The "Incorporation Capital of the World," Delaware, had been in dire need of a privacy law for years. In September 2023, Delaware Governor John Carney signed House Bill No. 154 into law, an emphatic response to widespread calls for such legislation. In so doing, Delaware became the 12th state in the U.S. to enact a comprehensive consumer privacy law, the Delaware Personal Data Privacy Act (DPDPA).
Set to enter into force on January 1, 2025, the law adds another piece to the evolving patchwork of data privacy regulations in the United States. The DPDPA places Delaware in the same category as California, Virginia, Colorado, Indiana, Connecticut, Utah, Iowa, Montana, Oregon, Tennessee, Florida, and Texas, all of which have enacted similar laws of their own.
In this post, we’ll dive into the details of the law. More importantly, we’ll explore how companies doing business in Delaware or with Delawareans can prepare for compliance even before the law takes effect.
Overview of the Delaware Personal Data Privacy Act
For Delawareans, the DPDPA represents a proactive approach to growing concerns over consumer privacy and the protection of consumers’ personal data. The comprehensive data privacy law’s first iteration came in the shape of House Bill 154, introduced by Representative Krista Griffith on May 12, 2023.
Consumer advocacy groups had been pressing for a privacy law to empower consumers across the state, and similar laws being passed in other states added momentum that later expedited the DPDPA.
The journey to enactment was far from smooth. House Bill 154 went through its fair share of amendments, votes, and deliberations to address stakeholder concerns. Ultimately, Governor John Carney signed it into law on September 11, 2023. Like the Florida Digital Bill of Rights (FDBR), the Delaware Personal Data Privacy Act (DPDPA) is split into three parts:
- The first part covers consumer rights, setting out which rights apply to consumers within the state.
- The second part covers business obligations, outlining businesses’ responsibilities to consumers, such as consent requirements and transparent data privacy practices.
- The third part sets out the enforcement and compliance mechanisms used to enforce the law, including the role of the Delaware Department of Justice in overseeing adherence to it.
Some notable provisions of the DPDPA
To inform your compliance strategy, it’s worth going over some notable provisions contained in the DPDPA:
Universal opt-out mechanisms & enforcement
From January 1, 2026, data controllers are required to recognize universal opt-out mechanisms, allowing consumers to opt out of data processing activities easily.
The statutory “60-day cure period” and “sunset” provision
The DPDPA provides a 60-day period to cure any violation after a business that processes personal data (whether as controller or processor) receives a notice from the Delaware Department of Justice. However, this cure provision will sunset (expire) on December 31, 2025, after which the Department may, at its discretion, allow the controller or processor to cure the violation.
Definitions of profiling, sensitive data, and genetic data
As under other state privacy laws, consumers may opt out of “profiling” under the DPDPA. The law includes “demographic characteristics” in its definition of profiling features, which expands the scope and grants consumers broader rights to opt out. It also classifies “status as transgender or nonbinary” as sensitive data, placing “genetic data” in the same category. This would make it the first such provision in U.S. state privacy legislation.
Additional requirements for liability shield
A controller or processor will not be held liable for violations committed by their processors or third parties if:
- They had no actual knowledge of the violation at the time of disclosure; and
- They maintained compliance with their obligations to disclose the said violation.
This is another notable divergence from other state privacy laws, where liability falls on the receiving entity.
Children’s data: restrictions on sales and targeted advertising
Once a controller knows, or willfully disregards, that a consumer is between 13 and 18 years of age, it may not process that consumer’s personal data for targeted advertising or sell it without consent. Additionally, companies must give consumers the option to opt out of the sale of personal data.
Furthermore, the DPDPA states that controllers and processors that meet COPPA’s standards for verifiable parental consent have satisfied the DPDPA’s parental consent requirements for child consumers.
How is personal data defined in the DPDPA?
Per the DPDPA, personal data is defined as “any information that is linked or reasonably linkable to an identified or identifiable individual.” This definition explicitly excludes de-identified data and publicly available information.
De-identified data refers to information that cannot reasonably be used to infer details about, or be linked to, an individual or a device associated with that individual.
Scope and Application of the DPDPA
In line with the standard in most U.S. state privacy laws, the DPDPA applies to companies doing business in Delaware or targeting Delaware residents.
Does the DPDPA apply to your business?
