Delaware Personal Data Privacy Act Compliance Guide


Hans Skillrud

Vice President of Termageddon


On September 11, 2023, the Governor of Delaware signed DE H 154, passing the Delaware Personal Data Privacy Act (DPDPA), which provides residents of Delaware with privacy rights and requires businesses that need to comply with the law to meet certain obligations. This privacy law will go into effect on January 1, 2025, so businesses should start work to adapt their privacy programs to this new law as soon as possible.

In this Compliance Guide, we will break down the important points of the DPDPA, including: 

  • Who needs to comply with the Delaware Personal Data Privacy Act; 
  • How the law defines personal data; 
  • The privacy rights provided to residents of Delaware; 
  • The Privacy Policy disclosure requirements of Delaware’s new privacy law; 
  • The penalties for failure to comply; and 
  • How Termageddon will handle Privacy Policy updates for this new privacy law. 

Who does the Delaware Personal Data Privacy Act apply to? 

The DPDPA applies to any person that conducts business in Delaware or that produces products or services that are targeted to residents of Delaware and that during the preceding calendar year: 

  • Controlled or processed the personal data of not less than 35,000 residents of Delaware; or 
  • Controlled or processed the personal data of not less than 100,000 residents of Delaware and derived more than 20% of their gross revenue from the sale of personal data. 

It is important to note that similar to other privacy laws, your business does not need to be located in Delaware for this privacy law to apply to you. The DPDPA exempts nonprofit organizations that provide services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felony or stalking but does not exempt nonprofits working in other areas. 

How does the law define personal data? 

Since Delaware’s new privacy law applies only to those processing or controlling personal data, it is important to first determine whether your website collects personal data. The law defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable individual.” While the law specifically exempts de-identified data or publicly available information, most information collected by websites would be considered “personal data.” For example, names, emails, phone numbers, IP addresses, billing addresses, and shipping addresses would be considered “personal data” under the DPDPA as they are linked to a particular individual. 

The privacy rights provided to residents of Delaware

The purpose of the Delaware Personal Data Privacy Act is to protect the privacy of residents of the State. This purpose is accomplished by providing the following privacy rights to residents of Delaware: 

  • Confirm whether a controller is processing the individual’s personal data and access such personal data; 
  • Correct inaccuracies in the consumer’s personal data; 
  • Delete personal data; 
  • Obtain a copy of the consumer’s personal data in a portable format; 
  • Obtain a list of the specific third parties to whom the controller has disclosed the consumer’s personal data; 
  • Opt out of targeted advertising; 
  • Opt out of the sale of personal data; 
  • Opt out of the use of personal data for profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer;
  • Non-discrimination based upon the exercise of privacy rights. 

Once the DPDPA goes into effect, businesses will have 45 days to respond to a consumer privacy rights request, though that timeline may be extended by an additional 45 days if needed. Consumers will also have a right to appeal a decision made by a business in response to a privacy rights request. 

The Privacy Policy requirements of Delaware’s new privacy law 

In addition to honoring consumer privacy rights, businesses that need to comply with the DPDPA will also need to have a clear, meaningful, and accessible Privacy Policy that includes the following information: 

  • The categories of personal data processed;
  • The purpose for processing the personal data; 
  • How consumers may exercise their privacy rights, including how to appeal a privacy rights decision; 
  • The categories of third parties with whom personal data is shared, if any; 
  • The categories of personal data that are shared with third parties, if any;
  • An active email address or other online mechanism where the controller can be contacted; 
  • If personal data is sold or processed for targeted advertising, a disclosure of such processing and how a consumer can opt out of such processing. 

The law also provides that no later than one year following the effective date of the DPDPA, controllers must also allow consumers to opt out of targeted ads or the sale of their personal data through an opt-out preference signal, otherwise known as a cookie consent banner. 

Penalties for failure to comply 

Delaware’s new privacy law will be enforced by the Delaware Department of Justice, which can prosecute any violations. The Department of Justice can bring an enforcement proceeding and issue fines. 

How Termageddon will handle Privacy Policy updates for this new law 

We have been monitoring the DPDPA since its inception and will continue to monitor this law for any amendments, regulations, and guidance, which may expand on the Privacy Policy disclosure requirements. Prior to this law going into effect, we will email our clients to notify them when the updates are available and whether they need to answer any new questions that are required to create the new disclosures within their Privacy Policy. If you do not have a Privacy Policy or do not have a strategy to keep it up to date with changes such as this one, make sure to check out the Termageddon Privacy Policy generator.

About the Author
Hans Skillrud

Hans is the Vice President of Termageddon, an auto-updating website policies generator. With Termageddon, you can generate a comprehensive set of policies for your website, and then receive automatic updates to your policies when the laws change. When not working on Termageddon, you can find Hans gardening, beekeeping, fishing or taking care of his chickens.
