Delaware Personal Data Privacy Act (DPDPA)

On June 30th, 2023, Delaware passed HB154, a privacy law that protects the personal data and privacy rights of Delaware consumers. The Delaware Personal Data Privacy Act (DPDPA) is set to go into effect on Januar 1, 2025.

This article will explain what the Delaware Personal Data Privacy Act (DPDPA) is, who it applies to, how to comply with the law, and what happens if you violate the Delaware DPDPA.

What is the Delaware Personal Data Privacy Act (DPDPA)?

The Delaware Personal Data Privacy Act (DPDPA) is a comprehensive privacy and data protection law that gives Delaware residents certain rights and requires applicable organizations to take steps to protect the personal data they control (make decisions about) or process (collect, store, use, or modify).

Personal data is any information that can be used to identify an individual.

Who Does the Delaware Personal Data Privacy Act (DPDPA) Apply to?

The Delaware Personal Data Privacy Act (DPDPA) applies to organizations or individuals that, in the preceding calendar year, did business in Delaware and:

• Controlled or processed personal data belonging to 35,000 or more consumers

or

• Controlled or processed personal data belonging to 10,000 or more consumers, and
• Got more than 20% of their gross revenue from the sale of personal data

Here's how Section 12D-103 of the Delaware DPDPA describes who the law applies to:

Who Does the Delaware Personal Data Privacy Act (DPDPA) Not Apply to?

The Delaware Personal Data Privacy Act (DPDPA) does not apply to the following:

• State agencies or judicial bodies (excluding higher education institutions)
• Financial institutions subject to Title V of the Gramm Leach Bliley Act
• Nonprofits in the insurance crime prevention industry
• Certain national securities associations

What Types of Personal Data are Exempt from Delaware Personal Data Privacy Act (DPDPA)?

The law does not apply to certain types of data, including:

• Information regulated by or in compliance with HIPAA, the Fair Credit Reporting Act, the Gramm Leach Bliley Act, and the Driver's Privacy Protection Act (among other Acts)
• Certain employee data
• Emergency contact information

What Rights are Consumers Granted Under the Delaware Personal Data Privacy Act (DPDPA)?

The Delaware Personal Data Privacy Act (DPDPA) grants residents of Delaware the following rights:

• The right to know what information is being collected about them
• The right to access their personal data
• The right to correct inaccuracies within their personal data
• The right to request their personal data be deleted
• The right to obtain a portable copy of their personal data
• The right to receive a list of third parties that their personal data has been shared with
• The right to opt out of the sale of their personal data or the use of their personal data for targeted advertising (marketing based on tracking consumers' online behavior) or certain profiling purposes

Section 12D-104 of the Delaware DPDPA explains consumers' rights concerning their personal data:

Does the Delaware Personal Data Privacy Act (DPDPA) Affect My Cookies Policy?

Yes, if you use cookies for specific processing activities or if you collect certain types of personal data.

If you use cookies for the following purposes, you must update your Cookies Policy (and/or Privacy Policy) to disclose this, and allow them to opt out of this:

• Profiling
• Selling user data
• Targeted advertising

If you use cookies to collect sensitive personal information, you are required to obtain active opt-in consent before placing these cookies, and allow for opt-outs at any time, even after consent has been given.

Does the Delaware Personal Data Privacy Act (DPDPA) Affect My Privacy Policy?

Section 12D-106 of the Delaware Personal Data Privacy Act (DPDPA) requires data controllers to create and display a Privacy Policy that is “reasonably accessible, clear, and meaningful.”

A Delaware DPDPA-compliant Privacy Policy must disclose all of the following information:

• What categories of personal data will be processed
• Why the data is to be processed
• What categories of personal data are shared with any third parties
• The categories of these third parties data may be shared with
• What rights users have and how to exercise them, including appealing decisions about requests made
• At least one way for users to submit online rights requests to you, such as an email address or linked form
• A way for users to contact you with general inquiries, such as an email address or linked contact form
• Instructions for how users can opt out of allowing you to sell personal data or use it for targeted ads, if you do so
• A link to a separate web page where you allow users to opt out of having their data sold or used for targeted ads

How to Comply With the Delaware Personal Data Privacy Act (DPDPA)

There are a few steps you can take to ensure compliance with the Delaware Personal Data Privacy Act (DPDPA), including creating and maintaining a Privacy Policy, responding to consumer requests, conducting data protection assessments, and fulfilling data controller duties.

Have a Compliant Privacy Policy

The Delaware DPDPA requires data controllers (those who make decisions about how to use consumers' personal data) to maintain a Privacy Policy on their websites that includes clauses describing the types of personal data they process, how consumers can exercise their rights, and the types of third parties they share personal data with, among others.

Let's take a look at some of the clauses that you should include to ensure your Privacy Policy is Delaware DPDPA-compliant.

