Delaware Personal Data Privacy Act

The Delaware Personal Data Privacy Act (DPDPA) was signed into law on September 11, 2023, with an effective date of January 1, 2025. The DPDPA closely follows the Connecticut model, however, Delaware has lowered the scoping threshold, presumably because of the small size of the state. Other variations include a lack of exemption for non-profits, except those that are exclusively dedicated to preventing insurance crime, and a unique definition for genetic information as well as including transgender or non-binary status in its definition of sensitive personal information.

Book a Free Consultation

What you need to know about the DPDPA:

To Whom Does DPDPA Apply?

DPDPA applies to organizations that:

  1. Conduct business or provide products or services to residents of Delaware (consumers), and 
  2. Annually control or process the personal information of either:
    1. 35,000 unique residents, excluding personal information solely used for completing payment transactions; or
    2. 10,000 unique residents and derives more than 20% of gross revenue from sale of personal information.
Where Does DPDPA Not Apply?

Exempt Entities: Exempt entities include:

  • State government entities, excluding higher education institutions 
  • GLBAcovered entities; 
  • FINRA national securities associations that are registered under the SEC Act; 
  • Nonprofit organizations dedicated exclusively to preventing and addressing insurance crime. 


Exempt Data: The DPDPA exempts a long list of personal information, including but not limited to:

  • Protected Health Information under HIPAA;
  • GLBA-covered data;
  • Various federally and internationally protected health and patient information, including that protected by the Common Rule, human subject data, and more;
  • Various forms of credit data regulated by the Fair Credit Reporting Act; and
  • Data covered by a wide variety of other federal laws including Family Educational Rights, Farm Credit Act, and Privacy Act, and Driver’s Privacy Protection Act.

Exempt Use Cases: DPDPA is not applicable in some circumstances, such as:

  • Processing PI in an employment or commercial (B2B) context;
  • Processing PI for emergency contact purposes; and
  • Processing PI of another individual in relation to the provision of benefits.

In addition, DPDPA specifies that its law should not be construed to restrict a business’s collection, use, or retention of PI for:

  • Conducting internal research for development, improvement, and repair of products, services, and technology (R&D);
  • Product recalls;
  • Identifying and repairing technical errors that impair existing or intended functionality; and
  • Performing internal operations.

Key Components of DPDPA

What Constitutes Personal Information in Delaware?

The DPDPA covers “personal data,” also called personal information or PI, which Delaware defines as: “any information that is linked or reasonably linkable to an identified or identifiable individual.” The definition exempts de-identified information and information made publicly available by government records, the media, or the consumer. However, pseudonymous data combined with information that can reasonably link it to an identified or identifiable individual is covered as PI.

What Constitutes Sensitive PI?

The DPDPA’s definition of sensitive PI consists of:

  • Racial or ethnic origin;
  • Religious beliefs;
  • Mental or physical condition or diagnosis (including pregnancy);
  • Sex life or sexual orientation;
  • Status as transgender or non-binary;
  • Citizenship or immigration status;
  • PI about a known child;
  • Precise geolocation data; and
  • Genetic or biometric data.
Any Other Categories of Data I Should Think About?

Where a controller processes de-identified data, the DPDPA requires it to take reasonable measures to ensure the data cannot be associated with an individual; publicly commit to maintaining such data without an attempt to re-identify it; and contractually obligate any recipients of the data to comply with the DPDPA.

Additionally, Delaware exempts pseudonymous data from access, correction, portability, and deletion rights requests where the controller can show it keeps information that would allow the data to be re-identified separate and subject to technical and organizational controls that prevent its use for re-identification.

Is consent needed to Process Sensitive Data?

In a word: YES!

Is Consent Needed for Any Other Processing?

Parental consent is required to process PI about a known child (under 13) in accordance with COPPA, and data subject consent is required to sell the PI of a minor ages 13 through 17 or use it for targeted advertising.

Consent is also required for secondary use of information that is not necessary or compatible with the purpose for collection and hasn’t been noticed to the consumer.

What Needs to Be Included in the Privacy Notice?

A privacy notice must include:

  • The categories of PI processed;
  • The purpose for processing PI;
  • The categories of third parties with which PI is shared;
  • The categories of PI that are shared with third parties;
  • The methods for a consumer to exercise their rights (see below) and appeal a decision on their rights request;
  • Description of targeted advertising and profiling activities including a procedure for opting out of the processing for these purposes; and
  • An active email address or other electronic method for a consumer to contact the company.
What Constitutes “Sale” of PI?

Delaware defines “sale” to include exchange for monetary or other valuable consideration.

