Delaware Enacts Comprehensive Personal Data Privacy Law

Delaware recently enacted the Delaware Personal Data Privacy Act (DPDPA).  DPDPA is a comprehensive state personal data privacy law.  Multiple other states have enacted data privacy laws including: California, Colorado, Connecticut, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia.  DPDPA becomes effective on January 1, 2025.

Scope

DPDPA applies to persons doing business in the state or producing and targeting products or services towards Delaware residents and that in the prior calendar year, (i) controlled or processed the personal data of 35,000 or more consumers (excluding personal data used only for completing a payment transaction); or (ii) derived more than 20 percent of its gross revenue from the sale of personal data and controlled or processed the personal data of 10,000 or more consumers.  “Personal data” is defined as “information that is linked or reasonably linkable to an identified or identifiable individual,” but excludes de-identified or publicly available information.  DPDPA also addresses the processing of de-identified data and the limitations of the law.

Certain entities are excluded from DPDPA, including, but not limited to, (i) financial institutions and their affiliates to the extent each is subject to Title V of the Gramm-Leach-Bliley Act; (ii) national securities associations registered under Section 15A of the Securities Exchange Act of 1934 or futures associations registered under Section 17 of the Commodity Exchange Act; (iii) any governmental body of Delaware or of a political subdivision of Delaware (but excluding higher education institutions); and (iv) non-profit organizations dedicated exclusively to insurance crime prevention.  Certain data also is excluded from coverage under DPDPA, including, for example, protected health information under HIPAA.

DPDPA differentiates a “controller,” which is an entity that determines the purpose and means of processing personal data, from a “processor,” which is the person that processes personal information on behalf of the controller.

Consumer Rights

DPDPA grants Delaware consumers certain rights with respect to their personal data.  Consumers may request, (i) confirmation of whether the controller is processing the consumer’s personal information and access to that information (unless access requires the controller to reveal a trade secret); (ii) correction of inaccuracies; (iii) deletion of the data obtained about or provided by the consumer; (iv) a copy of that information in a portable and usable format so the consumer can transmit it to another controller (unless it reveals a controller’s trade secret); (v) a list of the third party categories to which the personal data was disclosed; and (vi) to opt out of any data processing for sale (with an exception), targeted advertising, or certain types of profiling for automated decisions.

A controller must reply to a consumer’s request within 45 days of receipt, but can extend this time by 45 days if reasonably necessary and the consumer is informed of the extension and reason within the original 45-day time period.  Responses to a consumer’s request are required to be provided once a year for free, with some exceptions.  If the controller cannot authenticate the consumer’s request, it is not required to comply with it, but must give notice to the consumer stating that it is unable to authenticate the request until additional information is provided.  An opt-out request does not need to be authenticated and can be denied if the controller believes it is a fraudulent request, but the controller must give notice and an explanation to the consumer.  A controller can decline to act on the request, but must inform the consumer within 45 days of receiving the request, explain why no action was taken, and provide instructions for how to appeal.  The appeal process, along with additional requirements, must be conspicuous and similar to the original request process. 

Notice Requirements and Other Obligations

Among other duties, the controller must provide a privacy notice that includes certain information, including, but not limited to, the categories of personal data that it processes, the reason it is processing personal data, any categories of personal data that are shared with third parties, and the process for consumers to exercise their rights under DPDPA, which must include a link on the controller’s website for opting out.  Additionally, DPDPA requires a contract between the controller and processor, and details the contractual requirements.  A controller controlling and processing 100,000 or more consumers’ data, excluding data for a payment transaction, must conduct regular data protection assessments as detailed in the law.

Penalties and Enforcement

There is no private right of action.  The Delaware Department of Justice has exclusive enforcement authority.