The Types of Personal Data You Process

This clause describes the types of personal data you process, and can include names, email addresses, device and browser data, and payment information.

Apple's Privacy Policy informs users of the types of personal data it collects, including account, device, contact, payment, and transaction information:

Your Reasons for Processing Personal Data

You need to inform consumers why you process their personal data. Some common reasons include to fulfill orders, for advertising purposes, and to create a customized user experience.

Spotify's Privacy Policy contains a table that describes its reasons for processing personal data (such as account set up and link sharing) and the types of personal data it uses to fulfill those purposes:

How Consumers Can Exercise Their Rights

The Delaware Personal Data Privacy Act (DPDPA) requires you to give consumers a way to exercise their rights.

You can include a means for consumers to exercise their rights within your Privacy Policy by providing a link to an email address, online request form, or a separate page describing the steps they need to take.

This clause should also include information about how consumers can appeal your decisions.

Whatever method you choose, you need to make sure that you have a process in place for dealing with consumer requests as you receive them.

Google's Privacy Policy contains links that consumers can click if they want to exert their rights to export or delete their personal data:

What Kinds of Personal Data You Share With Third Parties

You should let consumers know what kind of personal data you share with third parties. The personal data you share with third parties may be collected directly, such as when consumers provide you with their contact, shipping, and payment information, or indirectly, such as when you obtain personal data from cookies or analytics software.

Chaco's Privacy Policy explains that it doesn't share consumers' personal information, and lists the categories of personal data it shares with third parties, including cookies and payment and contact information.

Note that it also lists the categories and types of third parties it shares consumers' personal data with, such as affiliates, advertisers and analytics providers.

Your Online Contact Information

The Delaware Personal Data Privacy Act (DPDPA) requires you to provide consumers with an email address or another way for them to contact you online, such as via a website messaging form.

Samsung's Privacy Policy contains a mailing address and an email address which consumers can use to contact it with questions or requests:

How to Opt Out

This clause notifies consumers if you sell their data or use it for targeted advertising or certain types of profiling, and gives them a way to opt out.

You can also use this clause to let consumers know how opting out may affect their experience of your services.

Ticketmaster's Privacy Policy lists its users' rights and includes a link that they can click to enact their rights. It informs users that they may also submit requests over the phone or via mail:

When users click the request submission link, they are taken to Ticketmaster's Privacy Request Portal, which they can use to opt out of marketing or request, correct, or delete their personal information. The portal includes a link that users can follow if they wish to opt out of the sale or sharing of their data:

Respond to Consumer Requests

The Delaware Personal Data Privacy Act (DPDPA) requires you to respond to consumer requests within 45 days of receiving them. If you choose not to take the action the consumer is requesting, you will need to respond to the consumer within 45 days of receiving their request to let them know why you aren't taking action and to give them a means of appealing your decision.

If a consumer appeals your decision, you will need to respond to the consumer within 60 days of receiving the appeal to let them know what action you have decided to take (or not take). If you have denied their appeal, you will need to provide them with a way to submit a complaint to the Department of Justice.

Section 12D-104 of the Delaware DPDPA explains that applicable entities need to provide a way for consumers to exercise their rights, and have a process in place for responding to consumer requests in a timely manner:

Paypal's Privacy Statement explains that if it denies a user's request, it will provide information about how the appeals process works:

Conduct Data Protection Assessments

A data protection assessment is an audit of your organization's data processing activities.

The Delaware DPDPA requires any entity that controls or processes personal data belonging to 100,000 or more consumers (unless the data is used strictly to complete a payment) to conduct a data protection assessment for each of the following types of processing activities:

• Using personal data for targeted advertising purposes
• Selling personal data
• Processing personal data for profiling that potentially carries a risk of harm to the consumer
• Processing sensitive data

Sensitive data is defined by the Delaware DPDPA as any personal data concerning race, ethnicity, religious beliefs, health conditions or diagnosis (including pregnancy), sexual orientation, gender identity, citizenship or immigration statuses, genetic data, personal data belonging to a child, or precise geolocation data.

Section 12D-108 of the Delaware DPDPA explains that a data protection assessment should identify and weigh the risks vs benefits of data processing activities, and help to identify ways to reduce risks to consumers:

Have a Contract in Place Between Data Processors and Controllers

Data processors and controllers must have a contract in place between themselves that outlines the parameters of the relationship, and how data is to be handled.

