Legal writer at TermsFeed.
Widener University School of Law graduate, Managing Legal Editor at TermsFeed.
On this page
- 1. What is the Delaware Personal Data Privacy Act (DPDPA)?
- 2. Who Does the Delaware Personal Data Privacy Act (DPDPA) Apply to?
- 3. How to Comply With the Delaware Personal Data Privacy Act (DPDPA)
- 3.1.1. The Types of Personal Data You Process
- 3.1.2. Your Reasons for Processing Personal Data
- 3.1.3. How Consumers Can Exercise Their Rights
- 3.1.4. What Kinds of Personal Data You Share With Third Parties
- 3.1.5. Your Online Contact Information
- 3.1.6. How to Opt Out
- 3.2. Respond to Consumer Requests
- 3.3. Conduct Data Protection Assessments
- 3.4. Fulfill Data Controller Duties
- 4. What Happens If You Violate the Delaware Personal Data Privacy Act (DPDPA)?
- 5. Summary
On June 30, 2023, the Delaware General Assembly passed HB 154, the Delaware Personal Data Privacy Act (DPDPA), a privacy law that protects the personal data and privacy rights of Delaware consumers. The Governor signed the bill on September 11, 2023, and the law takes effect on January 1, 2025.
This article will explain what the DPDPA is, who it applies to, how to comply with the law, and what happens if you violate the DPDPA.
What is the Delaware Personal Data Privacy Act (DPDPA)?
The Delaware Personal Data Privacy Act (DPDPA) is a comprehensive privacy and data protection law that gives Delaware residents certain rights and requires applicable organizations to take steps to protect the personal data they control (make decisions about) or process (collect, store, use, or modify).
Personal data is any information that is linked or reasonably linkable to an identified or identifiable individual. It does not include de-identified data or publicly available information.
The DPDPA grants residents of Delaware the following rights:
- The right to know what information is being collected about them
- The right to access their personal data
- The right to correct inaccuracies within their personal data
- The right to request their personal data be deleted
- The right to obtain a portable copy of their personal data
- The right to receive a list of third parties that their personal data has been shared with
- The right to opt out of the sale of their personal data or the use of their personal data for targeted advertising (marketing based on tracking consumers' online behavior) or certain profiling purposes
Section 12D-104 of the DPDPA sets out these consumer rights and the conditions under which a controller may decline to act on a request.
Who Does the Delaware Personal Data Privacy Act (DPDPA) Apply to?
The DPDPA applies to organizations or individuals that conduct business in Delaware, or produce products or services targeted to Delaware residents, and that in the preceding calendar year:
- Controlled or processed the personal data of 35,000 or more consumers (excluding data processed solely to complete a payment transaction), or
- Controlled or processed the personal data of 10,000 or more consumers and derived more than 20% of their gross revenue from the sale of personal data
Section 12D-103 of the DPDPA defines this scope and lists the exemptions.
The DPDPA does not apply to state agencies or judicial bodies (institutions of higher education are not exempt and remain covered), financial institutions subject to Title V of the Gramm-Leach-Bliley Act, nonprofits dedicated exclusively to preventing and addressing insurance crime, or certain national securities associations.
The law does not apply to certain types of data, including:
- Information regulated by or handled in compliance with HIPAA, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Driver's Privacy Protection Act (among other Acts)
- Certain employee data
- Emergency contact information
How to Comply With the Delaware Personal Data Privacy Act (DPDPA)
The Types of Personal Data You Process
This privacy policy clause describes the types of personal data you process, which can include names, email addresses, device and browser data, and payment information.
Your Reasons for Processing Personal Data
You need to inform consumers why you process their personal data. Some common reasons include to fulfill orders, for advertising purposes, and to create a customized user experience.
How Consumers Can Exercise Their Rights
The DPDPA requires you to give consumers a way to exercise their rights.
This clause should also include information about how consumers can appeal your decisions.
Whatever method you choose, you need to make sure that you have a process in place for dealing with consumer requests as you receive them.
What Kinds of Personal Data You Share With Third Parties
You should let consumers know what kind of personal data you share with third parties. The personal data you share with third parties may be collected directly, such as when consumers provide you with their contact, shipping, and payment information, or indirectly, such as when you obtain personal data from cookies or analytics software.
Your policy should also list the categories of third parties you share consumers' personal data with, such as affiliates, advertisers, and analytics providers.
Your Online Contact Information
The DPDPA requires you to provide consumers with an email address or another way for them to contact you online, such as via a website messaging form.
How to Opt Out
This clause notifies consumers if you sell their data or use it for targeted advertising or certain types of profiling, and gives them a way to opt out.
You can also use this clause to let consumers know how opting out may affect their experience of your services.
Ticketmaster's privacy policy, for example, links to a request submission page. When users click the link, they are taken to Ticketmaster's Privacy Request Portal, which they can use to opt out of marketing or to request, correct, or delete their personal information. The portal includes a link that users can follow if they wish to opt out of the sale or sharing of their data.
Respond to Consumer Requests
The DPDPA requires you to respond to consumer requests without undue delay and no later than 45 days after receiving them. You may extend this period once by a further 45 days when reasonably necessary, but you must tell the consumer about the extension, and why, within the original 45 days. If you decline to take the action the consumer is requesting, you must respond within the same 45-day window, explain why you are not taking action, and give the consumer a means of appealing your decision.
If a consumer appeals your decision, you must respond within 60 days of receiving the appeal and explain what action you have decided to take (or not take). If you deny the appeal, you must also provide the consumer with a way to submit a complaint to the Delaware Department of Justice.
Section 12D-104 of the DPDPA requires covered entities to provide a way for consumers to exercise their rights and to have a process in place for responding to requests within these time limits.
PayPal's Privacy Statement, for example, explains that if it denies a user's request, it will provide information about how the appeals process works.
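The 45-day response clock, the 60-day appeal clock, and the 15-day clock for stopping processing after a consumer withdraws consent (described under Fulfill Data Controller Duties below) are easy to miss when requests arrive through several channels. The tracker below is an added example, not code from the page or from any vendor named on it: it records each request as a small dataclass, computes the statutory due dates, and reports what is overdue or missing, including a denial that lacks appeal instructions and a denied appeal that lacks the Department of Justice complaint pointer. The request types, field names, and sample queue are constructed for illustration; the day counts are the ones the statute states.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Statutory clocks, in calendar days, as described in this article.
RESPONSE_DAYS = 45            # initial response to a consumer request
EXTENSION_DAYS = 45           # one extension the Act allows when reasonably necessary
APPEAL_DAYS = 60              # response to a consumer's appeal
CONSENT_REVOCATION_DAYS = 15  # stop processing after consent is withdrawn


@dataclass
class ConsumerRequest:
    """One rights request (access, correction, deletion, portability, opt-out)."""
    request_type: str
    received: date
    extended: bool = False                  # extension notice sent within the first 45 days
    responded: Optional[date] = None
    denied: bool = False
    denial_reason: Optional[str] = None     # a denial must say why no action was taken
    appeal_instructions_sent: bool = False  # a denial must say how to appeal
    appeal_received: Optional[date] = None
    appeal_decided: Optional[date] = None
    appeal_upheld_denial: bool = False
    doj_complaint_info_sent: bool = False   # a denied appeal must point to the Delaware DOJ

    def response_due(self) -> date:
        days = RESPONSE_DAYS + (EXTENSION_DAYS if self.extended else 0)
        return self.received + timedelta(days=days)

    def appeal_due(self) -> Optional[date]:
        if self.appeal_received is None:
            return None
        return self.appeal_received + timedelta(days=APPEAL_DAYS)

    def findings(self, today: date) -> list[str]:
        """Return what is due, overdue, or missing for this request as of `today`."""
        out = []
        due = self.response_due()
        if self.responded is None:
            if today > due:
                out.append(f"response overdue since {due}")
            else:
                out.append(f"response due by {due} ({(due - today).days} days left)")
        elif self.responded > due:
            out.append(f"response was late: sent {self.responded}, due {due}")
        if self.denied:
            if not self.denial_reason:
                out.append("denial must state why no action was taken")
            if not self.appeal_instructions_sent:
                out.append("denial must tell the consumer how to appeal")
        if self.appeal_received is not None:
            appeal_due = self.appeal_due()
            if self.appeal_decided is None:
                if today > appeal_due:
                    out.append(f"appeal decision overdue since {appeal_due}")
                else:
                    out.append(f"appeal decision due by {appeal_due}")
            elif self.appeal_upheld_denial and not self.doj_complaint_info_sent:
                out.append("denied appeal must include how to complain to the Delaware DOJ")
        return out


def processing_must_stop_by(revocation_received: date) -> date:
    """Latest date to stop processing after a consumer withdraws consent."""
    return revocation_received + timedelta(days=CONSENT_REVOCATION_DAYS)


def review_queue(requests: list[ConsumerRequest], today: date) -> dict[str, list[str]]:
    """Findings per request with anything outstanding; keys are 'type@received'."""
    report = {}
    for r in requests:
        notes = r.findings(today)
        if notes:
            report[f"{r.request_type}@{r.received}"] = notes
    return report


def sample_queue() -> list[ConsumerRequest]:
    """Constructed sample requests (not real consumers) used for the demo below."""
    return [
        ConsumerRequest("deletion", date(2025, 1, 6)),
        ConsumerRequest("access", date(2025, 1, 10), responded=date(2025, 2, 1),
                        denied=True, denial_reason="identity not verified"),
        ConsumerRequest("correction", date(2024, 12, 2), responded=date(2025, 1, 10),
                        denied=True, denial_reason="record is accurate",
                        appeal_instructions_sent=True, appeal_received=date(2025, 3, 3)),
        ConsumerRequest("portability", date(2025, 1, 6), extended=True),
    ]


def demo_review(today_iso: str = "2025-03-20") -> dict[str, list[str]]:
    """Run the tracker over the sample queue as of an ISO date string."""
    return review_queue(sample_queue(), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for key, notes in demo_review().items():
        print(key)
        for n in notes:
            print("  -", n)
```

Run it as a scheduled job against your real request store and page on any "overdue" or "must" finding; the appeal and consent-revocation clocks start on the day the appeal or revocation is received, not on the day someone reads it.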
Conduct Data Protection Assessments
A data protection assessment is an audit of your organization's data processing activities.
The DPDPA requires any controller that controls or processes the personal data of 100,000 or more consumers (excluding data processed solely to complete a payment transaction) to conduct and document a data protection assessment for each of the following types of processing activities:
- Using personal data for targeted advertising purposes
- Selling personal data
- Processing personal data for profiling that potentially carries a risk of harm to the consumer
- Processing sensitive data
Sensitive data is defined by the DPDPA as personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, citizenship or immigration status, genetic or biometric data, the personal data of a known child, or precise geolocation data.
Section 12D-108 of the DPDPA explains that a data protection assessment should identify and weigh the benefits of the processing against the risks it poses to consumers, taking into account any safeguards that reduce those risks.
Fulfill Data Controller Duties
The DPDPA requires data controllers (those who make decisions about how to handle consumers' personal data) to fulfill the following duties:
- Only collect and process personal data that is necessary (unless they get consent from the consumer to process data for other reasons)
- Inform consumers why they are collecting personal data
- Keep the personal data they collect secure
- Only process sensitive personal data with consent (or with a parent's consent if the sensitive personal data belongs to a child)
- Provide an easy way for consumers to withdraw their consent
- Get consent before selling personal data or using it for targeted advertising where the controller knows, or willfully disregards, that the consumer is between 13 and 18 years old (adult consumers must be given an opt-out instead)
- Don't discriminate against consumers for exercising their rights
- Understand exactly what personal data you are collecting and how you are obtaining it. You should keep a record of the types of information you collect from consumers, and whether you collect the data directly or indirectly.
- Keep the data you collect secure. The DPDPA requires administrative, technical, and physical safeguards appropriate to the volume and nature of the data. In practice that means physical controls (such as access-controlled facilities and cameras), technical controls (such as role-based access control, encryption in transit and at rest, patching, logging and monitoring), and training your staff on how to handle personal data securely.
- Get consent where the law requires it. Consent under the DPDPA must be a clear affirmative act that is freely given, specific, informed, and unambiguous; acceptance of general terms of use, hovering over or closing a piece of content, or consent obtained through dark patterns does not count. Use a dedicated, unticked checkbox or toggle for each purpose (processing sensitive data, or selling data or targeted advertising for consumers between 13 and 18) rather than bundling consent into an "I Agree" box that gates access to your website or checkout. If a consumer withdraws their consent, you must stop processing the affected personal data as soon as practicable and no later than 15 days after receiving the revocation.
- Ensure that consumers aren't penalized for exercising their rights. Consumers should be treated fairly regardless of any requests they may make pertaining to their personal information. That means you can't do things like deny goods to or change prices for certain consumers.
Section 12D-106 of the DPDPA sets out the duties of data controllers, including obtaining consent where required, keeping data secure, and collecting only the personal data that is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer.
What Happens If You Violate the Delaware Personal Data Privacy Act (DPDPA)?
The Delaware Department of Justice (the Attorney General's office) has exclusive authority to enforce the DPDPA. Until December 31, 2025, the Department of Justice must notify you of a violation and give you the opportunity to cure it if a cure is possible; after that date, offering a cure period is at its discretion.
If you fail to cure the violation within 60 days of receiving the notice, or if no cure period is offered, the Department of Justice can take enforcement action against you.
Summary
The DPDPA is Delaware's comprehensive privacy law. It provides Delaware residents with rights regarding their personal data and requires applicable organizations to:
- Get consent before processing sensitive data, and before selling the personal data of, or targeting advertising to, consumers known to be between 13 and 18 years old
- Respond to consumer requests
- Conduct data protection assessments
- Provide consumers with a way to opt out
- Keep the data they collect safe
- Not discriminate against consumers for making requests
- Only collect personal data that is necessary for the purposes that they disclose to consumers
The DPDPA applies to any organization that conducts business in Delaware or offers goods or services targeted to residents of Delaware and, in the preceding calendar year, met either of the following criteria:
- Controlled or processed the personal data of 35,000 or more consumers (excluding data processed solely to complete a payment transaction), or
- Controlled or processed the personal data of 10,000 or more consumers and derived more than 20% of its gross revenue from the sale of personal data
Your privacy policy should disclose:
- The types of personal data you collect or process
- Why you collect or process consumers' personal data
- How consumers can exercise their rights (including how they can appeal your decisions)
- What kinds of personal data you share with third parties
- What categories of third parties you share personal data with
- Your online contact information
- A way for consumers to opt out of the sale of their personal data and its use for targeted advertising or certain profiling
The Delaware Department of Justice is responsible for enforcing the DPDPA. If it finds you in violation and a cure is available, it will send you a notice (this is mandatory until December 31, 2025, and discretionary afterwards). You must cure the violation within 60 days of receiving the notice, or the Department of Justice may take action against you.