On September 11, 2023, Delaware Governor John Carney signed the Delaware Personal Data Privacy Act (HB 154) into law, making Delaware the twelfth US state to pass a consumer privacy law (and the seventh in 2023 alone). Like Connecticut, Colorado and Indiana, Delaware’s new law occupies a middle ground between detailed privacy regimes like the California Consumer Privacy Act (CCPA, as modified by the California Privacy Rights Act) and more business-friendly mandates like those in Iowa or Utah. While the new Delaware law eschews the CCPA’s broad application and its prescriptive disclosure requirements, it also features more extensive consumer rights than the Iowa and Utah laws.
The Delaware Personal Data Privacy Act will become effective on January 1, 2025.
Who and what data are protected?
The Delaware Personal Data Privacy Act defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable individual” excluding both de-identified and publicly available information. Data regarding consumers when they are acting in a commercial or employment context is also outside the scope of the Delaware Personal Data Privacy Act.
Who must comply?
The Delaware act contains a relatively low processing threshold, applying to persons that controlled or processed the personal data of at least 35,000 Delaware residents in the preceding year. While this is lower in absolute terms than the 100,000-resident threshold adopted by states like Colorado, Utah, Iowa, and Connecticut, it should be noted that it represents a greater proportion of Delaware’s statewide population than the 100,000 threshold does in those respective states. It should also be noted that the “data merchant” provision diverges from other states’ privacy legislation in that it applies to persons that control or process the personal data of at least 10,000 Delawareans and derive at least 20% of their gross revenue from the sale of data (whereas most states put this figure at either 25% or 50%).
The Delaware Personal Data Privacy Act contains numerous exceptions and carve-outs, including a data-level exception for protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). It also contains some unique exceptions, including one for nonprofits “dedicated exclusively to preventing and addressing insurance crime”, though other nonprofits will be subject to the new law.
Data Subject Rights. The Delaware Personal Data Privacy Act gives consumers the right to:
- Confirm if a controller is processing their personal data and to access such data;
- Correct inaccurate personal data;
- Request the deletion of their personal data;
- Obtain a copy of their personal data in a portable, readily usable format;
- Obtain a list of the categories of personal data a controller shares with third parties;
- Opt out of targeted advertising, the sale of their personal data (as is becoming increasingly common, “sale” is defined to include exchange for both monetary and other valuable consideration), and profiling for automated decisions that produce legal or significant effects on the consumer.
A controller in receipt of a request by a consumer to exercise their rights must respond without undue delay and not later than 45 days after receipt of the request, a period which may be extended by an additional 45 days when reasonably necessary. If a controller declines to take the requested action, it must inform the consumer of the justification for refusing to take action.
The controller must also establish an appeal process, which should be conspicuously available and similar to the process for submitting requests. Consumers should be informed of appeal decisions within 60 days of receipt of the appeal and, if the appeal is denied, the consumer should be provided with a justification along with instructions for contacting the Department of Justice to submit a complaint.
Privacy Notices. Controllers must provide a reasonably accessible, clear, and meaningful privacy notice that describes the categories of personal data processed, the purpose of the processing, how consumers can exercise their rights (including a secure, reliable means to submit requests to exercise data subject rights and to verify the identity of the requestor, along with instructions on how to appeal decisions), the categories of data shared with third parties and the categories of third parties with whom data is shared, and an active email address or other online mechanism through which consumers can contact the controller. The controller must also disclose clearly and conspicuously if it sells personal data or processes it for the purpose of targeted advertising, as well as the manner through which consumers can opt out of such processing.
Other Requirements. The Delaware Personal Data Privacy Act contains data minimization principles and a requirement to obtain consent for the processing of “sensitive data”, which is defined broadly and includes transgender and non-binary status.
Further, a controller that controls or processes the personal data of at least 100,000 consumers (excluding data processed solely for the purpose of completing a payment) must complete a data protection assessment for each processing activity that poses a heightened risk of harm, including processing for the purpose of targeted advertising, the sale of personal data, the processing of sensitive data, and the processing of personal data for profiling that involves a risk of unfair or deceptive treatment of consumers. As under the GDPR, controllers and processors must enter into binding agreements that set forth instructions for the processing of personal data.
The Delaware Department of Justice has enforcement authority. Until December 31, 2025, the Department of Justice must provide a 60-day cure period to alleged violators before commencing enforcement; after January 1, 2026, the cure period will be at the discretion of the Department of Justice. The Act does not specify any fines or other remedies that the Delaware Department of Justice may seek for violations of the Act, and there is no private right of action.
In the first instance, businesses should undertake data mapping to determine whether the new Delaware Personal Data Privacy Act applies to them. Because of the novel applicability provisions, businesses should not necessarily presume that they are outside the scope of the Act based on experiences with other consumer privacy laws. Should you have questions about this or other data privacy issues, reach out to any of the Baker McKenzie attorneys listed in this alert.