The contract must have the following attributes and information:

• Clear instructions for how data is to be processed
• The specific and exact nature and purpose of the data processing
• A list of what types of data are to be processed
• How long the processing of the data is to take place (the duration)
• A list of all the obligations and rights of each party under the contract

The contract must set out the following requirements specific to the data processor:

• A duty of confidentiality of the processor
• A requirement to delete or return to the controller all data subject to the agreement at the end of the contract term as instructed by the controller (unless the processor is required by law to retain the data)
• A requirement to make all of the data in its possession available to the controller if the controller reasonably requests access in order to show or prove compliance with the Delaware DPDPA
• A requirement that any subcontractors that work with the data processor are to be held to the same standards, requirements and guidelines if the data controller doesn't first object to the subcontractor being part of the contract
• A duty to cooperate with reasonable assessments made by the data controller, any designated assessors or a qualified independent assessor that is arranged by the data processor

Checklist: What Does Delaware Personal Data Privacy Act (DPDPA) Require from Data Controllers?

The Delaware Personal Data Privacy Act (DPDPA) requires data controllers (those who make decisions about how to handle consumers' personal data) to fulfill the following duties:

• Only collect and process personal data that is necessary (unless they get consent from the consumer to process data for other reasons)
• Inform consumers why they are collecting personal data
• Keep the personal data they collect secure
• Only process sensitive personal data with consent (or with a parent's consent if the sensitive personal data belongs to a child)
• Provide an easy way for consumers to withdraw their consent
• Get consumer consent before selling personal data or using it for targeted advertising purposes
• Don't discriminate against consumers for exercising their rights

While maintaining an up-to-date Privacy Policy can help you inform consumers about why you are processing their personal data and provide users with a way to opt out, you should also satisfy the following obligations:

1. Understand exactly what personal data you are collecting and how you are obtaining it. You should keep a record of the types of information you collect from consumers, and whether you collect the data directly or indirectly.
2. Keep the data you collect secure. The best ways to keep the personal data you collect and process safe are to have physical security measures (such as security guards and cameras) and technical safeguards (such as firewalls and virus protection) in place, as well as training your staff on how to keep data secure.
3. Get consent. You should provide consumers with the choice to actively consent to the sale of their personal data, processing of their sensitive data, or the use of their personal data for targeted advertising or profiling. One way to do this is through the use of "I Agree" checkboxes that consumers must tick before accessing your website, making a purchase, or subscribing to a newsletter. If a consumer chooses to withdraw their consent, you will need to stop processing their personal data within 15 days of receiving their request.

   Here's an example of how to obtain consent via a checkbox:

   

4. Ensure that consumers aren't penalized for exercising their rights. Consumers should be treated fairly regardless of any requests they may make pertaining to their personal information. That means you can't do things like deny goods to or change prices for certain consumers.

Section 12D-106 of the Delaware DPDPA explains the duties of data controllers, including getting consumers' consent, keeping data safe, and only collecting personal data that is necessary for the purposes they have given the consumer:

Who Enforces Violations of the Delaware Personal Data Privacy Act (DPDPA )?

The Department of Justice is responsible for enforcing the Delaware Personal Data Privacy Act (DPDPA). This is granted by Subchapter II of Chapter 25 of Title 29.

While there is no private right of action under this law, consumers are able to file grievances with the Department of Justice.

The Department of Justice will notify you if you are in violation of the Delaware DPDPA and there is a cure available.

If you fail to cure the violation within 60 days of receiving the notification, then the Department of Justice can take action against you.

What Fines Can You Face for Violations of the Delaware Personal Data Privacy Act (DPDPA )?

Fines can be as high as $10,000 per violation.

Summary

The Delaware Personal Data Privacy Act (DPDPA) is Delaware's comprehensive privacy law. It provides Delaware citizens with rights regarding their personal data and requires applicable organizations to:

• Maintain a Privacy Policy
• Get consent before processing sensitive data, selling personal data, or processing personal data for targeted advertising or certain profiling purposes
• Respond to consumer requests
• Conduct data protection assessments
• Provide consumers with a way to opt out
• Keep the data they collect safe
• Not discriminate against consumers for making requests
• Only collect personal data that is necessary for the purposes that they disclose to consumers

The Delaware DPDPA applies to any organizations that offer goods or services to residents of Delaware and meet the following criteria for the preceding calendar year:

• Controlled or processed personal data belonging to 35,000 or more consumers or
• Controlled or processed personal data belonging to 10,000 or more consumers, and
• Obtained 20% or more of their gross revenue from the sale of personal data

The Delaware DPDPA requires applicable entities to maintain a Privacy Policy with relevant clauses on their websites. A Delaware DPDPA-compliant Privacy Policy should contain the following clauses:

• The types of personal data you collect or process
• Why you collect or process consumers' personal data
• How consumers can exercise their rights (including how they can appeal your decisions)
• What kinds of personal data you share with third parties
• What categories of third parties you share personal data with
• Your online contact information
• A way for consumers to opt out of the collection or processing of their personal data

The Department of Justice is responsible for enforcing the Delaware DPDPA. If the Department of Justice finds you in violation of the DPDPA and there is a cure available, they will send you a notice. You must cure the violation within 60 days of receiving the notification, or the Department of Justice may take action against you.