There are limits on the definition of “sale” to ensure that certain business functions are not unintentionally impeded by this law. Examples of activities deemed not to be a sale include: the disclosure of PI to provide a product or service requested by the consumer, the disclosure of PI to an affiliate, disclosure of PI intentionally made public, and the disclosure of PI as part of a merger or bankruptcy.

How Will the DPDPA Law Be Enforced?

Under the DPDPA the Attorney General (AG), as the head of the Department of Justice, has sole enforcement authority. The AG may bring an enforcement action after providing a 60-day notice and an opportunity for the business to cure the alleged violation(s); the cure period will end December 31, 2025, after which time the AG will have discretion (over whether to grant an opportunity to cure. Violations will be considered an unfair trade practice under Delaware’s consumer rights laws and may incur fines up to $10,000.

Privacy Rights

 

The privacy rights created under DPDPA consumer privacy law generally align with those provided under other state laws. If the DPDPA applies to your business, you must allow consumers to:

  • Right to know whether a business is processing your PI;
  • Right to access PI;
  • Right to Correct inaccuracies in PI;
  • Right to delete PI about them;
  • Right to obtain a list of the categories of third parties to which the controller has disclosed the consumer’s PI;
  • Right to obtain a copy of PI (data portability); and
    • Right to opt out of the sale of personal, processing for targeted advertising, or profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning the consumer.

The DPDPA requires that businesses respond to privacy rights requests within 45 days of receipt, with a permissible 45-day extension in limited circumstances. Responses must be provided free of charge once a year. Businesses may deny a rights request in certain circumstances, including inability to verify the identity of a requestor. When a business denies a request, the business must notify the consumer within the 45-day timeframe and provide the reason for the denial as well as instructions for how to appeal the decision.

The appeals process must be conspicuously available to consumers and similar to the process for submitting an initial privacy rights request. Businesses must respond to appeals within 60 days of receipt and, if denying an appeal, must provide the consumer with a method (online, if available) to file a complaint with the AG.

Universal Opt Out

 

Delaware requires that controllers recognize universal opt-out signals. Universal opt-out, or global privacy control, is a technical standard that enables users to automatically communicate their privacy preferences, such as opting out of the sale of their personal information, to websites through their web browser or other technologies.

Privacy Impact Assessments

 

Delaware requires that covered organizations conduct data protection impact assessments, or privacy impact assessments (PIAs), for certain high-risk processing.

DPDPA requires assessments for activities that present a heightened risk of harm, specifically including:

  • Processing for targeted advertising;
  • Processing sensitive PI;
  • Selling PI;
  • Processing for the purposes of profiling if it presents a ‘reasonably foreseeable risk’ of
  • Unfair or deceptive treatment or unlawful disparate impact on consumers;
  • Financial, physical or reputational injury to consumers;
  • Physical or other intrusion on the solitude or seclusion, or private affairs or concerns, which would be offensive to a reasonable person; or
  • Other substantial injury.

Vendor Contracts

 

Delaware requires controllers to have a contract in place with vendors that dictates obligations with respect to processing PI. Contracts must include:

  • Instructions for processing PI;
  • The nature and purpose of processing;
  • Type of data that is subject to processing;
  • The duration of processing;
  • Rights and obligations of both parties;
  • A duty of confidentiality for individuals who process the PI;
  • Obligation to delete or return all PI at the controller’s direction or when it has completed the services, unless retention of the PI is required by law;
  • Obligation to make available all information necessary to demonstrate the vendor’s compliance with its obligations;
  • Compliance with audits by the controller or independent auditor and to provide a report of the assessment to the controller;
  • Provide the opportunity for the controller to object to any sub-processors; and
  • Pass along obligations to any subcontractor in a written contract.

Vendor Contracts

 

Delaware limits the collection of PI to what is adequate, relevant, and reasonably necessary in relation to the purposes for which that personal data is processed, as disclosed to the consumer. Where processing is not necessary or compatible with the purpose for collection, organizations must obtain consumers’ consent for the processing.

Data Privacy is Just Good Business

Managing privacy compliance with all these new state privacy laws popping up in the U.S., might seem like a daunting task. But just because the task appears daunting, it doesn’t mean that it’s impossible to handle.

You don’t have to go at it alone! With the right support, you can make data privacy measures a sustainable part of your daily operations. That’s where Red Clover Advisors comes in – to deliver practical, actionable, business-friendly privacy strategies to help you achieve data privacy compliance and establish yourself as a consumer-friendly privacy champion that customers will appreciate.

Book a Free Consultation