Any chancery you might be impacted by the Delaware Personal Data Privacy Act (DPDPA)? (See what we did there?) Impacted companies need to gear up and prepare for compliance as the DPDPA becomes effective on January 1, 2025. The article that follows explains who is covered by the law and provides details about the requirements those businesses need to be aware of.
To Whom Does the Delaware Personal Data Privacy Act Apply?
The DPDPA applies to entities that:
- conduct business in Delaware or produce products or services targeted to residents of Delaware; and, during the prior calendar year, either:
- control or process personal data of at least 35,000 Delaware consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or
- control or process personal data of at least 10,000 Delaware consumers and derive over twenty percent (20%) of their annual gross revenue from the sale of personal data.
Notably, the 35,000-consumer threshold is among the lowest for state privacy laws in effect in the U.S. While this threshold could portend a more sweeping applicability to smaller businesses as compared to similar laws in other states, this may not come to pass in practice given the state’s relatively small population. But it is of interest to note that while neighbors Maryland and Delaware both have a 35,000-consumer threshold, in practice Maryland’s is much lower, equating to just about 0.6% of the state’s population versus about 3.4% of the population of Delaware.[1]
The DPDPA defines consumer as an individual who is a resident of Delaware, and like most other states, specifically excludes individuals acting in a commercial or employment context.
Exemptions
The DPDPA exempts government entities and financial institutions. Additionally, the DPDPA exempts specific types of data such as consumer credit-reporting data, protected health information under HIPAA, and information regulated by the Gramm-Leach-Bliley Act, the Family Educational Rights and Privacy Act, the Airline Deregulation Act, the Farm Credit Act, and the Driver’s Privacy Protection Act.
Like many other state consumer privacy laws, the DPDPA also excludes business-to-business personal data and data provided in the employment context. However, the DPDPA diverges from most other states and does not exempt non-profit organizations (other than nonprofits dedicated to preventing insurance crime, and data collected by nonprofit entities related to victims or witnesses of certain crimes) or public higher education institutions. Delaware’s law is even more stringent than states such as Oregon that take a similar approach, as it does not defer applicability for non-profits for a period of time. Under the DPDPA, non-profit organizations subject to the law need to be ready for compliance from day one (1/1/2025).
Finally, the DPDPA does not contain an entity-level exemption for HIPAA-covered entities and business associates, and instead solely protects certain data covered under HIPAA. Businesses subject to both HIPAA and the DPDPA should consider this distinction if their processing activities involve some data subject to HIPAA and some data that is not, as the DPDPA could still apply to such businesses insofar as their business activities involve data outside the DPDPA’s exemptions.
Consumer Rights
Consumers have the following rights under the DPDPA:
- right to confirm whether or not their personal data is processed (unless access would require the business to reveal a trade secret);
- right to access their personal data (again, unless access would require the business to reveal a trade secret);
- right to correct inaccuracies in their personal data;
- right to deletion of their personal data;
- right to obtain a copy of their personal data;
- right to opt-out of the processing of their personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer; and
- opt-in rights for sensitive data processing.
Business Obligations to Consumers
The DPDPA requires covered entities to:
- respond to consumer requests under the DPDPA within 45 days of receipt of such request (which may be extended an additional 45 days when reasonably necessary, depending on number and complexity of requests);
- if the business declines to act on the consumer’s request, it must inform the consumer and provide instructions on how to appeal the decision that are conspicuously available and similar to the process for submitting consumer rights requests; and
- within 60 days of receipt of a request for appeal, the business must inform the consumer of any action or inaction in response to the appeal, and if denied, provide the consumer with an online mechanism or other method through which the consumer may reach the Delaware Department of Justice to submit a complaint.
Notices to Consumers
Covered entities must provide consumers with a “reasonably accessible, clear and meaningful” privacy notice that includes at a minimum the following:
- the categories of personal data that the business processes;
- the purposes for processing personal data;
- the categories of personal data that a business shares with third parties;
- the categories of third parties with which the business shares personal data;
- an active e-mail address or other online mechanism that the consumer may use to contact the business; and
- the manner in which consumers can exercise their rights under the DPDPA, including the process for appeals of denials of consumer requests.
