What is the Delaware Personal Data Privacy Act (DPDPA): The Basics

Written by Matt Davis, CIPM (IAPP) | November 17, 2023

The patchwork of U.S. states enacting consumer data privacy laws continues to expand with the Delaware Personal Data Privacy Act (DPDPA).  

The law is being touted as “the strongest data privacy bill in the nation.” While that’s not exactly the case — California still holds this title — it is more consumer-friendly than other state laws, and it applies to more businesses (and not just large companies). 

Let’s explore the DPDPA and what it means for companies doing business with Delawareans. 

What Is the DPDPA?    

As a reminder, while there are laws that protect certain types of data, like health information, there’s no federal law dictating how personal data is collected, stored, or shared. Not only do consumers not know what data is being collected, they don’t know how it’s being shared or used.  

To address this, states are implementing their own data protection policies, giving consumers rights and providing responsibilities for those that collect, process, store, or sell consumer data. 

Delaware is the 12th state in the nation to implement a comprehensive data privacy act to give consumers more control over their personal data. The law takes effect Jan. 1, 2025 and provides an additional year to begin recognizing universal opt-out mechanisms.  

Who Must Comply With Delaware’s Privacy Act? 

So far, exemptions have left some entities relatively unscathed by state privacy acts. Delaware’s privacy act, though, has lower applicability thresholds, which means some companies that haven’t had to comply in the past will now be on the hook for DPDPA compliance. 

DPDPA applies to any company that does business in the state or produces products or services that are targeted to residents of the state and that, during the previous calendar year, met one of the following:  

  • Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.  
  • Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data. 

The 35,000-consumer threshold is the lowest among data privacy laws so far. This, combined with the gross revenue threshold — just 20 percent — means the DPDPA will apply to more small and medium-sized companies than its predecessors.  

DPDPA Exemptions  

Like other laws, the DPDPA provides exemptions based on the entity and type of data.  

Exempt entities include government bodies, higher education institutions, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), nonprofit organizations dedicated to preventing insurance crime, entities registered under the Commodity Exchange Act, and national securities associations registered under the Securities Exchange Act.  

The list of exempt data types is longer but is still relatively standard among privacy laws. It includes:  

  • Protected health information under the Health Insurance Portability and Accountability Act (HIPAA) and certain health information that identifies patients and human subjects or relates to public health activities. 
  • Financial information that would have a bearing on a consumer’s credit, including their creditworthiness, credit standing, capacity, and general reputation. 
  • Personal data collected, processed, sold, or disclosed in compliance with the Driver’s Privacy Protection Act, Family Educational Rights and Privacy Act (FERPA), or Farm Credit Act.  
  • Data processed for employment purposes or as an emergency contact for another person. 
  • Price, route, or service data covered by the Airline Deregulation Act. 
  • Personal data of a victim or witness to child abuse, domestic violence, human trafficking, sexual assault, a violent felony or stalking when the information is collected, processed or maintained by a nonprofit that provides services to the victims or witnesses.  
  • Data subject to the Gramm-Leach-Bliley Act. 

Rights the Delaware Privacy Act Grants Consumers 

DPDPA aligns with all other state laws in terms of the rights it grants consumers, including to:  

  1. Confirm whether a controller is processing their personal data and to access such personal data (unless access would reveal a trade secret). 

  2. Correct inaccuracies in their personal data.  

  3. Delete personal data provided by or obtained about the consumer. 

  4. Obtain a copy of their data collected in a portable and readily usable format.  

  5. Obtain a list of categories of third parties to which the controller has disclosed their personal data.  

  6. Opt out of the processing of their personal data for targeted advertising, sale, or profiling. 

Again, comparable to other laws, the DPDPA gives controllers 45 days to respond to a consumer’s request, allows an extension of 45 days in certain circumstances, and requires the controller to notify the consumer if they decline to take action as well as provide instructions for appealing the decision.  

