Delaware enacts Delaware Personal Data Privacy Act
On June 30, 2023, Delaware’s state legislature unanimously passed a comprehensive data privacy bill, House Bill 154 (HB 154), which was subsequently signed into law as the Delaware Personal Data Privacy Act on September 11, 2023, by Gov. John Carney. Delaware has become the twelfth state to adopt data privacy measures aimed at giving consumers more control over their personally identifiable information, following in the footsteps of California, Colorado, Connecticut, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia.
Effective January 1, 2025, businesses operating within the state of Delaware or engaging in the collection of data from Delaware residents will be mandated to observe certain data privacy principles when collecting personal information. This measure is intended to empower consumers by granting them explicit rights concerning the collection and utilization of their personal information, while also mandating the establishment of mechanisms and procedures that facilitate consumers in the exercise of these newly acquired rights.
Applicability of Delaware’s data privacy law
Similar to other state data privacy laws aimed at safeguarding consumers, the Delaware Personal Data Privacy Act incorporates specific compliance thresholds for businesses.
Delaware’s data privacy law applies to entities conducting business in Delaware (or producing products or services targeted to Delaware residents) and entities that control or process the personal data of not less than 35,000 Delaware residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction. This is a notable deviation from the traditional 100,000 consumer threshold of the majority of states. Entities also covered by the Delaware Personal Data Privacy Act include those that control or process the personal data of not less than 10,000 Delaware residents and derive more than 20% of their gross revenue from the sale of personal data. Again, this lowers the applicability threshold compared to other states with similar laws.
However, the Delaware Personal Data Privacy Act lists a number of notable exemptions for certain entities and information including:
- State entities and political subdivisions of the state
- Any financial institution or affiliate of a financial institution subject to the Gramm-Leach-Bliley Act (GLBA)
- Health information protected under the Health Insurance Portability and Accountability Act (HIPAA)
- Non-profit organizations that are dedicated exclusively to preventing and addressing insurance crime and non-profit organizations that provide services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking
Delaware also enumerates additional privacy protections for children between the ages of 13 and 18: controllers cannot process a consumer’s personal data for purposes of targeted advertising, or sell that personal data, without the consumer’s consent if the controller has actual knowledge, or willfully disregards, that the consumer is at least 13 years of age but younger than 18 years of age. In doing so, Delaware joins Connecticut in elevating the age limit found in other currently passed state consumer data privacy laws from under 16 years of age to under 18.
Delaware privacy notice requirements
Under the law, controllers are required to provide Delaware residents with a privacy notice that specifies:
- Categories of personal data processed
- Purposes for processing personal data
- How consumers may exercise their consumer rights
- Categories of personal data that are shared with third parties
- Categories of third parties with which the controller shares personal data
- Email address or online mechanism that the consumer may use to contact the controller
Controllers will be required to establish, and describe in their privacy notice, one or more secure and reliable means for consumers to submit a request to exercise their consumer rights. Specifically, this will need to include a link on the controller’s website to opt out of targeted advertising or the sale of personal data.
Consumer rights to control personal data in Delaware
The Delaware Personal Data Privacy Act gives consumers specific rights to control their personal data. Consumers have the following personal data rights:
- Right to confirm whether a controller is processing
- Right to correct personal data
- Right to delete personal data
- Right to access personal data in a portable format
- Right to obtain a list of the categories of third parties to which personal data has been disclosed
- Right to opt out of the processing of personal data for purposes of any of the following activities:
  - Targeted advertising
  - Sale of personal data
  - Profiling
Remedies under Delaware’s data privacy law
The Attorney General and the Director of the Division of Consumer Protection have standing to bring legal actions on behalf of the State. Entities in violation of the law may be subject to a civil penalty of up to $10,000 for each violation. Additional remedies are available where a willful violation is found, including a cease and desist order, a freeze of the violator’s assets, and an order of restitution.
For more legislative updates on data privacy law from McDonald Hopkins, please subscribe to receive our publications.