All About the Delaware Privacy Law
Its nickname may be the First State, but Delaware is the thirteenth state in the United States to enact a comprehensive state-level data privacy law. The Delaware Personal Data Privacy Act was signed into law in September 2023, joining legislation like the California Consumer Privacy Act, the Texas Data Privacy and Security Act, and the Colorado Privacy Act.
With the act taking effect on January 1, 2025, companies that do business in Delaware need to prepare for compliance this year. What do they need to know? What can consumers expect, and how should organizations change their data processing practices to comply? This post explains.
What is the Delaware privacy law?
The Delaware Personal Data Privacy Act (DPDPA) is a piece of legislation designed to offer Delaware individuals certain privacy rights for their personal data. Signed into law by Governor John Carney in September 2023, the DPDPA also establishes new obligations for data controllers.
Although Delaware has a relatively small population, the DPDPA’s low applicability threshold means it will affect many organizations that do business in the state. To understand the implications of the law for Delaware residents and companies alike, let’s walk through its key requirements.
What rights does the DPDPA grant to Delaware consumers?
First, Delaware’s privacy law offers residents more control over their personal data. Delaware defines personal data as any information that is linked or reasonably linkable to an identified or identifiable individual, excluding de-identified data and public information. Under the DPDPA, consumers have the right to:
- Confirm whether a data controller is processing their personal data.
- Correct inaccuracies in their personal data.
- Delete their personal data.
- Obtain a copy of their personal data in an easily usable format (portability).
- Obtain a list of the categories of third parties to which their personal data has been disclosed.
- Opt out of having their personal data processed for sale, for targeted advertising, or for profiling and certain automated decisions.
Additionally, the DPDPA offers protections around sensitive data, which it defines as genetic or biometric data, precise geolocation data, or a consumer’s personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, status as transgender or nonbinary, national origin, citizenship status, or immigration status. Sensitive data also includes the personal data of a known child, and all types of sensitive data in Delaware have processing restrictions that we’ll cover below.
What obligations does the DPDPA establish for businesses?
Like its counterparts in other states, Delaware’s privacy law requires transparency and care in the handling of personal data. It also requires timely responses: controllers must reply to consumer requests within 45 days. For the purposes of the Delaware law, a data controller is an entity that determines the purpose and means of processing personal data.
Privacy notices. Like most other state privacy acts, Delaware’s law requires controllers to provide privacy notices that are “reasonably accessible, clear, and meaningful.” These notices must disclose the categories of personal data being processed and/or shared with third parties, the purpose of the processing, how consumers may exercise their rights, and an online method for consumers to contact the data controller directly.
Consent for processing sensitive data. The DPDPA forbids data controllers from processing sensitive data without first obtaining the consumer’s consent. If controllers process personal data concerning a known child, which is a category of sensitive data under the Delaware law, they must first obtain consent from the child’s parent or lawful guardian. (Controllers that comply with the verifiable parental consent requirements of the Children’s Online Privacy Protection Act, COPPA, are deemed compliant with this parental consent obligation.)
Universal opt-out mechanisms. Delaware also requires data controllers to recognize and honor universal opt-out mechanisms. These mechanisms must allow consumers to opt out of the processing of their personal data for targeted advertising or sale. A consumer may also act through an “authorized agent,” and that agent may be a technology such as a browser setting, browser extension, or plug-in that signals the consumer’s intent to opt out; controllers will have to treat such a signal as a valid opt-out request.
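The statute describes the signal abstractly, so the following is an added illustration rather than anything from the original post or from Delaware’s rulemaking. It assumes the Global Privacy Control (GPC) convention, in which a browser or extension sends the request header `Sec-GPC: 1` (and exposes `navigator.globalPrivacyControl` to page scripts); whether GPC is the signal Delaware controllers must honor is an assumption here. The code shows the server-side decision a controller needs: merge the browser signal with any opt-outs the consumer recorded through the site’s own privacy page, and gate sale and targeted-advertising processing on the result. Profiling is deliberately left to the stored preference, since the page lists only sale and targeted advertising as purposes the universal signal covers.

```javascript
// Added example, not code from the original post. Assumes the GPC signal
// ("Sec-GPC: 1" request header); which signals a controller must honor is an
// assumption, not something the DPDPA text itself specifies.

// Purposes the universal opt-out signal covers under the page's description.
const SIGNAL_COVERED_PURPOSES = ["sale", "targeted_advertising"];

// Read the GPC header from a request-headers object. Accepts a plain object
// (as constructed below) or anything with an entries() method such as the
// Fetch API Headers class. Header names are case-insensitive.
function hasGpcSignal(headers) {
  const entries =
    typeof headers.entries === "function" ? headers.entries() : Object.entries(headers);
  for (const [name, value] of entries) {
    if (String(name).toLowerCase() === "sec-gpc") {
      // GPC defines "1" as the only meaningful value; anything else is no signal.
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Merge the browser signal with opt-outs the consumer recorded on the site.
// A signal can only add opt-outs, never clear a stored one, so a consumer who
// opted out through the site stays opted out even from a browser without GPC.
// `stored` is a hypothetical record shaped like { sale, targeted_advertising, profiling }.
function resolveOptOuts(headers, stored = {}) {
  const optOuts = {
    sale: Boolean(stored.sale),
    targeted_advertising: Boolean(stored.targeted_advertising),
    profiling: Boolean(stored.profiling),
  };
  const fromSignal = hasGpcSignal(headers);
  if (fromSignal) {
    for (const purpose of SIGNAL_COVERED_PURPOSES) optOuts[purpose] = true;
  }
  return { optOuts, fromSignal };
}

// Gate for downstream code (ad pipeline, data-broker export, etc.):
// true only if nothing has opted this consumer out of the named purpose.
function mayProcessFor(purpose, headers, stored = {}) {
  const { optOuts } = resolveOptOuts(headers, stored);
  if (!Object.prototype.hasOwnProperty.call(optOuts, purpose)) {
    throw new Error(`unknown processing purpose: ${purpose}`);
  }
  return !optOuts[purpose];
}

// Constructed sample requests for a stand-alone run (not captured traffic).
const requestWithSignal = { "Sec-GPC": "1", "User-Agent": "example-browser" };
const requestWithoutSignal = { "user-agent": "example-browser" };

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log(resolveOptOuts(requestWithSignal));
  console.log("sale allowed (no signal, no stored opt-out):",
    mayProcessFor("sale", requestWithoutSignal));
  console.log("sale allowed (no signal, stored opt-out):",
    mayProcessFor("sale", requestWithoutSignal, { sale: true }));
}
```

Call `mayProcessFor` at every point where data would be sold or used for targeted advertising, not only when rendering the privacy page; an opt-out that is honored in the banner but ignored by a server-side export job is the failure mode enforcement notices tend to describe.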
Data processor contracts. Although the obligations in the DPDPA largely concern data controllers, the law also requires that data processors (entities that process personal data on behalf of a controller) enter into specific contracts with controllers. These contracts must oblige data processors to implement data confidentiality, delete or return personal data at the end of the contract period, demonstrate DPDPA compliance upon request, and subject any subcontractors to the same privacy requirements.
Data protection assessments. The DPDPA will require certain data controllers to conduct regular data protection assessments (DPAs) for certain types of data processing performed after July 1, 2025, including:
- Selling personal data
- Processing sensitive data
- Processing personal data for targeted advertising or for the purposes of profiling with certain risk factors
- Any other processing activities that present a “heightened risk of harm”
Strong data security measures. Lastly, like several other state privacy laws, the DPDPA imposes a duty on data controllers to maintain “reasonable administrative, technical, and physical data security practices.” Although the law does not require any technologies in particular, it does require that these security practices protect the confidentiality, integrity, and accessibility of personal data.
What’s the timeline and enforcement mechanism for the law?
Effective date. Formerly House Bill No. 154, the Delaware Personal Data Privacy Act will officially go into effect on January 1, 2025. Outreach efforts to data controllers will begin by July 2024, and universal opt-out mechanisms will be required by January 1, 2026.
Enforcement. The Delaware Department of Justice (a.k.a. the state attorney general) will enforce the DPDPA, investigate violations, and administer penalties as necessary. There is no private right of action under the DPDPA, meaning that individual consumers cannot sue organizations for violating their rights.
Cure period. If a cure is possible, the DPDPA will offer businesses a 60-day cure period. However, this cure period will end in December 2025 and will not be in effect from 2026 onward.
Penalties. Under the DPDPA, courts may order companies to pay a civil penalty of up to $10,000 for each willful violation.
Who must comply with the Delaware privacy law, and who is exempt?
The Delaware Personal Data Privacy Act applies to data controllers that conduct business in Delaware or that target Delaware residents with their products or services, and that either:
- Control or process the personal data of at least 35,000 Delaware residents, excluding processing solely for the purpose of completing a payment transaction, or
- Control or process the personal data of at least 10,000 Delaware residents and derive more than 20% of their gross revenue from the sale of personal data.
Unlike many of its counterparts in other states, the law does not exempt HIPAA-covered entities or institutions of higher education as organizations. It does, however, offer several exemptions, most of them for particular categories of data:
- Any financial institution subject to the Gramm-Leach-Bliley Act (GLBA).
- Any protected health information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA).
- Any data governed by the Fair Credit Reporting Act (FCRA).
- Any data governed by the Farm Credit Act.
- Any data governed by the Driver's Privacy Protection Act.
- Any data governed by the Family Educational Rights and Privacy Act (FERPA).
How does the Delaware privacy law compare to other state privacy laws?
Nearly every state data privacy act bears similarities to other states’, and there is considerable overlap among several of the laws. There are also two prevailing categories of privacy legislation: the states with consumer-friendly privacy laws (like California) and the states with business-friendly privacy laws (like Virginia, Utah, and Tennessee). Delaware’s law is relatively consumer-friendly, earning praise from Consumer Reports, the Software Alliance, and other advocacy groups. Here’s how it stacks up.
Low consumer threshold. Delaware’s threshold for applicability — businesses must comply if they process the data of just 35,000 Delaware residents in a calendar year — is one of the lowest among all the states. This likely reflects Delaware’s small population of around 1 million residents, the sixth smallest of the 50 states.
Nonprofit applicability. While most state privacy legislation exempts nonprofit organizations, the DPDPA (like the privacy laws in Colorado and Oregon) applies to most nonprofit organizations. Delaware does offer limited exemptions for nonprofits “dedicated exclusively to preventing and addressing insurance crime” and for personal data of victims and witnesses of sexual and violent crimes processed by nonprofits to provide services to those victims and witnesses. However, it is in the minority for not excluding all nonprofits.
How to prepare for compliance with the Delaware privacy law
With slightly less than a year before most aspects of the DPDPA go into effect, organizations need to start preparing for compliance now. It’s important for companies to familiarize themselves with the law’s requirements and consult with experienced legal experts as needed. Here are a few additional steps to help businesses become compliant with the Delaware privacy law.
Prepare privacy notices and opt-out mechanisms. Under the DPDPA, privacy notices will be required by January 1, 2025, and universal opt-out mechanisms will need to be in place by January 1, 2026. Controllers should ensure that their privacy notices are clear and comprehensive and that they include an online contact method for consumers seeking to exercise their data privacy rights. The privacy notices will also need to inform consumers of the categories of personal data being processed (including any sensitive data), the categories of personal data being shared with third parties, and the purpose for any data processing activities.
Prepare for data protection assessments. The DPDPA will require data protection assessments (DPAs) starting on July 1, 2025. The DPAs will need to be regularly performed for the processing of sensitive data, the sale of personal data, the processing of personal data for targeted advertising or for certain types of profiling, and for any other data processing activities with a heightened level of risk. To prepare to conduct DPAs, organizations should begin assembling detailed reports of their data processing activities, including data collection, storage, retention, and deletion policies.
Implement robust security measures. The DPDPA doesn’t mandate any specific technologies, but its duty to protect the confidentiality, integrity, and accessibility of personal data means companies will still want stringent controls such as role-based access control (RBAC), multi-factor authentication (MFA), end-to-end encryption, and more.
Consider ShardSecure. State-level data privacy laws can present compliance challenges even for organizations with strong security safeguards. The ShardSecure platform can help support compliance by strengthening data security, privacy, and resilience in on-prem, cloud, and hybrid-cloud architectures. Our innovative approach to file-level encryption secures sensitive data from access by unauthorized third parties, including infrastructure admins and cloud providers. Visit our resources page to learn more.
Sources
Delaware Personal Data Privacy Act | Delaware General Assembly
Delaware Enacts Groundbreaking Personal Data Privacy Act | ACA International
Delaware Enacts Comprehensive Data Privacy Law | White & Case LLP
BSA Welcomes Delaware Personal Data Privacy Act | The Software Alliance
Delaware’s New Personal Data Privacy Act | Davis Wright Tremaine
Identity and Access Control in Information and Network Security | Cybersecurity Education Guides
Data Protection and Privacy Impact Assessments | International Association of Privacy Professionals