On September 11, 2023, Delaware Governor John Carney signed the Delaware Personal Data Privacy Act (DDPA), making Delaware the 13th state to enact a consumer privacy law. If you're a business in Delaware or selling to Delaware consumers, it's crucial to familiarize yourself with the DPDPA and its implications.
What is the Delaware Data Privacy Act (DDPA)?
The Delaware Personal Data Privacy Act (DDPA) aims to protect the consumer privacy rights of Delaware residents. The law grants specific rights to consumers and places obligations on businesses. Non-compliance with this law can lead to severe penalties for businesses.
The DPDPA shares similarities with consumer data privacy laws from other US states but has its unique provisions. The law emphasizes the protection of consumer data privacy, excluding employment-related data from its purview.
The DPDPA is set to take effect on 1 January 2025.
Does the DDPA apply to your business?
Delaware is the home of many businesses, but the state privacy law won't affect all of them. Your business falls under the DPDPA's jurisdiction if:
- You conduct business in Delaware or cater to Delaware customers.
- You either:
- Control or process personal data of at least 35,000 Delaware residents. - - Control or process the personal data of at least 10,000 Delaware residents and generate over 20% of your gross revenue from the sale of personal data.
Remember, tools like Google Analytics or Facebook Pixel, which process user data, can quickly help you reach these thresholds, making you subject to the DPDPA. Although there are thresholds, most of the companies operating online will be affected by the comprehensive privacy law.
What constitutes personal data under the Delaware Personal Data Privacy Act?
The DPDPA has a long definition of personal data, which covers "any personally identifiable information about a user of a commercial internet website, online or cloud computing service, online application, or mobile application that is collected online by the operator of that commercial internet website, online service, online application, or mobile application from that user and maintained by the operator in an accessible form, including a first and last name, a physical address, an e-mail address, a telephone number, a Social Security number, or any other identifier that permits the physical or online contacting of the user, and any other information concerning the user collected by the operator of the commercial internet website, online service, online application, or mobile application from the user and maintained in personally identifiable form in combination with any identifier described in this paragraph."
This broad definition covers various categories of personal data for the purposes of being processed by companies, from the collection of personal data such as names and email addresses to health records, online behavior, and more. However, employment data and information protected by the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act are explicitly excluded from the DDPA's scope.
What is sensitive data under the Delaware privacy law?
The DDPA definition of sensitive data includes:
- Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or non-binary, citizenship status, or immigration status
- Precise geolocation data
- Children's data
- Genetic or biometric data used for identification.
Under the DPDPA, businesses must obtain clear consent from users before processing sensitive data.
General duties of controllers and processors under the Delaware consumer privacy law
Controllers must:
- Ensure robust technical and organizational data security measures, including physical data security practices to protect consumer personal information
- Limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the disclosed purposes for which the personal data is processed
- Process only the necessary data
- Align data categories with processing intentions
- Obtain clear consent for sensitive data processing
- Conduct data protection assessments when required
- Offer transparent and meaningful privacy notices that includes the categories of personal data processed by the controller
- Honor consumer data requests
- Maintain compliant data processing contracts with processors
Processors are responsible for:
- Implementing adequate data security measures
- Ensure that personal data is processed based solely on the controller's agreement
- Assisting controllers in legal compliance
What is a data processing agreement under the DDPA?
A data processing agreement defines the relationship between the controller and processor. This contract ensures DPDPA compliance and should cover:
- Identification of both parties
- Data categories being processed
- Processing nature and purposes
- Data processing duration
- Clearly defined rights and responsibilities for both parties
- Confidentiality and data security provisions
- Subcontractor hiring provisions, if relevant.
DPDPA's privacy policy
Your DPDPA privacy policy, also known as privacy notice, should transparently communicate your data practices. It must include:
- Your identity
- Data processing purposes
- Processed data categories
- Data sale categories, if applicable
- Third-party data sale categories, if relevant
- Consumer rights and exercise instructions.
Do we have to obtain consent for data processing?
The DPDPA requires explicit consumer consent only for sensitive data processing. Collecting such data without consent can lead to penalties. For children's data, obtaining parental consent as per COPPA standards is essential.
Universal opt-out mechanisms under the Delaware state privacy law
Businesses must respect universal opt-out mechanisms like the Global Privacy Controls (GPC). If a GPC signal is received, treat it as a valid opt-out request.
This provision becomes effective from February 1, 2026.
What is a Data Protection Assessment under the Delaware comprehensive privacy legislation?
A Data Protection Assessment helps businesses identify and mitigate data processing risks. While not always mandatory, it's a recommended practice. The law specifically mandates this assessment for businesses that control or process the data of 100,000 or more consumers, excluding data controlled or processed solely for completing payment transactions. These controllers must conduct and document, on a regular basis, a data protection assessment on the processing of personal data that poses a heightened risk of harm to consumers, particularly about
- Targeted advertising
- The sale of personal data
- The processing of sensitive data and profiling that may result in unfair or deceptive treatment of or unlawful disparate impact.
DPDPA consumer rights and requests
Consumers have rights, including the rights to:
- Know about processing
- Access their data
- Data correction
- Data deletion
- Data portability
- Opt out of the processing of personal data for purposes of data sales, targeted advertising, or profiling
- Obtain a list of the categories of third parties to which the controller has disclosed the consumer's personal data.
Businesses have 45 days to respond to these requests, with a possible 45-day extension for complex cases.
The DPDPA enforcement and penalties
Delaware Department of Justice enforces the law. There is no right to action for consumers. Businesses receive a 60-day notice to rectify violations. Failure to comply can result in fines of up to $10,000 per violation, which is the highest in the US. From 2026 onwards, immediate penalties apply without any cure period.
Until December 31, 2025, the Delaware Department of Justice must issue a notice of violation and allow controllers 60 days to cure the violation, if it determines that such violation could be cured. Beginning January 1, 2026, the Delaware Department of Justice may choose but is not required, to provide an opportunity to cure an alleged violation.
