On September 11, 2023, Delaware became the most recent state to enact a comprehensive data privacy law when Governor John Carney signed the Delaware Personal Data Privacy Act (DPDPA). Delaware joins eleven other states, and the new law, which becomes effective on January 1, 2025, creates unique compliance challenges and risks for companies.
The DPDPA applies to entities that conduct business in Delaware or target products or services to Delaware consumers, and either: (i) controlled or processed personal data from at least 35,000 Delaware residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (ii) controlled or processed personal data of at least 10,000 Delaware residents and derived more than 20 percent of its gross revenue from the sale of personal data. Delaware defines "personal data" as "any information that is linked or reasonably linkable to an identified or identifiable individual, and does not include de-identified data or publicly available information." The term "consumer" is narrowly defined to mean an individual residing in Delaware. However, the term "consumer" does not apply to individuals who act in a commercial or employment context.
The DPDPA grants "consumers" (i.e., Delaware residents acting in an individual capacity, and not in a commercial or employment context) certain access and control rights concerning their personal data. A consumer may submit authenticated requests to a controller to:
- Confirm whether the controller is processing the consumer's data and provide access to the consumer's data.
- Correct inaccurate personal data of the consumer.
- Delete personal data about the consumer.
- Obtain a copy of the consumer's personal data (i.e., data portability).
- Obtain a list of the categories of third parties to which the controller has disclosed the consumer's personal data.
- Opt out of the processing of the consumer's personal data for purposes of targeted advertising, the sale of personal data or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
In addition, the DPDPA requires controllers to take certain actions, including:
- Limiting the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the disclosed purposes for which the personal data is processed.
- Establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of consumers' personal data appropriate to the volume and nature of the personal data at issue.
- Processing consumers' sensitive data only after obtaining the consumer's consent. Sensitive data is defined to include genetic or biometric data for the purpose of uniquely identifying an individual, precise geolocation data, personal data of a known child and personal information revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or non-binary, national origin, citizenship status or immigration status.
- Refraining from discriminating against consumers who exercise the rights granted by the statute.
- Clearly and conspicuously disclosing if the controller sells consumers' personal data to third parties or processes personal data for targeted advertising, and providing consumers an opportunity to opt out via a link on the controller's website.
- By no later than January 1, 2026, allowing consumers to opt out of the selling or processing of their personal data for the purposes of targeted advertising through an opt-out preference signal.
Companies should continue to evaluate their current data collection and privacy practices in light of the new data privacy law and other state privacy law regimes.