Other Business Obligations
Covered entities must (the DO’s):
- limit the processing of personal data to only the data that is “adequate, relevant, reasonably necessary, and proportionate” to serve the purposes for which the data is collected and processed;
- establish, implement, and maintain reasonable administrative, technical, and physical safeguards to protect the confidentiality, integrity, and security of the personal data;
- clearly and conspicuously disclose if the business sells consumers' personal data to third parties or engages in targeted advertising;
- provide consumers an opportunity to opt out from the sale of their personal data to third parties or engaging in targeted advertising;
- provide an effective mechanism for consumers to revoke their consent, which should be as easy to use as the mechanism for giving consent;
- if the entity processes the data of more than 100,000 consumers, conduct and document data protection assessments for certain processing activities, such as:
  - targeted advertising,
  - processing sensitive data,
  - selling personal data, or
  - using personal data for certain profiling purposes.
Please note that while these obligations become effective on January 1, 2025, the requirements for data protection assessments are not retroactive and apply only to activities created or generated on or after July 1, 2025.
Covered entities must not (the DON’Ts):
- process consumers’ sensitive data without presenting the consumer with clear notice and an opportunity to opt out of such processing; or, if the consumer is a child, without first obtaining consent from the child’s parent or lawful guardian;
  - Sensitive data is defined as personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, citizenship status, or immigration status; genetic or biometric data; personal data of a known child; and precise geolocation data.
- process personal data in violation of state and federal laws that prohibit unlawful discrimination against a consumer; and
- discriminate against consumers who exercise rights under the DPDPA.
Impact on Data Processors / Vendors
Processors, such as vendors to covered businesses, will most often have direct obligations under the DPDPA, such as:
- adhering to instructions from the covered entity;
- assisting the covered entity with its own compliance obligations; and
- providing necessary information to enable the covered entity to conduct and document data protection impact assessments.
A processor must enter into contracts with covered businesses that govern how it processes personal data on the covered businesses’ behalf. The DPDPA prescribes the following requirements that must be included in data processing agreements between the parties:
- instructions for processing personal data;
- the nature and purpose of processing;
- the type of data subject to processing;
- the duration of processing; and
- the rights and duties of both parties.
Furthermore, the contract must require the processor to do the following:
- ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
- at the business’ direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
- upon the reasonable request of the business, make available all information in its possession necessary to demonstrate the processor’s compliance with the obligations of the DPDPA;
- after providing the business an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and
- allow, and cooperate with, reasonable assessments by the business or the business’ designated assessor, or the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures in support of the obligations under the DPDPA. This assessment must be available to the business upon request.
De-identified and Pseudonymous Data
The DPDPA defines "de-identified data" as data that cannot reasonably be linked to an identified or identifiable individual, and such data is expressly excluded from the definition of "personal data." Like many other state privacy laws, the DPDPA requires businesses to take reasonable measures to ensure that such data cannot be associated with an individual and to enter into a contract with any recipient of the de-identified data providing that the recipient must comply with the business’ obligations under the law.
Furthermore, the DPDPA defines “pseudonymous data” as “personal data that cannot be attributed to a specific individual without the use of additional information.” If a covered entity can show that any additional information necessary to identify the consumer is kept separately and subject to effective technical and organizational measures that prevent the business from accessing such information, then a consumer’s rights to access, delete, and opt-out are not available for such pseudonymous data.
Businesses that process these different types of data should take note of the distinctions and requirements, especially if they handle both de-identified and pseudonymous data. The DPDPA further requires businesses that disclose these two types of data to exercise reasonable oversight to monitor compliance with contractual agreements related to such data, and to take appropriate steps to address breaches of these contractual commitments.
Enforcement
The DPDPA does not provide for a private right of action. The DPDPA is exclusively enforced by the Delaware Department of Justice and provides for a 60-day cure period during which, prior to bringing an enforcement action, the AG will notify a covered entity and grant it an opportunity to cure (if a cure is deemed possible). The cure period is not permanent and will end on December 31, 2025; beginning January 1, 2026, the Delaware Department of Justice maintains discretion over whether to provide a covered entity the opportunity to cure.
Fines and Penalties
Businesses that violate the DPDPA could face civil penalties up to $10,000 per violation, and the Delaware Department of Justice can also seek injunctive relief, restitution, and/or disgorgement.
Endnotes
[1] IAPP US State Privacy Laws Report, 2024 Session (members only)