The march of new state privacy legislation continues as Delaware has now passed the country’s 13th comprehensive privacy law.
While many of these laws share similar features, no two of them are exactly alike, making compliance an increasingly complicated endeavor. The Delaware Personal Data Privacy Act continues the overall trend of taking inspiration from Virginia’s law, but also has a few distinguishing features of its own.
Here are the essential details that businesses and other organizations should know about the DPDPA.
The Delaware Personal Data Privacy Act will go into effect on January 1, 2025.
The DPDPA applies to any person or organization that does business in the state of Delaware, or targets its products or services toward state residents, and meets at least one of the following requirements:
The thresholds here are notable for being significantly lower than other states, though this is probably due to Delaware’s smaller population in comparison with larger states like California or Virginia.
While the DPDPA does have many of the same exemptions as other laws, including for government bodies and personal data already regulated by federal laws such as the GLBA or HIPAA, nonprofit organizations are not exempt from DPDPA compliance. (The one exception to this is for nonprofits that are “dedicated exclusively to preventing and addressing insurance crime.”) This is unusual but not unheard of, as Colorado and Oregon’s privacy laws also apply to nonprofits.
Delaware’s privacy law gives consumers the following rights.
The DPDPA also gives consumers the right to “obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data.” However, this information already must be included in an organization’s privacy notices, so it’s not clear that this actually gives rise to a new type of privacy request.
The DPDPA defines “personal data” in a way that more or less identical to other state privacy laws, i.e. any information “that is linked or reasonably linkable to an identified or identifiable individual.” Deidentified data or publicly available information is excluded from this definition.
Personal data is more than just names and email addresses, though, and can cover anything from IP addresses to internet cookies to shopping habits.
The Delaware Personal Data Privacy Act requires organizations to perform data protection assessments for certain types of processing activities, but only if that organization processes the personal data of at least 100,000 Delaware residents. In those cases, a data protection assessment is required for:
The DPDPA itself does not identify a specific dollar amount for fines. Instead, it states that a violation shall be considered an unlawful practice under Delaware’s consumer protection laws, which are punishable by penalties of up to $10,000 per willful violation.
The Delaware Personal Data Privacy Act Act does not grant a private right of action to consumers, meaning they cannot sue an organization over alleged violations.
The pace of state privacy legislation is picking up, with many more states likely to pass their own laws in the near future. With each new law, compliance becomes a little more complicated to manage, especially for businesses without in-house privacy experts.
TrueVault US helps businesses of all sizes get compliant with privacy laws from across the country with one streamlined platform. Built by attorneys, TrueVault US is a software solution that guides you at every step of the way, from onboarding vendors to responding to consumer privacy requests.
To learn more about how TrueVault US can help your business, contact our team today.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.