Demystifying the Delaware Personal Data Privacy Act: What Businesses Need to Know

By Dr. Scott Allendevaux, CIPP/US, CIPT, CIPM, CISSP, HCISPP


Greetings, fellow privacy enthusiasts. As of 11 September 2023, there are now one dozen comprehensive state privacy laws in the United States. With Governor John Carney's signature, Delaware joins the ranks of states with comprehensive privacy laws by enacting the Delaware Personal Data Privacy Act (DPDPA). This groundbreaking legislation aims to protect the personal information of Delaware residents while imposing certain obligations on businesses that collect and process such data. In this article, we will provide an overview of the DPDPA, highlight its key provisions, and compare it to other state privacy laws to help you better understand its implications and requirements.

I. Overview of Delaware Personal Data Privacy Act (DPDPA)

The DPDPA is designed to safeguard the personal data of Delaware residents by regulating the collection, use, and disclosure of their information. The law applies to businesses, known as "controllers," that conduct business in Delaware or target its residents, and meet certain jurisdictional thresholds. The DPDPA outlines a set of consumer rights, such as the right to access, correct, and delete personal data, as well as controller obligations, including data collection limitations, consent requirements for sensitive data processing, and the implementation of security practices and privacy notices.

DPDPA At-a-Glance Checklist

Before delving into the specifics, most readers tell me they want to peruse a high-level compliance checklist. Here it is, at-a-glance:

  • Determine Applicability: Confirm whether the law applies to your organization using the applicability decision tree in Section II.
  • Map Personal Data: Identify and document the types of personal data your organization collects, processes, and stores related to Delaware residents.
  • Review and Update Privacy Notice: (a) Ensure your privacy notice includes all required information as per the DPDPA. (b) Make the privacy notice conspicuously available on your website, online services, applications, or mobile applications.
  • Implement Consumer Rights Mechanisms: (a) Establish processes for handling consumer rights requests, such as access, correction, deletion, and data portability. (b) Create a clear and conspicuous opt-out link or mechanism for consumers to exercise their opt-out rights regarding targeted advertising, data sale, and automated decisions.
  • Obtain Valid Consent for Sensitive Data Processing: Ensure that your organization obtains valid consent from consumers before processing sensitive data, including parental consent for minors under the age of 18.
  • Data Security Practices: Implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
  • Data Protection Assessments: Conduct data protection assessments for processing activities that present a heightened risk of harm, if your organization controls or processes the personal data of more than 100,000 consumers.
  • Vendor Management: (a) Review contracts with third-party vendors and ensure they comply with the DPDPA requirements. (b) Monitor third-party vendors for compliance with the law and your organization's privacy policies.
  • Employee Training: Train relevant employees on the requirements of the DPDPA and how to handle consumer rights requests.
  • Monitor Updates and Changes: Stay up-to-date with any changes or updates to the DPDPA and adjust your organization's compliance efforts accordingly.

There are additional elements the DPDPA requires, but the list above conveys the highlights.

Comparison to Other State Privacy Laws

While the DPDPA shares similarities with other state privacy laws, such as California's Consumer Privacy Act (CCPA) and Virginia's Consumer Data Protection Act (CDPA), there are some notable differences. The DPDPA has lower jurisdictional thresholds compared to other states, making it applicable to a wider range of businesses. Additionally, the law does not provide broad exemptions for nonprofits and higher education institutions, unlike some other state privacy laws.

In terms of consumer rights and controller obligations, the DPDPA aligns closely with other state privacy laws, emphasizing transparency, user control, and data protection. However, the law introduces unique elements that businesses must pay attention to, such as the specific requirements for valid consent and the broader definition of sensitive data.

Overall, the Delaware Personal Data Privacy Act adds to the complex landscape of state data privacy laws in the US, requiring businesses to adapt their compliance strategies to meet its specific provisions and protect the personal information of Delaware residents.

But does the law apply to your organization? Reading the next section will help you make that determination.

II. Applicability Exercise

For many readers, the first question is whether the law applies to their organization. The following exercise will help you make that determination.

Step 1: Determine if your business collects personal data of individuals in Delaware. [1]

  • If YES, proceed to Step 2.
  • If NO, the law does not apply to your organization.

Step 2: Assess if your business operates in Delaware or targets Delaware residents. [2]

  • If YES, proceed to Step 3.
  • If NO, the law does not apply to your organization.

Step 3: Assess if your organization meets either of the following criteria during the preceding calendar year:
  (a) Controls or processes the personal data of 35,000 or more Delaware residents (excluding payment transactions); or
  (b) Controls or processes the personal data of 10,000 or more Delaware residents and derives more than 20% of its gross revenue from the sale of personal data.

  • If your organization meets either criterion (a) or (b), proceed to Step 4.
  • If your organization does not meet either criterion, the law does not apply to your organization.

Step 4: Check if your organization falls under any specific exemptions, such as:
  (a) Nonprofit organizations dedicated exclusively to preventing and addressing insurance crime; or
  (b) Nonprofit organizations that provide services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking.

  • If your organization falls under any of these exemptions, the law does not apply to your organization.
  • If your organization does not fall under these exemptions, the law applies to your organization, and you must comply with its provisions.

This applicability exercise is intended to be representative of most outcomes but may not cover every scenario.