Controller Duties Under Delaware’s Privacy Act 

Delaware’s privacy law requires controllers to limit the collection of personal data to what is “adequate, relevant, and reasonably necessary” based on the purpose disclosed to the consumer, and not to process it for any other purpose.   

It also states that controllers must set up safety and security measures to protect personal data of consumers. Companies can’t process data if it would enable discrimination, nor can they discriminate against those who exercise their rights.  

Controllers must gain opt-in consent to process sensitive data or data of a known child.  

Finally, controllers must provide consumers with a privacy notice that gives them a clear explanation of what data they collect, how it’s used and shared, how to exercise their rights, and how to opt out of the sale of personal data and use of their data for targeted advertising.  

Processors, or those who process data on behalf of a controller, must help controllers meet their obligations and be in a contract that governs data processing procedures. 

The DPDPA and Data Protection Assessments 

Delaware joins several other states that require Data Protection Assessments, including California, Colorado, Connecticut, Indiana, Montana, Oregon, Tennessee, Texas, and Virginia. 

If you control or process data of at least 100,000 consumers, Delaware’s privacy law says you must conduct a data protection assessment for any activity that presents a heightened risk of harm to a consumer. These activities include:  

  • Targeted advertising 
  • Selling personal data  
  • Profiling, if there’s a risk of: 
      • Unfair or deceptive treatment of consumers  
      • Financial, physical, or reputational injury  
      • Intrusion upon the solitude or seclusion of a consumer (if the intrusion would be “offensive to a reasonable person”)  
  • Processing sensitive data 

Enforcement of the Delaware Personal Data Privacy Act 

The DPDPA gives enforcement authority to the state’s Department of Justice (DOJ).  

Like other state laws, those who violate the law will be given a right to “cure” the issue. The DPDPA doesn’t specifically outline the penalty for violating the law, but states the Department may “investigate and prosecute violations of this chapter in accordance with the provisions of Subchapter II of Chapter 25 of Title 29.” In other words, if you break the law, the penalty could be up to $10,000 per violation.   

The cure provision, which is 60 days, is only meant to help businesses transition to the law. Like several other state laws, including Oregon, California, Connecticut, and Colorado, Delaware’s cure period “sunsets” on Jan. 1, 2026. The idea is that over time, businesses should know and understand their expectations and ensure they’re in compliance before they receive an enforcement notice.  

After the cure period sunsets, the Department can choose whether to provide a cure period based on several factors, such as the number of violations, size and complexity of the controller or processor, likelihood of injury to the public, and other considerations.   

Compliance with the DPDPA 

Many Delaware businesses and companies that operate in multiple states will need to ensure they understand the DPDPA and its requirements for protecting consumers’ data. Seek out legal counsel and work to create compliant policies and procedures to meet the law. 

If you find your head swirling with all the new and upcoming laws, it may be time to look into Osano’s Consent Management Platform, which can take the headache out of maintaining compliance with not just Delaware’s law, but other state laws and those still on the horizon.   

Delaware Privacy Act FAQs 

What is the DPDPA effective date?  

The Delaware Personal Data Privacy Act goes into effect Jan. 1, 2025.   

How does Delaware’s privacy law define sensitive data and what are the rules?  

Sensitive data is defined as data that reveals:  

  • Racial or ethnic origin  
  • Religious beliefs  
  • Mental or physical health condition or diagnosis  
  • Sex life  
  • Sexual orientation 
  • Status as transgender or nonbinary  
  • Citizenship status or immigration status  
  • Genetic or biometric data 
  • Personal data of a known child (with child defined as those under 13 years of age)  
  • Precise geolocation data  

DPDPA states that sensitive data can’t be processed without the consumer’s (or their parent or guardian’s) consent. 

Does the DPDPA have a private right of action?  

No. When the DPDPA was passed, the only state with a private right of action was California, and only in certain circumstances.  

What does Delaware’s privacy act say about universal opt-out mechanisms? 

Businesses must recognize Global Privacy Controls (GPC) and other universal opt-out mechanisms by Jan. 1, 2026.