 2025, and has many similarities to the other state comprehensive privacy laws. Of note, like the Oregon Consumer Data Privacy Act and the Colorado Privacy Act, the DPDPA applies to non-profit organizations and institutions of higher education.
The DPDPA applies to persons or entities conducting business in Delaware or producing products or services that are targeted to residents of Delaware and that, during the preceding calendar year, either:
- controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- controlled or processed the personal data of not less than 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data.
Notably, the DPDPA does not apply to governmental entities (other than institutions of higher education), financial institutions governed by the Gramm-Leach-Bliley Act, or non-profit organizations dedicated exclusively to preventing and addressing insurance crime, among other entities. Other non-profit organizations are not exempt from the DPDPA, although the DPDPA exempts personal data of a victim of or witness to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking that is collected, processed, or maintained by a nonprofit organization that provides services to such victims or witnesses.
Additionally, while the DPDPA does not exempt HIPAA covered entities or business associates or institutions of higher education, it exempts certain types of information typically held by such entities, including protected health information under HIPAA and certain other patient-identifying information; information provided by or to a HIPAA covered entity for public, community, or population health activities and purposes authorized by HIPAA; and personal data regulated by the Family Educational Rights and Privacy Act. The DPDPA also exempts data processed or maintained in the course of employment.
Like the vast majority of the state comprehensive privacy laws, the DPDPA narrowly defines "consumer" to mean an individual who is a Delaware resident acting in any capacity other than in a commercial or employment context. As a result, employee personal data and business contact personal data fall outside the scope of the DPDPA.
With respect to such consumers, the DPDPA regulates their "personal data," in addition to a special category of personal data known as "sensitive data," which it defines as (i) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, citizenship status, or immigration status; (ii) genetic or biometric data; (iii) personal data of a known child (i.e., an individual under thirteen); or (iv) precise geolocation data.
Under the DPDPA, the "sale of personal data" means the exchange of personal data for monetary consideration or other valuable consideration by the controller to a third party, which aligns with the definitions in the state comprehensive privacy laws in California, Connecticut, Colorado, Montana, Florida, Texas, and Oregon. The DPDPA also provides broad exceptions to the definition of "sale" that are similar to exceptions in other state comprehensive privacy laws and should cover many ordinary business activities, such as disclosure of personal data to a processor who processes the personal data on behalf of a controller or to a third party or affiliate for the purpose of providing a product or service requested by a consumer.
In general, the compliance obligations found in the DPDPA are substantially similar to those found in the other state comprehensive privacy laws, including the requirement for controllers to provide a compliant privacy notice to consumers and to enter into contracts with processors that process personal data on their behalf. Further, like the privacy laws in Colorado, Connecticut, Florida, Indiana, Montana, Tennessee, Texas, Virginia, and Oregon, the DPDPA requires controllers to conduct and document, on a regular basis, data protection assessments of any processing activities that involve personal data used in targeting advertising, the sale of personal data, the processing of sensitive data, or, in certain instances, profiling. However, the DPDPA is unique in that the obligation to conduct these assessments only applies to controllers that process the data of at least 100,000 consumers.
Consumer Rights and Requests
The DPDPA also aligns with the other state comprehensive privacy laws in that it grants consumers rights regarding their personal data. Specifically, the DPDPA grants consumers the right to make requests to (1) confirm whether a controller is processing the consumer's personal data and access such personal data; (2) correct inaccuracies in their personal data; (3) delete their personal data; (4) obtain a copy of their personal data; (5) obtain a list of the categories of third parties to which the controller has disclosed the consumer's personal data; and (6) opt out of the processing of their personal data for targeted advertising, the sale of personal data, or certain types of profiling.
Under the DPDPA, when a consumer requests to exercise these rights, a controller has 45 days to respond, which may be extended once by an additional 45 days when reasonably necessary considering the complexity and number of the consumer's requests. Additionally, the DPDPA requires a controller to provide consumers with an appeals process if it denies a consumer's request, and a controller has 60 days to respond to an appeal. The state comprehensive privacy laws in California and Utah do not contain a right to appeal.
Similar to other state comprehensive privacy laws, the DPDPA does not permit private rights of action. Rather, the Delaware Department of Justice has exclusive enforcement authority, and it can seek civil penalties of up to $10,000 for each "willful" violation of the law, meaning the violating controller or processor knew or should have known it was violating the law.
If the Delaware Department of Justice determines a violation is curable, then, before the Delaware Department of Justice can bring an enforcement action, the violating controller or processor will receive a 60-day period to cure such violation. However, this right to cure sunsets on December 31, 2025, after which it is within the Delaware Department of Justice's discretion to offer the right to cure. Beginning on January 1, 2026, the Delaware Department of Justice may, in determining whether to grant an opportunity to cure an alleged violation, consider the following: (1) the number of violations; (2) the size and complexity of the controller or processor; (3) the nature and extent of the controller's or processor's processing activities; (4) the substantial likelihood of injury to the public; (5) the safety of persons or property; (6) whether such alleged violation was likely caused by human or technical error; and (7) the extent to which the controller or processor has violated this or similar laws in the past.
The passage of state comprehensive privacy laws continues apace. While these laws contain many similarities, they are not uniform. In particular, the DPDPA furthers the recent trend of pulling non-profit organizations into the scope of the law. Maintaining compliance efforts with the state comprehensive privacy laws will be important for all covered businesses, but especially for businesses, whether for-profit or non-profit, that have not been subject to such laws in the past.
Special thanks to Nate W. Gatter for his contributions to this article.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.