On September 11, 2023, the Governor of Delaware signed DE H 154, enacting the Delaware Personal Data Privacy Act (DPDPA), which provides residents of Delaware with privacy rights and requires businesses that need to comply with the law to meet certain obligations. This privacy law will go into effect on January 1, 2025, so businesses should start work to adapt their privacy programs to this new law as soon as possible.
In this Compliance Guide, we will break down the important points of the DPDPA, including:
- Who needs to comply with the Delaware Personal Data Privacy Act;
- How the law defines personal data;
- The privacy rights provided to residents of Delaware;
- The penalties for failure to comply; and
Who does the Delaware Personal Data Privacy Act apply to?
The DPDPA applies to any person that conducts business in Delaware or that produces products or services that are targeted to residents of Delaware and that during the preceding calendar year:
- Controlled or processed the personal data of not less than 35,000 residents of Delaware; or
- Controlled or processed the personal data of not less than 100,000 residents of Delaware and derived more than 20% of their gross revenue from the sale of personal data.
It is important to note that, as with other privacy laws, your business does not need to be located in Delaware for this privacy law to apply to you. The DPDPA exempts nonprofit organizations that provide services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felony or stalking, but does not exempt nonprofits working in other areas.
How does the law define personal data?
Since Delaware’s new privacy law applies only to those processing or controlling personal data, it is important to first determine whether your website collects personal data. The law defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable individual.” While the law specifically exempts de-identified data or publicly available information, most information collected by websites would be considered “personal data.” For example, names, emails, phone numbers, IP addresses, billing addresses, and shipping addresses would be considered “personal data” under the DPDPA as they are linked to a particular individual.
The privacy rights provided to residents of Delaware
The purpose of the Delaware Personal Data Privacy Act is to protect the privacy of residents of the State. This purpose is accomplished by providing the following privacy rights to residents of Delaware:
- Confirm whether a controller is processing the individual’s personal data and access such personal data;
- Correct inaccuracies in the consumer’s personal data;
- Delete personal data;
- Obtain a copy of the consumer’s personal data in a portable format;
- Obtain a list of the specific third parties to whom the controller has disclosed the consumer’s personal data;
- Opt out of targeted advertising;
- Opt out of the sale of personal data;
- Opt out of the use of personal data for profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer;
- Non-discrimination based upon the exercise of privacy rights.
Once the DPDPA goes into effect, businesses will have 45 days to respond to a consumer privacy rights request, though that timeline may be extended by an additional 45 days if needed. Consumers will also have a right to appeal a decision made by a business in response to a privacy rights request.
- The categories of personal data processing;
- The purpose for processing the personal data;
- How consumers may exercise their privacy rights, including how to appeal a privacy rights decision;
- The categories of third parties with whom personal data is shared, if any;
- The categories of personal data that is shared with third parties, if any;
- An active email address or other online mechanism where the controller can be contacted;
- If personal data is sold or processed for targeted advertising, a disclosure of such processing and how a consumer can opt out of such processing.
The law also provides that, no later than one year following the effective date of the DPDPA, controllers must allow consumers to opt out of targeted ads or the sale of their personal data through an opt-out preference signal, otherwise known as a cookie consent banner.
Penalties for failure to comply
Delaware’s new privacy law will be enforced by the Delaware Department of Justice, which can prosecute any violations. The Department of Justice can bring an enforcement proceeding and issue fines.