Delaware Data Privacy Act
On June 30, 2023, Delaware became the 12th state to pass a comprehensive consumer data privacy law, the Delaware Data Privacy Act (DDPA). It is scheduled to take effect January 1, 2025, and closely resembles the newly effective Connecticut CTDPA, with some notable differences.
It may surprise you to learn that DDPA will be one of two privacy laws in place in Delaware; Delaware currently has the Delaware Online Privacy and Protection Act (“DelOPPA”).
At a high level, DelOPPA does three things:
- prohibits online marketing of certain types of products to children (including alcohol, tobacco, firearms, tattoos, lottery tickets, and fireworks, by way of example),
- requires commercial websites to have privacy policies posted (more on this later), and
- provides protections with respect to the rental, purchase, borrowing, or viewing of books electronically or via the Internet.
Why should it surprise us that Delaware – the first state in the Union and currently the second smallest and least populated state – has two privacy laws, while most states don’t even have one? Over two-thirds of the Fortune 500 companies are incorporated in Delaware, and Delaware has more corporate entities than residents! Despite these statistics, adopting a consumer privacy protection act is decidedly favorable to Delaware residents and creates one more privacy law with which many of those companies will have to comply as of January 1, 2025.
What is essential to know about DDPA, and what are its key requirements?
Until then, being proactive about your privacy program is the best way to make sure your company is ready to satisfy its legal obligations and meet your clients’ expectations for data privacy and protection. Red Clover Advisors has the knowledge and experience you need to do both.
What You Need to Know About DDPA
For the most part, DDPA closely resembles Connecticut’s CTDPA with a few notable exceptions.
DDPA applies to you if you:
- conduct business or provide products or services targeted to residents in Delaware, and
- in the previous calendar year, processed or controlled:
- personal data about at least 35,000 Delaware consumers, other than personal data processed solely for purposes of payment; or
- personal data about at least 10,000 Delaware consumers and derived more than 20% of gross revenue from the sale of personal data, and is not
DDPA Does NOT Apply to:
- a state governmental body,
- a financial institution subject to GLBA,
- a non-profit organization, or
- a national securities association subject to the Securities Exchange Act and the Commodity Exchange Act.
DDPA explicitly excludes non-profits, institutions of higher education, and HIPAA-covered entities from its list of exemptions (or, in other words, DDPA specifically applies to non-profits*, institutions of higher education, and HIPAA-covered entities)!
- Context: Like most of the other state privacy laws, with California being the notable exception, DDPA does not apply to individuals acting in a commercial or employment context.
- Exempt data: data protected by HIPAA and other specified health and health-related laws (including the Common Rule), the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, FERPA, the Farm Credit Act, the Airline Deregulation Act, and GLBA, as well as data processed or maintained solely in connection with employment or another commercial context. It also exempts personal data related to a victim of or witness to certain abuses and assaults.
*Two types of non-profits are exempted from the law: those “dedicated exclusively to preventing and addressing insurance crime,” and those collecting information related to victims or witnesses of certain crimes, including domestic violence and stalking.
- Review and update your Privacy Notice to specify the purpose for collection of personal data.
- Review whether you process sensitive personal data, including status as transgender or nonbinary, and be sure you have appropriate consent.
- Get consent before selling personal data or processing personal data for targeted advertising with respect to individuals between the ages of 13 and 18.
- Provide a clear and conspicuous link on your website for individuals to opt out of sale and targeted advertising.
- Implement or update your process for receiving and responding to Individual Rights Requests (including appeals).
- Create or update Data Protection Assessments (or Privacy Impact Assessments, if completed for GDPR).
- Ensure that your vendor contracts include appropriate privacy protections.
- Update your technology so that you can recognize universal opt-out mechanisms as of January 1, 2026.
Key Components of DDPA
Delaware adopts the definition of personal data found in many other state laws.
Like many of the recently enacted state privacy laws, Delaware expands the definition of sensitive data beyond what we previously knew. In addition to the usual elements, such as:
- racial or ethnic origin,
- religious beliefs,
- mental or physical condition or diagnosis (specifically including pregnancy),
- sex life and sexual orientation,
- citizenship status or immigration status (introduced by several state laws passed earlier this year),
- personal data about a child,
- precise geolocation data, and
- genetic or biometric data.
DDPA – like Oregon – adds:
- status as transgender or nonbinary.
In a word: Yes!
Consent is needed before processing personal data about a child between the ages of 13 and 18 for the purposes of targeted advertising or sale.
Like many of the other state laws, under the new Delaware law, a Privacy Notice must:
- list the categories of personal data that are processed;
- describe the purposes for processing personal data;
- describe how a consumer may exercise their rights (see below) and appeal a decision to not fulfill a request;
- list all categories of personal data that are shared with third parties;
- describe the categories of third parties with which personal data is shared;
- disclose any sale of personal data and targeted advertising activities, and provide a procedure for opting out of sale or the processing for targeted advertising; and
- provide an email address or other online method(s) by which a consumer can submit a request to exercise their individual rights.
Of course, don’t forget the requirements of DelOPPA, which include specifics about where the privacy notice should be posted and that the link to the notice must include the word “privacy” and be noticeable (for example, by using all capital letters, larger font size, contrasting font or color, etc.). Under DelOPPA, since January 1, 2016, there was already a requirement in Delaware to include the following in a posted privacy notice:
- the categories of personal data collected;
- a description of the process for individuals to request access to and corrections of personal data collected by the website;
- how the website operator notifies website visitors of material changes to the privacy notice;
- the effective date of the privacy notice;
- how the website operator responds to “Do Not Track” and other signals; and
- whether others collect personal data through the website.