III. Key Provisions of the DPDPA

Understanding the key provisions of the Delaware Personal Data Privacy Act is essential for businesses to ensure compliance and protect the personal information of Delaware residents. In this section, we will delve into the main aspects of the DPDPA, including its scope and applicability, consumer rights, and controller obligations.

Scope and Applicability

The DPDPA applies to businesses, known as "controllers," that conduct business in Delaware or target its residents and meet specific jurisdictional thresholds. These thresholds are lower than those found in other state privacy laws, making the DPDPA applicable to a broader range of businesses. Notably, the law does not provide broad exemptions for nonprofits and higher education institutions, unlike some other state privacy laws.

Consumer Rights

The DPDPA grants several rights to consumers, aligning closely with those found in other state privacy laws. These rights include:

  • Access, correction, and deletion of personal data: Consumers have the right to confirm if a controller is processing their personal data, access that data, correct any inaccuracies, and request the deletion of their personal data.
  • Data portability and third-party disclosures: Consumers have the right to obtain a copy of their personal data in a portable, readily usable format, and access a list of third parties to which their data has been disclosed.
  • Opt-out rights for targeted advertising, data sale, and automated decisions: Consumers have the right to opt out of the processing of their personal data for targeted advertising, the sale of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

Controller Obligations

Controllers are required to meet specific obligations under the DPDPA. These obligations include:

  • Data collection limitations: Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the intended purposes of processing.
  • Consent requirements for sensitive data processing: Controllers are prohibited from processing sensitive data without obtaining valid consent from the consumer or, if the consumer is under the age of 18, consent from a parent or guardian.
  • Security practices and privacy notices: Controllers must implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. They are also required to provide a privacy notice that outlines the categories of personal data processed, the purpose of processing, and how consumers can exercise their rights.

IV. Compliance and Enforcement

Ensuring compliance with the Delaware Personal Data Privacy Act is crucial for businesses to avoid penalties and maintain the trust of their customers. In this section, we will discuss the key aspects of compliance and enforcement, including valid consent and consumer rights requests, privacy notice requirements, data protection assessments, and the role of the Delaware Department of Justice in enforcing the law.

Valid Consent and Consumer Rights Requests

Obtaining valid consent from consumers is a critical aspect of compliance with the DPDPA. Consent must be a clear affirmative act, freely given, specific, informed, and unambiguous. Businesses must also establish a process to handle consumer rights requests, such as access, correction, and deletion of personal data, and respond to these requests within 45 days, with a possible 45-day extension if necessary.

Privacy Notice Requirements

To comply with the DPDPA's transparency obligations, businesses must provide a reasonably accessible, clear, and meaningful privacy notice to consumers. This notice should include information about the categories of personal data processed, the purpose of processing, how consumers can exercise their rights, and the categories of third parties with whom personal data is shared.

Data Protection Assessments

Businesses that control or process the personal data of more than 100,000 consumers are required to conduct data protection assessments for each processing activity that presents a heightened risk of harm. These assessments involve identifying and weighing the benefits of the processing activity against the risk of harm to the consumer. Assessments completed in line with other similar privacy laws can be considered valid in Delaware.

Enforcement by the Delaware Department of Justice

The Delaware Department of Justice is responsible for implementing and enforcing the DPDPA. It has the authority to investigate and prosecute violations of the law. Violations of the DPDPA are considered unfair trade practices, with a maximum penalty of $10,000 per violation.

V. Conclusion

In conclusion, the Delaware Personal Data Privacy Act introduces a new approach to data privacy, requiring businesses to adapt their compliance strategies and protect the personal information of Delaware residents. As more states follow suit, staying ahead of the game and understanding the implications of these laws becomes a top priority for businesses operating in the US. By familiarizing themselves with the key provisions, consumer rights, and controller obligations, businesses can better navigate the complex landscape of state data privacy laws and ensure the protection of their customers' personal information.


Footnotes

[1] Personal data refers to any information that identifies, relates to, describes, or is associated with a particular individual. This may include, but is not limited to, a person's name, physical address, email address, telephone number, Social Security number, or any other identifier that permits the physical or online contacting of the individual. It also encompasses any other information about the individual collected by your organization and maintained in a personally identifiable form in combination with any of the previously mentioned identifiers.

[2] The DPDPA specifically applies to individuals who reside in Delaware. Therefore, your organization needs to assess whether the personal data it collects pertains to individuals living in the state.

About the Author

Scott Allendevaux has a doctorate in law and policy from Northeastern University and is senior practice lead of law and policy at Allendevaux & Company. He can be reached at [email protected].

Need Any Help?

Data protection specialists at Allendevaux & Company implement and maintain data protection programs for multinational organizations, helping them weave the requirements of statutory and contractual laws into their policies and procedures. They usually choose a best-practice framework to employ, such as SOC2 or NIST standards. More popular as of late is stacking ISO standards to create a superstructure of heightened controls, such as ISO 27001 as a foundation, adding ISO 27017 for added cloud security controls, ISO 27018 for PII cloud processors, and ISO 27701 for a privacy management system. NIST controls can also be integrated into this stack. When taking this stackable approach, the requirements of domestic and foreign laws as well as contractual obligations can be integrated into a holistic data protection program, resulting in a certified management system audited by internal and external auditors, producing a certified attestation of assurance that your organization can be trusted to process information responsibly and lawfully. This is a primary focus of Allendevaux & Company, along with the supporting work of its cybersecurity division that provides vulnerability management and independent penetration assessments. More information is available at www.allendevaux.com.
