The Delaware Personal Data Privacy Act was introduced on May 12, 2023, and swiftly made its way through legislative channels. On September 11, 2023, Delaware Governor John Carney signed the Act into law. The Act is set to take effect on January 1, 2025, giving organizations time to prepare for compliance. (Read the full text of the Delaware Personal Data Privacy Act here.)
Defining Key Terms in the Delaware Privacy Law
One of the first notable aspects of the Delaware Personal Data Privacy Act is its comprehensive definitions. Several of the most important definitions included in the Act are:
- Controller: a person (an individual or a legal entity) that, alone or jointly with others, determines the purpose and means of processing personal data.
- Personal data: any information that is linked or reasonably linkable to an identified or identifiable individual. It does not include de-identified data or publicly available information.
- Sensitive data: personal data that reveals racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, transgender or nonbinary status, or citizenship or immigration status, as well as genetic or biometric data, precise geolocation data, and the personal data of a known child.
Scope of the Delaware Privacy Law
The Delaware Personal Data Privacy Act applies to entities that conduct business in Delaware or produce products or services targeted to Delaware residents and that, in a calendar year, either control or process the personal data of at least 35,000 consumers (excluding data processed solely to complete a payment transaction) or control or process the personal data of at least 10,000 consumers and derive more than 20 percent of gross revenue from the sale of personal data. Exemptions include state government bodies, financial institutions subject to the Gramm-Leach-Bliley Act, and non-profit organizations dedicated exclusively to preventing and addressing insurance crime. Unlike most other state privacy laws, the Act does not exempt non-profits in general.
Consumer Rights Under the Delaware Privacy Law
The Act grants Delaware consumers the following rights with respect to their personal data:
- The right to confirm if personal data is being processed
- The right to access personal data
- The right to correct inaccuracies in collected data
- The right to delete personal data
- The right to receive a copy of one’s personal data in a portable format
- The right to obtain a list of the categories of third parties to which the controller has disclosed the consumer's personal data
- The right to opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects
Controllers must adhere to strict guidelines. They must limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes, and they may not process personal data for purposes that are neither reasonably necessary to nor compatible with those purposes without the consumer's consent. Controllers must also establish, implement, and maintain reasonable administrative, technical, and physical data security practices; refrain from processing sensitive data without consent; provide a mechanism for consumers to revoke consent that is at least as easy as the one used to give it; and not discriminate against consumers for exercising their rights.
Controllers must also provide a reasonably accessible, clear, and meaningful privacy notice that outlines the categories of personal data processed, the purposes of processing, how consumers can exercise their rights (including how to appeal a controller's decision), the categories of personal data shared with third parties, and the categories of those third parties. Finally, controllers must establish one or more secure and reliable means for consumers to exercise their rights without requiring them to create a new account.
Data Protection Assessments (DPAs)
For processing activities that present a heightened risk of harm to consumers, such as targeted advertising, the sale of personal data, certain profiling, and the processing of sensitive data, controllers must conduct and document data protection assessments. An assessment weighs the benefits of the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the consumer, taking into account any safeguards that mitigate those risks, the use of de-identified data, the reasonable expectations of consumers, the context of the processing, and the relationship between the controller and the consumer. The assessment requirement applies only to controllers that control or process the personal data of at least 100,000 consumers, and it is not retroactive: it covers processing activities created or generated after July 1, 2025.
Use of De-Identified Data
The Act recognizes the value of de-identified data, defined as data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual. A controller holding de-identified data must take reasonable measures to ensure that it cannot be associated with an individual, must publicly commit to maintaining it in de-identified form and not attempting to re-identify it, and must contractually obligate any recipient to meet the same obligations. Controllers are not required to re-identify de-identified data, to maintain data in identifiable form, or to collect or retain additional information solely to associate a consumer request with personal data, and they need not comply with a request if they cannot reasonably associate it with the personal data or doing so would be unreasonably burdensome. Most consumer rights also do not apply to pseudonymous data, provided the information needed to attribute it to a specific individual is kept separately and subject to effective technical and organizational controls.
Obligations of Processors
Processors, entities that process personal data on behalf of a controller, must strictly follow the controller's instructions. They are responsible for implementing appropriate security measures, assisting the controller in responding to consumer requests, notifying the controller of data breaches, and providing the information the controller needs to conduct data protection assessments. A binding contract must govern the controller-processor relationship, setting out the processing instructions, the nature and purpose of the processing, the type of data and duration of processing, the parties' rights and obligations, confidentiality duties, deletion or return of data at the end of the engagement, and flow-down of these obligations to any subcontractor.
Limitations & Enforcement
The Delaware Personal Data Privacy Act does not restrict certain activities, such as complying with legal obligations, cooperating with law enforcement, preventing or responding to security incidents and fraud, or protecting the vital interests of a consumer. It does not limit rights of free speech or free press, and it excludes purely personal or household activities from its scope.
Enforcement of the Act falls exclusively to the Delaware Department of Justice, and a violation is treated as an unlawful practice subject to civil penalties. Through December 31, 2025, the Department must give a controller or processor 60 days to cure a violation before bringing an enforcement action; after that date, whether to grant an opportunity to cure is at the Department's discretion. Importantly, the Act does not create a private right of action, meaning individuals cannot sue organizations for violations.
The Delaware Personal Data Privacy Act is one of the broader state privacy laws passed to date, notably because of its comparatively low applicability thresholds and its lack of a general non-profit exemption. By clearly defining terms, establishing consumer rights, and outlining obligations for controllers and processors, the legislation seeks to safeguard personal data and empower consumers.
As the Act’s effective date approaches, organizations operating in Delaware or dealing with Delaware residents should proactively assess their data processing practices to ensure compliance with these new requirements. Stay on top of this and other new privacy laws with our flagship privacy compliance software, 4Comply, a user-friendly system that lets you maximize your marketing without compromising your legal obligations. Get in touch with us today for a free demo.