Delaware is already known as the mecca of corporations; seriously, 66% of the Fortune 500 call the state “home”. Now it can add being the 13th state to roll out consumer data privacy laws to its repertoire, if you will. Governor Carney signed HB154 into law on Monday, September 11th, and the law will take effect on January 1, 2025. What do you need to know? Let’s unpack!
The new consumer data privacy law will apply to persons that conduct business in the State or persons that produce products or services that are targeted to residents of the State and that during the preceding calendar year did any of the following:
(1) Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
(2) Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data.
Notice that these parameters are much, much lower than in other states that have passed similar laws; the threshold is not very high in Delaware.
Consumers will have the right to request the following for free once during a 12-month period.
- Right to know and access
- Right to correct
- Right to delete
- Right to data portability
- Right to obtain a list of third parties with whom their personal data was shared
- Right to opt out of:
  - Targeted Advertising
  - Sale of personal data
  - Decision Profiling
Businesses must establish secure and reliable means for consumers to exercise their rights.
Businesses must respond to consumer requests within 45 days. They may extend the response time by an additional 45 days when reasonably necessary, but must inform consumers of the extension within the initial 45-day period.
If the business denies a consumer data privacy request, it must inform the consumer within 45 days of the reason for denying the request, along with instructions for how the consumer may appeal the decision.
Businesses must establish an appeal process for consumers whose requests are not handled within a reasonable period. The appeal process must be conspicuously available and similar to the process of exercising a request. Businesses must notify the consumer in writing within 60 days of any action taken or not taken, with a written explanation. If an appeal is denied, the business shall provide the consumer with an online option or other method to contact the Department of Justice to submit a complaint.
Businesses shall comply with the following:
- Limit collection of personal data to what is reasonably necessary for the purpose
- Establish and maintain data security practices to protect the confidentiality and integrity of personal data
- Provide an effective mechanism for consumers to revoke consent as easily as it was provided. Upon revocation, processing of data must cease within 15 days
- Provide one or more secure ways for consumers to submit requests to exercise their rights
- Establish data protection assessment practices
A business cannot:
- Process personal data for purposes that are not necessary for the purpose disclosed, unless the business obtains consumer consent
- Process sensitive data without consumer consent
- Discriminate against consumers who exercise their consumer rights
The privacy notice shall include:
- Categories of personal data processed
- Purpose of processing personal data
- How a consumer can exercise their rights, including how they can appeal a decision regarding their request
- Categories of personal data shared with third parties
- Categories of third parties with which the business shares personal data
- Email or other online option a consumer may use to contact a business
If the business sells personal data to third parties or processes personal data for targeted advertising, it shall clearly and conspicuously disclose this to consumers and offer a manner in which the consumer can opt out.
Enforcement authority is given to the Department of Justice. There is a cure period running from the effective date of January 1st through December 31st of 2025, during which the DOJ must provide prior notice before taking action. If the business cannot cure the violation within 60 days of notice, the DOJ will bring enforcement action. From January 1st of 2026 forward, the DOJ will determine whether it will grant a business an opportunity to cure based on:
- The number of violations
- The size and complexity of the business
- The nature and extent of the processing activities
- The substantial likelihood of injury to the public
- The safety of persons or property
- Whether such alleged violation was likely caused by human or technical error
- The extent to which the business has violated this or similar laws in the past
There is no private right of action provided under this new law.