Privacy & Information Security Law Blog

On June 30, 2023, the Delaware House of Representatives passed the Delaware Personal Data Privacy Act (H.B. 154) (the “DPDPA”), a day after the Delaware Senate passed the legislation. The DPDPA heads to Governor John Carney for a final signature. This could make Delaware the 13th U.S. state to enact comprehensive privacy legislation.

Applicability

The DPDPA would apply to persons that conduct business in Delaware or persons that produce products or services that are targeted to Delaware residents and that during the preceding calendar year did any of the following: (1) controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data.

The DPDPA’s protections would apply to Delaware residents who act for a personal or household purpose, with express exemption for individuals acting in a commercial or employment context. The DPDPA also contains a number of exemptions, including exceptions for financial institutions, affiliates and data subject to Title V of the Gramm-Leach-Bliley Act,  covered entities and business associates under the Health Insurance Portability and Accountability Act of 1996 and nonprofit organizations.

Controller Obligations

Similar to other comprehensive state privacy laws, the DPDPA would require controllers to limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer. In addition, controllers would need consumer’s consent to process sensitive data or to process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer. The DPDPA also requires controllers to establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue.

The DPDPA also would require controllers to provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes, among other requirements: (1) the categories of personal data processed by the controller; (2) the purpose for processing personal data; (3) how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request; (4) the categories of personal data that the controller shares with third parties, if any; (5) the categories of third parties with which the controller shares personal data, if any; and (6) an active electronic mail address or other online mechanism that the consumer may use to contact the controller.

The DPDPA also would require controllers that control or process the data of not less than 100,000 consumers (excluding data controlled or processed solely for the purpose of completing a payment transaction) to conduct and document a data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to the consumer. For the purposes of the DPDPA’s data protection assessment requirement, processing that presents a heightened risk of harm to a consumer includes: (1) the processing of personal data for the purposes of targeted advertising; (2) the sale of personal data; (3) the processing of sensitive data; and (4) the processing of personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of any of the following: (a) unfair or deceptive treatment of, or unlawful disparate impact on, consumers, (b) financial, physical, or reputational injury to consumers, (c) a physical or other intrusion upon the solitude or seclusion, or private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or (d) other substantial injury to consumers.

Consumer Rights

The DPDPA provides consumers with the following rights: (1) to confirm whether a controller is processing the consumer’s personal data and access such personal data; (2) to correct inaccuracies in the consumer’s personal data; (3) to delete personal data provided by, or obtained about, the consumer; (4) to obtain a copy of the consumer’s personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance; (5) to obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data; (6) to opt out of the processing of the personal data for purposes of (a) targeted advertising, (b) the sale of personal data and (c) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

Controllers would have 45 days to respond to consumer rights requests, with a potential 45-day extension in certain circumstances.

Enforcement

The DPDPA does not contain a private right of action and would be enforced exclusively by the Delaware Department of Justice. The DPDPA provides a 60-day cure period for violations until December 31, 2025. If a violation is not cured, the Department of Justice may bring an enforcement proceeding.

Effective Date

If the DPDPA is enacted before or on January 1, 2024, the DPDPA would take effect on January 1, 2025. If the DPDPA is enacted after January 1, 2024, however, the DPDPA would take effect on January 1, 2026.

Update: On September 11, 2023, Delaware Governor John Carney signed H.B. 154 into law, making Delaware the 13^th state to enact a comprehensive privacy law.