Delaware follows the lead of California in defining ‘sale’ to include exchange for monetary or other valuable consideration.
Like almost all the state laws, including Utah, Virginia, Colorado, Connecticut, Montana, Iowa, Tennessee, Indiana, and Oregon, under DDPA enforcement is the responsibility of the Delaware Department of Justice – headed by the state Attorney General.
- Under DDPA, the Attorney General may bring an enforcement action after providing 60 days’ notice and an opportunity for the business to cure the alleged violation(s); the mandatory cure period will end on December 31, 2025, after which the Department of Justice has discretion whether to grant an opportunity to cure an alleged violation.
- Actions can be brought that seek injunctive relief (the company must immediately stop certain behaviors) and/or civil penalties of up to $10,000 per violation.
Individual Rights
The Individual Rights created under DDPA generally align with those provided under other state laws. If DDPA applies to your business, you must allow consumers to:
- Confirm whether your business is processing any of their personal data and access that data;
- Obtain a list of third parties to which you have disclosed personal data about the consumer (this is like the requirement we saw in the new Oregon law);
- Correct inaccuracies in personal data;
- Delete personal data;
- Get a copy of certain personal data (data portability);
- Opt out of the sale of personal data and of processing for profiling and targeted advertising.
Delaware, like many other states, requires businesses to respond to individual rights requests within 45 days of receipt (unless the business has been unable to authenticate a request), with a permissible 45-day extension in limited circumstances. Responses must be provided free of charge at least once a year. If the business declines to take a requested action, the business must notify the consumer in writing, along with instructions for appeal.
Like we have seen with other recent state privacy laws, including Montana, Iowa, Tennessee, and Oregon, the appeal process must be conspicuously available to the consumer and similar to the process for submitting requests. In Delaware, businesses must respond to appeals within 60 days of receipt and like with the other recent state laws, if denying an appeal, must provide an online mechanism, if available, or other method for contacting the Delaware State Attorney General to submit a complaint.
Like many of the recent state laws, including Virginia, Montana, Iowa, Tennessee, Indiana, and Oregon, the DDPA exempts de-identified data from the consumer rights. It also follows Texas’s lead in exempting pseudonymous data from individual rights responses.
Privacy Impact Assessments
Like many of the recent state privacy laws, including Virginia, Connecticut, Montana, Tennessee, Indiana, and Oregon, DDPA requires that regulated businesses that control or process data about at least 100,000 consumers conduct and document Data Protection or Privacy Impact Assessments. The circumstances under which businesses must complete Assessments align with these other laws. Like its predecessors, DDPA also allows Assessments conducted for compliance with other laws to satisfy its requirements, if they are “reasonably similar in scope and effect.”
DDPA requires assessments for activities created or generated after July 1, 2025, that present a heightened risk of harm, specifically including:
- Processing for targeted advertising;
- Selling personal data;
- Processing for the purposes of profiling if it presents a ‘reasonably foreseeable risk’ of:
  - Unfair or deceptive treatment or unlawful disparate impact on consumers;
  - Financial, physical, or reputational injury to consumers;
  - Physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, which would be offensive to a reasonable person; or
  - Other substantial injury; and
- Processing sensitive data.
Vendor Contracts
Like Iowa, Montana, Tennessee, Indiana, Oregon, and many other state laws, DDPA requires that a contract be in place that dictates what vendors must do with respect to processing personal data. Contracts must be binding and “clearly set forth clear instructions for processing data, the nature and purpose of processing, the type of data that is subject to processing and the duration of processing” and specify the rights and obligations of both parties. In addition, the contract must require that the processor:
- ensure that each person that processes personal data is subject to a duty of confidentiality;
- delete or return all personal data at the controller’s direction or when it has completed the services, unless retention of the personal data is required by law;
- make available all information necessary to demonstrate the processor’s compliance with its obligations;
- provide the controller with an opportunity to object to subcontractors and, barring any objection, pass along the same obligations to any subcontractor in a written contract; and
- make itself available for audits by the controller, or arrange for an independent auditor to review its policies and practices and provide a report of the assessment to the controller.
Business Friendly Exceptions
Like the most recent state laws, including the laws in Colorado, Connecticut, Montana, Iowa, Tennessee, Indiana, and Oregon, DDPA specifies that it should not be construed to restrict a business’s collection, use, or retention of personal data for:
- protecting any person’s health and safety;
- preventing, detecting, protecting against or responding to, and investigating, reporting or prosecuting persons responsible for security incidents, identity theft, fraud, harassment, other malicious or deceptive activities, or any illegal activity;
- conducting public or peer-reviewed research;
- conducting internal research for development, improvement, and repair of products, services, and technology (R&D);
- product recalls;
- identifying and repairing technical errors that impair existing or intended functionality;
- performing internal operations; and
- negotiating, entering into, or performing a contract with a consumer, including to fulfill a warranty.
Data Privacy is Just Good Business
Managing privacy compliance with all these new state privacy laws popping up in the U.S. might seem like a daunting task. But just because the task appears daunting doesn’t mean it’s impossible to handle.
You don’t have to go at it alone! With the right support, you can make data privacy measures a sustainable part of your daily operations. That’s where Red Clover Advisors comes in – to deliver practical, actionable, business-friendly privacy strategies to help you achieve data privacy compliance and establish yourself as a consumer-friendly privacy champion that customers will appreciate.