On June 30, 2023, the Delaware General Assembly passed HB 154, a privacy law that protects the personal data and privacy rights of Delaware consumers. The Delaware Personal Data Privacy Act (DPDPA) was signed by the Governor on September 11, 2023, and takes effect on January 1, 2025.

This article will explain what the DPDPA is, who it applies to, how to comply with the law, and what happens if you violate the DPDPA.


What is the Delaware Personal Data Privacy Act (DPDPA)?

The Delaware Personal Data Privacy Act (DPDPA) is a comprehensive privacy and data protection law that gives Delaware residents certain rights and requires applicable organizations to take steps to protect the personal data they control (make decisions about) or process (collect, store, use, or modify).

Personal data is any information that is linked or reasonably linkable to an identified or identifiable individual. De-identified data and publicly available information are not personal data under the DPDPA.

The DPDPA grants residents of Delaware the following rights:

  • The right to know what information is being collected about them
  • The right to access their personal data
  • The right to correct inaccuracies within their personal data
  • The right to request their personal data be deleted
  • The right to obtain a portable copy of their personal data
  • The right to receive a list of the categories of third parties that their personal data has been disclosed to
  • The right to opt out of the sale of their personal data or the use of their personal data for targeted advertising (marketing based on tracking consumers' online behavior) or certain profiling purposes

Section 12D-104 of the DPDPA explains consumers' rights concerning their personal data:

Delaware DPDPA: Consumer personal data rights section

Who Does the Delaware Personal Data Privacy Act (DPDPA) Apply to?

The DPDPA applies to organizations or individuals that, in the preceding calendar year, did business in Delaware and:

  • Controlled or processed personal data belonging to 35,000 or more consumers (not counting personal data controlled or processed solely to complete a payment transaction)

or

  • Controlled or processed personal data belonging to 10,000 or more consumers, and
  • Got more than 20% of their gross revenue from the sale of personal data

Here's how Section 12D-103 of the DPDPA describes who the law applies to:

Delaware DPDPA: Who the law applies to

The DPDPA does not apply to state agencies or judicial bodies (institutions of higher education are not covered by this exemption, so they must comply), financial institutions subject to Title V of the Gramm-Leach-Bliley Act, nonprofits dedicated exclusively to preventing and addressing insurance crime, or certain national securities associations.

The law does not apply to certain types of data, including:

  • Information regulated by or in compliance with HIPAA, the Fair Credit Reporting Act, the Gramm Leach Bliley Act, and the Driver's Privacy Protection Act (among other Acts)
  • Certain employee data
  • Emergency contact information

How to Comply With the Delaware Personal Data Privacy Act (DPDPA)

There are a few steps you can take to ensure compliance with the DPDPA, including creating and maintaining a Privacy Policy, responding to consumer requests, conducting data protection assessments, and fulfilling data controller duties.

Have a Privacy Policy

The DPDPA requires data controllers (those who make decisions about how to use consumers' personal data) to maintain a Privacy Policy on their websites that includes clauses describing the types of personal data they process, how consumers can exercise their rights, and the types of third parties they share personal data with, among others.

Section 12D-106 of the DPDPA explains that data controllers must provide consumers with an accessible, clearly written Privacy Policy.

Delaware DPDPA: Privacy notice requirement

Let's take a look at the full list of clauses that you should include to ensure your Privacy Policy is DPDPA-compliant.

The Types of Personal Data You Process

This clause describes the types of personal data you process, and can include names, email addresses, device and browser data, and payment information.

Apple's Privacy Policy informs users of the types of personal data it collects, including account, device, contact, payment, and transaction information:

Apple Privacy Policy: Information we may collect clause excerpt

Your Reasons for Processing Personal Data

You need to inform consumers why you process their personal data. Common purposes include fulfilling orders, advertising, and personalizing the user experience.

Spotify's Privacy Policy contains a table that describes its reasons for processing personal data (such as account set up and link sharing) and the types of personal data it uses to fulfill those purposes:

Spotify Privacy Policy: Purpose for processing your data chart excerpt

How Consumers Can Exercise Their Rights

The DPDPA requires you to give consumers a way to exercise their rights.

