On September 11, 2023, Delaware Governor John Carney signed into law House Bill No. 154 ("Delaware Personal Data Privacy Act"), Delaware's new state consumer privacy law, which will become effective January 1, 2025. Delaware now joins California, Utah, Colorado, Connecticut, Virginia, Iowa, Indiana, Tennessee, Montana, Florida, Texas and Oregon as states with their own consumer privacy laws (together, "US State Data Privacy Laws"). The Delaware Personal Data Privacy Act does not stand out from the group of existing US State Data Privacy Laws in its requirements generally. However, unlike other US State Data Privacy Laws, it does not exempt most nonprofit organizations or institutions of higher education. Similar to our other client alerts on US State Data Privacy Laws, we summarize the key components of the Delaware Personal Data Privacy Act below, including its applicability, the rights afforded to consumers and enforcement mechanisms.
To whom does the Delaware Personal Data Privacy Act apply?
The Delaware Personal Data Privacy Act imposes transparency and disclosure obligations on a "controller" (a person that, alone or jointly with others, determines the purpose and means of processing personal data), who either:
- conducts business in Delaware; or
- produces products or services that are targeted to the residents of Delaware;
and that, during the preceding calendar year:
- controlled or processed personal data of not less than 35,000 Delaware residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- controlled or processed personal data of not less than 10,000 Delaware residents and derived more than 20 percent of its gross revenue from the sale of personal data.
Notably, the Delaware Personal Data Privacy Act does not have a revenue threshold for entities to be subject to privacy obligations. In addition, the Delaware Personal Data Privacy Act does not generally apply to government entities and Gramm-Leach-Bliley Act-regulated entities and data. The Delaware Personal Data Privacy Act also does not generally apply to certain classes of data, including protected health information under HIPAA, scientific research data, consumer credit-reporting data, data regulated by the Family Educational Rights and Privacy Act or the federal Farm Credit Act, and employment-related information. Unlike other US State Data Privacy Laws, the Delaware Personal Data Privacy Act does not generally exempt nonprofits or institutions of higher education.
What rights does the Delaware Personal Data Privacy Act grant consumers?
The Delaware Personal Data Privacy Act grants Delaware residents acting in an individual capacity, and not in a commercial or employment context ("consumers"), certain access and control rights concerning their personal data. A consumer may submit authenticated requests to a controller to:
- confirm whether the controller is processing the consumer's data and provide access to the consumer's data;
- correct inaccurate personal data of the consumer;
- delete personal data about the consumer;
- obtain a copy of the consumer's personal data (i.e., data portability);
- obtain a list of the categories of third parties to which the controller has disclosed the consumer's personal data; and
- opt out of the processing of the consumer's personal data for purposes of targeted advertising, the sale of personal data or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
A controller must respond to consumer requests to exercise their rights granted by the statute within 45 days, though that time period may be extended for an additional 45 days when reasonably necessary considering the complexity and number of the consumer's requests. The Delaware Personal Data Privacy Act also grants consumers the right to appeal the controller's refusal to take action on requests to exercise their rights. A controller must respond to an appeal in writing within 60 days and, if the appeal is denied, the controller must provide the consumer with an online mechanism, if available, or other method for contacting the Delaware Department of Justice to submit a complaint.
What obligations does the Delaware Personal Data Privacy Act impose on controllers and processors?
The Delaware Personal Data Privacy Act applies to "personal data." Personal data is defined as any information that is linked or reasonably linkable to an identified or identifiable individual. The definition of personal data notably excludes de-identified data or publicly available information.
The Delaware Personal Data Privacy Act requires controllers to:
- Limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the disclosed purposes for which the personal data is processed;
- Establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of consumers' personal data appropriate to the volume and nature of the personal data at issue;
- Process consumers' sensitive data only after obtaining the consumer's consent. Sensitive data is defined to include genetic or biometric data for the purpose of uniquely identifying an individual, precise geolocation data, personal data of a known child and personal information revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or non-binary, national origin, citizenship status or immigration status;
- Refrain from discriminating against consumers who exercise the rights granted by the statute;
- Clearly and conspicuously disclose if the controller sells consumers' personal data to third parties or processes personal data for targeted advertising, and provide consumers an opportunity to opt out via a link on the controller's website;
- By no later than January 1, 2026, allow consumers to opt out of the selling or processing of their personal data for the purposes of targeted advertising through an opt-out preference signal;
- If they control or process the data of 100,000 or more consumers, excluding data controlled or processed solely for completing payment transactions, conduct and document, on a regular basis, a data protection assessment on the processing of personal data that presents a heightened risk of harm to consumers, including targeted advertising, the sale of personal data, the processing of sensitive data and profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment of or unlawful disparate impact; and
- When in possession of de-identified data, take reasonable measures to ensure that the data cannot be associated with an individual, publicly commit to processing the data only in a de-identified fashion and contractually obligate any recipients of the data to comply with the Delaware Personal Data Privacy Act.
The Delaware Personal Data Privacy Act imposes additional requirements on processors. A processor must assist the controller in meeting its obligations under the act, including its obligations regarding consumer rights requests and security of data processing. The Delaware Personal Data Privacy Act also requires that all processing be governed by a contract between the controller and processor that outlines relevant consumer privacy provisions.
Key Aspects of the Delaware Personal Data Privacy Act
- Right for Consumers to Opt Out: The Delaware Personal Data Privacy Act permits consumers to opt out of the processing of personal data for the sale of personal data, targeted advertising, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning a consumer. The means of opt out must be clear and conspicuous.
- Processing Agreement Required between Controllers and Processors: Like certain other US State Data Privacy Laws, the Delaware Personal Data Privacy Act requires controllers to enter into contracts with processors that regulate how processors process data. Contracts under the Delaware Personal Data Privacy Act must clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the parties' rights and obligations. The contracts also must include a duty of confidentiality and must require that processors only engage subcontractors after providing the controller an opportunity to object and pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data. The Delaware Personal Data Privacy Act also requires processors to delete or return personal data upon the controller's request and permit an assessment of its technical and organizational measures.
- Delaware Department of Justice Investigations and Enforcement: Like most of the US State Data Privacy Laws, the Delaware Personal Data Privacy Act does not provide for a private right of action. The Delaware Department of Justice has exclusive authority to enforce violations. Until December 31, 2025, the Delaware Department of Justice must issue a notice of violation and allow controllers 60 days to cure the violation, if it determines that such violation could be cured. Beginning January 1, 2026, the Delaware Department of Justice may choose, but is not required, to provide an opportunity to cure an alleged violation.
The Delaware Personal Data Privacy Act provides the Delaware Department of Justice the power to investigate and prosecute violations in accordance with Delaware's consumer protection statute, which permits issuing cease and desist orders, pursuing administrative remedies, initiating judicial actions and promulgating necessary rules and regulations. In a judicial action, a court may order the violator to pay a civil penalty of up to US$10,000 for each willful violation.
While the Delaware Personal Data Privacy Act is not significantly distinguishable in substance from other US State Data Privacy Laws, businesses should take note of the slight differences, namely the lack of general exclusions for nonprofits and institutions of higher education.
White & Case's Data, Privacy and Cybersecurity team will continue to provide updates as these laws and regulations emerge. Please reference our US Data Privacy Guide and other client alerts for general steps to take to comply with US data privacy laws.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2023 White & Case LLP