§ 12D-103 of the DPDPA sets forth the applicability requirement: the law applies to you if, in the preceding calendar year, you met either of the following thresholds:
- Managed or processed the personal data of at least 35,000 Delaware residents (excluding data processed solely to complete payment transactions); or
- Managed or processed the personal data of at least 10,000 Delaware residents while earning over 20% of your gross revenue from selling that data.
It’s worth noting that the use of tools like Google Analytics or Facebook Pixel to process user data may quickly bring you within touching distance of these thresholds, which may trigger DPDPA compliance requirements.
In fact, most companies with a digital presence will find themselves impacted by the law, regardless of the threshold.
What exemptions (and derogations) are made in the DPDPA?
In terms of material scope, the law also provides certain exemptions, along with some notable provisions that go against the trend of other U.S. state privacy laws.
On a data level, the DPDPA excludes de-identified data and publicly available information from its definition of personal data. Carve-outs are also made for all personal data governed by:
- The Gramm-Leach-Bliley Act (GLBA);
- HIPAA;
- The Fair Credit Reporting Act (FCRA);
- The Driver’s Privacy Protection Act (DPPA);
- The Family Educational Rights and Privacy Act (FERPA);
- The Farm Credit Act; and
- The Airline Deregulation Act.
Under the DPDPA, data subjects also do “not include an individual acting in a commercial or employment context…”. This signals the law’s neutral stance where data is used in a B2B or employment context, particularly in the case of emergency contact information or employee data.
Similar exemptions are made for protected health information under HIPAA and for patient-identifying information for purposes of 42 U.S.C. § 290dd-2. These allowances also cover human subject research, patient safety work product under the Patient Safety and Quality Improvement Act (PSQIA), and data used for HIPAA-authorized public health purposes.
On an entity level, the DPDPA exempts the following:
- State entities (excluding institutions of higher education);
- Financial institutions or affiliates that are subject to the Gramm-Leach-Bliley Act (GLBA) or HIPAA; and
- National securities associations or registered futures associations.
The law does apply to non-profit organizations and institutions of higher education. But in a bid to align with public policy objectives, the DPDPA will not apply to a non-profit where:
- The non-profit is created to prevent or address an insurance crime; or
- The non-profit renders services to victims of or witnesses to domestic violence, child abuse, sexual assault, human trafficking, stalking, or a violent felony, and the personal data in issue relates to such victims or witnesses.
The DPDPA takes a nuanced approach to HIPAA-related data. While protected health information under HIPAA is explicitly exempt, the law does not provide a blanket exemption for all HIPAA-regulated entities. This differs from some other state privacy laws that offer broader HIPAA-entity exemptions.
Consumer rights and controller/processor obligations
What are consumers’ rights under the DPDPA?
Delawareans are granted a set of rights parallel to those in other comprehensive state privacy laws. Under the DPDPA, consumers are entitled to:
- Confirm whether a data controller is processing their personal data, and access that data;
- Correct any inaccuracies in their personal data;
- Request the deletion of personal data that they have provided or that has been collected about them;
- Obtain a copy of their personal data in a format that enables them to transmit it to another controller, as long as this does not require the disclosure of any trade secrets; and
- Opt out of processing for:
  - Targeted advertising;
  - The sale of their personal data (with certain exceptions); or
  - Profiling activities that lead to solely automated decisions with legal or similarly significant effects on the consumer.
As under Oregon’s privacy law, consumers may obtain a list of the categories of third parties to whom their data has been disclosed. In this case, the third parties listed in response must concern only the consumer making the request. This runs counter to other state laws, which require lists relating to all the consumers whose data the controller holds.
§ 12D-104(d) also provides for a consumer right of appeal. Controllers must respond to DSRs (Data Subject Requests) within 45 days. This deadline may be extended by another 45 days where needed, for instance due to a high volume of requests or the complexity of a request.
Denied requests must come with an explanation from the controller, alongside clear instructions for lodging an appeal. Once an appeal is filed, the controller has 60 days to notify the consumer of any action taken. If the appeal is denied, the controller must also offer the consumer a way to contact the Delaware Department of Justice to lodge a complaint.
