Delaware Privacy Bill Signed Into Law
On September 12, Delaware governor, Governor John Carney, signed into law the Delaware Personal Data Privacy Act (DPDPA). According to a statement provided to Delaware Public Media by Owen Lefkon, Director of the Department of Justice's Fraud and Consumer Protection Division, the bill "puts the control back in the hands of the consumer."
Key Provisions Under the Act
Applicability
The DPDPA applies to two tiers of data controllers and processors. The first tier includes persons conducting business in Delaware or producing products or services targeted to Delaware residents who also control or process the personal data of at least 35,000 consumers. The second tier includes controllers and processors who handle the data of at least 10,000 consumers and derive 20 percent of their gross revenue from consumers’ personal data.
For both tiers, personal data controlled or processed for the sole purpose of completing a payment transaction is excluded. Notably, the DPDPA also exempts:
● Nonprofit organizations that are “dedicated exclusively to preventing and addressing insurance crime”
● Personal data belonging to a victim of or witness to “child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking that is collected, processed, or maintained by a nonprofit organization that provides services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking”
● State governmental entities, except for “any institution of higher education”
● Protected health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
● Financial institutions covered by the Gramm-Leach-Bliley Act (GLBA).
Consumer Rights
The consumer rights outlined in the DPDPA are similar to those rights provided under the Connecticut Data Privacy Act (CDPA), which was signed into law on April 28 2022. Consumers have the right to:
● Confirm with a data controller that their personal data is being collected and request access to said collected data, unless complying with this request would require the controller to “reveal a trade secret”
● Correct any inaccuracies in the consumer’s collected personal data
● Delete incorrectly-collected or retained personal data
● Obtain a copy of their collected personal data “in a portable and . . . readily usable format”
● Opt-out of the processing of their personal data for the purposes of:
○ Targeted advertising
○ Sale to a third-party
○ Profiling the consumer solely for the purpose of advancing “automated decisions that produce legal or similarly significant effects concerning the consumer.”
Distinct from the rights granted under the CDPA, the DPDPA also provides consumers with the right to:
● Opt-out, without the request having to be authenticated;
● Obtain “a list of the categories of third parties to which the controller has disclosed the consumer’s personal data”
The DPDPA also authorizes the Delaware Attorney General’s Office (AG) to publish a list on its website of authorized agents that consumers can designate “to act on the consumer’s behalf to opt out of the processing of such consumer’s personal data” based on the specific circumstances outlined under Section (a)(6) of the DPDPA.
Furthermore, similar to most other privacy legislations passed in the United States, the DPDPA contains specific provisions surrounding privacy rights when the consumer is a child and where the information being processed is deemed “sensitive.”
Under the DPDPA, a data controller is required to obtain a consumer’s consent to process their personal data for the purposes of engaging in targeted advertising or selling the data if the consumer is between the ages of 13 and 18. For children under the age of 13, this consent must be given by the child’s parents or lawful guardians. This mirrors the age requirement in Connecticut, with the passage of Senate Bill 3, which was signed by the Connecticut Governor, Governor Ned Lamont, on June 26, 2023, and increased Connecticut's maximum age of consent from 16 to 18 years.
Along with many other state privacy laws already passed, the DPDPA requires any data that is sensitive—defined as information that reveals, among other things, the race, ethnicity, or mental or physical health of an individual, discloses their status as transgender or nonbinary, provides the consumer’s precise geolocation data, or meets the definition of genetic or biometric data —be subject to consumer consent prior to processing.
Enforcement
The Act will be enforced by the AG and there is no private right of action granted to consumers. If a violation of the Act is assessed, the Act grants a Covered Entity a 60-day cure period to correct any violations. However, this automatic provision of a cure period is revoked on December 31, 2025. After which, the ability to cure will be subject to the determination and assessment of the AG.
Effective Date
The Act will go into effect January 1, 2025. However, Lefkon confirmed that the Delaware Department of Justice will begin public outreach efforts no later than July 1, 2024 “to inform consumers of their rights and businesses of their obligation.”