Cybersecurity & Data Privacy

Publications

Privacy Laws by the Dozen: Delaware Becomes 12th State to Enact Comprehensive Privacy Law

On September 11, 2023, Delaware’s Governor, John Carney, signed House Bill 154, enacting the Delaware Personal Data Privacy Act (the “DPDPA”). Delaware is the twelfth state to enact a state comprehensive privacy law, and the DPDPA is the seventh of such laws to be enacted since the end of March 2023. The DPDPA will take effect on January 1, 2025, and has many similarities to the other state comprehensive privacy laws. Of note, like the Oregon Consumer Data Privacy Act and the Colorado Privacy Act, the DPDPA applies to non-profit organizations and institutions of higher education.

Applicability

The DPDPA applies to persons or entities conducting business in Delaware or producing products or services that are targeted to residents of Delaware and that, during the preceding calendar year, either:

  1. controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. controlled or processed the personal data of not less than 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data.

Notably, the DPDPA does not apply to governmental entities (other than institutions of higher education), financial institutions governed by the Gramm-Leach-Bliley Act, or non-profit organizations dedicated exclusively to preventing and addressing insurance crime, among other entities. Other non-profit organizations are not exempt from the DPDPA, although the DPDPA exempts personal data of a victim of or witness to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking that is collected, processed, or maintained by a nonprofit organization that provides services to such victims or witnesses.

Additionally, while the DPDPA does not exempt HIPAA covered entities or business associates or institutions of higher education, it exempts certain types of information typically held by such entities, including protected health information under HIPAA and certain other patient-identifying information; information provided by or to a HIPAA covered entity for public, community, or population health activities and purposes authorized by HIPAA; and personal data regulated by the Family Educational Rights and Privacy Act. The DPDPA also exempts data processed or maintained in the course of employment.

Key Definitions         

Like the vast majority of the state comprehensive privacy laws, the DPDPA narrowly defines “consumer” to mean an individual who is a Delaware resident acting in any capacity other than in a commercial or employment context. As a result, employee personal data and business contact personal data fall outside the scope of the DPDPA.

With respect to such consumers, the DPDPA regulates their “personal data,” in addition to a special category of personal data known as “sensitive data,” which it defines as (i) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, citizenship status, or immigration status; (ii) genetic or biometric data; (iii) personal data of a known child (i.e., an individual under thirteen); or (iv) precise geolocation data.

Under the DPDPA, the “sale of personal data” means the exchange of personal data for monetary consideration or other valuable consideration by the controller to a third party, which aligns with the definitions in the state comprehensive privacy laws in California, Connecticut, Colorado, Montana, Florida, Texas, and Oregon. The DPDPA also provides broad exceptions to the definition of “sale” that are similar to exceptions in other state comprehensive privacy laws and should cover many ordinary business activities, such as disclosure of personal data to a processor who processes the personal data on behalf of a controller or to a third party or affiliate for the purpose of providing a product or service requested by a consumer.

Compliance

In general, the compliance obligations found in the DPDPA are substantially similar to those found in the other state comprehensive privacy laws, including the requirement for controllers to provide a compliant privacy notice to consumers and to enter into contracts with processors that process personal data on their behalf. Further, like the privacy laws in Colorado, Connecticut, Florida, Indiana, Montana, Tennessee, Texas, Virginia, and Oregon, the DPDPA requires controllers to conduct and document, on a regular basis, data protection assessments of any processing activities that involve personal data used in targeting advertising, the sale of personal data, the processing of sensitive data, or, in certain instances, profiling. However, the DPDPA is unique in that the obligation to conduct these assessments only applies to controllers that process the data of at least 100,000 consumers.

Consumer Rights and Requests

The DPDPA also aligns with the other state comprehensive privacy laws in that it grants consumers rights regarding their personal data. Specifically, the DPDPA grants consumers the right to make requests to (1) confirm whether a controller is processing the consumer’s personal data and access such personal data; (2) correct inaccuracies in their personal data; (3) delete their personal data; (4) obtain a copy of their personal data; (5) obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data; and (6) opt out of the processing of their personal data for targeted advertising, the sale of personal data, or certain types of profiling.

Under the DPDPA, when a consumer requests to exercise these rights, a controller has 45 days to respond, which may be extended once by an additional 45 days when reasonably necessary considering the complexity and number of the consumer’s requests. Additionally, the DPDPA requires a controller to provide consumers with an appeals process if it denies a consumer’s request, and a controller has 60 days to respond to an appeal. The state comprehensive privacy laws in California and Utah do not contain a right to appeal.

Enforcement

Similar to other state comprehensive privacy laws, the DPDPA does not permit private rights of action. Rather, the Delaware Department of Justice has exclusive enforcement authority, and it can seek civil penalties of up to $10,000 for each “willful” violation of the law, meaning the violating controller or processor knew or should have known it was violating the law.

If the Delaware Department of Justice determines a violation is curable, then, before the Delaware Department of Justice can bring an enforcement action, the violating controller or processor will receive a 60-day period to cure such violation. However, this right to cure sunsets on December 31, 2025, after which it is within the Delaware Department of Justice’s discretion to offer the right to cure. Beginning on January 1, 2026, the Delaware Department of Justice may, in determining whether to grant an opportunity to cure an alleged violation, consider the following: (1) the number of violations; (2) the size and complexity of the controller or processor; (3) the nature and extent of the controller’s or processor’s processing activities; (4) the substantial likelihood of injury to the public; (5) the safety of persons or property; (6) whether such alleged violation was likely caused by human or technical error; and (7) the extent to which the controller or processor has violated this or similar laws in the past.

Conclusion

The passage of state comprehensive privacy laws continues apace. While these laws contain many similarities, they are not uniform. In particular, the DPDPA furthers the recent trend of pulling non-profit organizations into the scope of the law. Maintaining compliance efforts with the state comprehensive privacy laws will be important for all covered businesses, but especially for businesses, whether for-profit or non-profit, that have not been subject to such laws in the past.

If you would like assistance with, or have any questions about, complying with the DPDPA or other data privacy laws, or need assistance reviewing your data privacy practices, please contact one of our Cybersecurity & Data Privacy attorneys. Check out our U.S. Privacy Laws page for more information.

Special thanks to Nate W. Gatter for his contributions to this article.

Firm Highlights
Client Alert

Federal Funds Available for Energy Investments Powering Up in 2024

More
Client Alert

Department of Labor Retools FLSA Independent Contractor Rule – Again

More
Diversity & Inclusion

BLSA Recognizes Lewis Rice with “Leader in Diversity” Award

More
Client Alert

Important Update – The Corporate Transparency Act: What Small (and Not-So-Small) Businesses Need to Do

More
News

Lewis Rice Kansas City Office Names Four New Members of the Firm

More
News

Lewis Rice Names Three New Members of the Firm

More
News

FarmProgress Discusses Rails to Trails Compensation

More
News

Michael P. Davidson Named to Missouri’s 2024 POWER List in Health Care Law

More
Client Alert

New Hampshire: the 14th State to Enact a Comprehensive Privacy Law

More

Lewis Rice LLC (“we”) use cookies to improve our products and your experience on our websites by evaluating the use of our website and services, to personalize content and ads, to provide social media features and to analyze our traffic. We also share information about your use of our site with our social media, advertising and analytics service providers. For more information, please see our Cookie Policy.

By continuing to browse or by clicking “Accept All Cookies” you direct us to disclose your personal information to these service providers for those purposes and agree to the storing of first-party and third-party cookies on your device.