Delaware Becomes Twelfth State to Enact Comprehensive Privacy Law
Key takeaway: The Delaware Personal Data Privacy Act, which takes effect January 1, 2025, closely tracks the Oregon Consumer Privacy Act and Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring, but sets a lower applicability threshold, likely to account for Delaware’s smaller population.
On September 11, 2023, Delaware Governor John Carney signed the Delaware Personal Data Privacy Act (the “Delaware Act”) into law. The Delaware Act will go into effect January 1, 2025. Owen Lefkon, Director of the Delaware Department of Justice’s Fraud and Consumer Protection Division, has stated that a public outreach period designed to inform consumers of their rights and businesses of their obligations under the Delaware Act will begin no later than July 1, 2024.
The Delaware Act generally aligns with the Oregon Consumer Privacy Act and Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring; however, there are a few key distinctions.
Applicability and Scope
The Delaware Act applies to persons that conduct business in Delaware or that produce products or services targeted to Delaware residents and that, during the preceding calendar year, either: (1) controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data. As under every state comprehensive privacy law other than California’s, personal data processed in a commercial (business-to-business) or employment context falls outside the scope of the law.
Unlike Connecticut, the Delaware Act does not broadly exempt non-profit organizations from its scope. Non-profit organizations dedicated exclusively to preventing and addressing insurance crime are exempt from the Delaware Act. Personal data collected by non-profits from a victim of or witness to child abuse, domestic violence, human trafficking, sexual assault, a violent felony, or stalking is also exempt. Otherwise, non-profit organizations are subject to the Delaware Act.
The Delaware Act includes both entity and data specific exemptions as found in other jurisdictions’ data privacy laws.
Entity Type Exemptions:
Like other states, the Delaware Act provides exemptions for governmental organizations (but not institutions of higher education), financial institutions subject to Title V of the Gramm-Leach-Bliley Act (“GLBA”), and national securities associations registered pursuant to the Securities Exchange Act.
Data Type Exemptions:
The Delaware Act also exempts data that is subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Driver’s Privacy Protection Act of 1994, the Family Educational Rights and Privacy Act (“FERPA”), the Farm Credit Act, the Airline Deregulation Act, or the Children’s Online Privacy Protection Act (“COPPA”).
Requirements for Controllers
Controllers of personal data must limit their collection to what is adequate, relevant, and reasonably necessary for their disclosed purposes. They must establish, implement, and maintain reasonable administrative, technical, and physical data security practices, and must provide consumers with a mechanism to revoke consent that is at least as easy to use as the mechanism by which consent was given. Additionally, controllers must obtain consent to process sensitive data, or to process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which the data was collected. Sensitive data is defined as data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, citizenship status, or immigration status; genetic or biometric data; personal data of a known child; and precise geolocation data.
Controllers are obligated to provide consumers with a clear, meaningful privacy notice outlining the data processed, the purposes of the processing, how consumers can exercise their rights, any third-party sharing, and contact details for the controller.
If a controller sells personal data or uses it for targeted advertising or profiling, it must clearly disclose that sale or use and provide a mechanism for consumers to opt out of it, including by honoring an opt-out preference signal. Where a controller has actual knowledge, or willfully disregards, that a consumer is at least 13 but younger than 18 years of age, it may not process that consumer’s personal data for targeted advertising or sell that consumer’s personal data without the consumer’s consent.
If a controller controls or processes the personal data of at least 100,000 consumers, it must complete a data protection assessment for each processing activity that presents a heightened risk of harm to consumers. Such activities include (1) the processing of personal data for the purposes of targeted advertising; (2) the sale of personal data; (3) the processing of sensitive data; and (4) the processing of personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of any of the following: (a) unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (b) financial, physical, or reputational injury to consumers; (c) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or (d) other substantial injury to consumers.
Requirements for Processors
Processors must adhere to the controller’s instructions and assist the controller in meeting its obligations under the Delaware Act. Contracts between controllers and processors must include confidentiality requirements, provisions for the deletion or return of personal data at the end of the engagement, and the controller’s right to object to the processor’s use of subcontractors.
Consumer Rights
The Delaware Act grants consumers the right to:
- Confirm whether their personal data is being processed and access their personal data;
- Correct inaccuracies in their personal data;
- Delete personal data provided by or obtained about the consumer;
- Obtain a copy of their personal data;
- Learn about the categories of third parties with whom their data has been shared; and
- Opt out of data processing for targeted advertising, data sales, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
Controllers must respond to consumer requests within 45 days, with a single 45-day extension available where reasonably necessary.
Enforcement
The Delaware Department of Justice (“DOJ”) has exclusive authority to enforce the Delaware Act. Unlike California, the Delaware Act does not provide consumers with any private right of action.
Until December 31, 2025, if the DOJ finds a violation that it believes is curable, it must first issue a notice of violation to the controller. Upon receiving this notice, the controller has sixty (60) days to cure the violation before the DOJ may bring an enforcement action. After that date, whether to grant a cure period is at the DOJ’s discretion.
Delaware’s new privacy law underscores the state’s commitment to data privacy and protection, defining stringent obligations for data controllers and processors. Businesses must reassess and refine their data practices in line with these obligations, especially around obtaining consumer consent and responding to consumer requests.
Koley Jessen will continue to monitor developments related to the law and advise as updates become available. If you have questions on whether your business needs to comply with the law or what steps you must take to comply, please contact one of the specialists in Koley Jessen’s Data Privacy and Security Practice Area.
*Special thanks to summer associate Patrick Fallon for his contributions to this article.