Controller/Processor Obligations for Processing Personal Data
§ 12D-106 and § 12D-107 set forth the fine print of controller and processor obligations under the DPDPA. In general, controllers must observe the following:
- Data Minimization & Purpose Limitation: Collect data only as needed for specific, disclosed purposes, ensuring that the data gathered is both relevant and adequate for those purposes;
- Data Security: Implement robust Technical and Organizational Measures (TOMs) and other physical data security practices appropriate to the type and quantity of data managed;
- Sensitive Data: Obtain consumer consent before processing sensitive data; where the consumer is a child, parental or guardian consent is required;
- Anti-discrimination: In processing personal data, controllers must adhere to federal and state anti-discrimination laws;
- Transparency: Offer clear, accessible privacy notices that spell out the categories of personal data collected, the purposes of processing, the types of data shared, third-party recipients, and consumer rights;
- Data Processing Agreement: Put in place contracts that outline the purpose of the processing, the data types involved, and each party’s rights and obligations, for instance a clause requiring processors to delete personal data provided to them once the processing is complete;
- Opt-out Preference Signal: By January 1, 2026, controllers must recognize an opt-out preference signal to honor the rights of consumers who wish to opt out of data sales or targeted advertising;
- Data Protection Assessment: From July 1, 2025, controllers processing the data of 100,000 or more consumers must conduct regular data protection assessments if their data activities pose heightened risks to consumers;
- De-identified Data: Ensure de-identified data cannot be linked to individuals, publicly commit to keeping it de-identified, and ensure that recipients of the data comply with the same obligations.
On the processor side, the critical requirement is to assist controllers in complying with DPDPA standards, ensuring the data remains safe and secure. Processors must also comply with confidentiality obligations to protect consumers’ data.
Enforcement and penalties
§ 12D-111(a) of the DPDPA vests all enforcement powers exclusively in the state’s Attorney General, aided by the Delaware Department of Justice (DOJ). By implication, and unlike under California privacy law, Delawareans do not have a private right of action (they cannot bring private lawsuits).
Until December 31, 2025, the DPDPA requires the Attorney General to provide formal notice of any violation. The notice must offer a 60-day window for the controller to cure the violation before the state commences enforcement proceedings.
Notably, this 60-day cure period will ‘sunset’ on January 1, 2026, after which the AG has discretion over whether to allow another opportunity to cure the violation before taking enforcement action.
Fines can be as steep as $10,000 per violation of the DPDPA.
How to get ready for the DPDPA?
Once you’ve established that your business falls under the regulatory scope of Delaware’s DPDPA, it’s time to get your compliance ducks in a row.
Specific requirements like consent immediately come to mind, especially as you may need to demonstrate validly obtained consent before processing customers’ sensitive data. Other requirements abound, so a catch-all solution is better suited to your compliance objectives. That’s where Didomi comes in.
Our Global Privacy UX Solutions cover everything from a Consent Management Platform (CMP) to Preference Management, DSAR, and more. Reach out to our team to discuss, and learn more about how the Delaware privacy law stacks up against other U.S. state laws in our comprehensive article on data privacy laws in the United States.
Frequently Asked Questions (FAQ)
When does the DPDPA enter into force?
The Delaware Personal Data Privacy Act (DPDPA) is set to enter into force on January 1, 2025.
Do consumers have a private right of action?
No, the Act does not give consumers the right to sue in their private individual capacity when a controller is non-compliant with the law. You can still file a complaint with the Department of Justice, which may inform you of your remedies.
What businesses are subject to the DPDPA?
The DPDPA applies to businesses that manage or process the personal data of at least 35,000 Delaware residents or 10,000 residents while earning over 20% of their gross revenue from selling that data.
What type of data is classified as sensitive under the DPDPA?
Sensitive data requires consumer consent before processing and includes:
- Citizenship status, immigration status, mental or physical health condition or diagnosis (including pregnancy status), racial or ethnic origin, religious beliefs, sex life, sexual orientation;
- Demographic characteristics;
- Precise geolocation data;
- Genetic or biometric data;
- Personal data of a known child (with “child” defined as those under 13 years of age); and
- Status as transgender or nonbinary.
What happens if a consumer's request regarding their personal data is denied?
If a request is denied, the controller must provide an explanation and clear instructions to appeal the decision. Consumers can contact the Delaware Department of Justice to complain.
How does the DPDPA handle profiling activities?
Consumers have the right to opt out of profiling activities that lead to solely automated decisions that significantly affect them. Profiling includes demographic characteristics as part of its definition.
What are the enforcement mechanisms for the DPDPA?
The enforcement of the DPDPA is managed by the Delaware Attorney General, assisted by the Department of Justice. Businesses will receive a notice of violations and have a 60-day period to rectify issues before enforcement actions are taken.
What happens if a business violates the DPDPA?
If a business violates the DPDPA, it will receive a formal notice from the Attorney General and has a 60-day cure period to address the violation. After this period, enforcement actions may be initiated.