You can give consumers a way to exercise their rights from within your Privacy Policy by listing an email address, linking to an online request form, or linking to a separate page that describes the steps they need to take.

This clause should also include information about how consumers can appeal your decisions.

Whatever method you choose, you need to make sure that you have a process in place for dealing with consumer requests as you receive them.

Google's Privacy Policy contains links that consumers can click if they want to exert their rights to export or delete their personal data:

Google Privacy Policy: Export and Delete Information sections

What Kinds of Personal Data You Share With Third Parties

You should let consumers know what kind of personal data you share with third parties. The personal data you share with third parties may be collected directly, such as when consumers provide you with their contact, shipping, and payment information, or indirectly, such as when you obtain personal data from cookies or analytics software.

Chaco's Privacy Policy explains that it does not sell consumers' personal information, and lists the categories of personal data it shares with third parties, including cookies and payment and contact information.

Chaco Privacy Policy: Sell or share personal information clause excerpt

Note that it also lists the categories and types of third parties it shares consumers' personal data with, such as affiliates, advertisers and analytics providers.

Your Online Contact Information

The DPDPA requires you to provide consumers with an email address or another way for them to contact you online, such as via a website messaging form.

Samsung's Privacy Policy contains a mailing address and an email address which consumers can use to contact it with questions or requests:

Samsung Privacy Policy: How to contact us clause

How to Opt Out

This clause notifies consumers if you sell their data or use it for targeted advertising or certain types of profiling, and gives them a way to opt out. Starting January 1, 2026, the DPDPA also requires controllers to honor opt-out preference signals sent by the consumer's browser or device, so the manual opt-out link must be backed by a mechanism that recognizes such signals.

You can also use this clause to let consumers know how opting out may affect their experience of your services.

Ticketmaster's Privacy Policy lists its users' rights and includes a link that they can click to exercise their rights. It informs users that they may also submit requests over the phone or via mail:

Ticketmaster Privacy Policy: Right to opt-out of sale and processing section

When users click the request submission link, they are taken to Ticketmaster's Privacy Request Portal, which they can use to opt out of marketing or request, correct, or delete their personal information. The portal includes a link that users can follow if they wish to opt out of the sale or sharing of their data:

Screenshot of Ticketmaster Privacy Request Portal

Respond to Consumer Requests

The DPDPA requires you to respond to consumer requests within 45 days of receiving them. Where reasonably necessary given the complexity or number of requests, you may extend this once by a further 45 days, provided you tell the consumer about the extension and the reason for it within the initial 45-day period. If you choose not to take the action the consumer is requesting, you will need to respond within the same 45-day window to let them know why you aren't taking action and to give them a means of appealing your decision.

If a consumer appeals your decision, you will need to respond to the consumer within 60 days of receiving the appeal to let them know what action you have decided to take (or not take). If you have denied their appeal, you will need to provide them with a way to submit a complaint to the Department of Justice.

Section 12D-104 of the DPDPA explains that applicable entities need to provide a way for consumers to exercise their rights, and have a process in place for responding to consumer requests in a timely manner:

Delaware DPDPA: Respond to consumer rights request section

PayPal's Privacy Statement explains that if it denies a user's request, it will provide information about how the appeals process works:

PayPal Privacy Statement: Appeal decision section

Conduct Data Protection Assessments

A data protection assessment is an audit of your organization's data processing activities.

The DPDPA requires any entity that controls or processes personal data belonging to 100,000 or more consumers (unless the data is used strictly to complete a payment) to conduct a data protection assessment for each of the following types of processing activities:

  • Using personal data for targeted advertising purposes
  • Selling personal data
  • Processing personal data for profiling that potentially carries a risk of harm to the consumer
  • Processing sensitive data

Sensitive data is defined by the DPDPA as personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, citizenship or immigration status, genetic or biometric data, personal data of a known child, or precise geolocation data.

Section 12D-108 of the DPDPA explains that a data protection assessment should identify and weigh the risks vs benefits of data processing activities, and help to identify ways to reduce risks to consumers:

Delaware DPDPA: Data protection assessment section

Fulfill Data Controller Duties

The DPDPA requires data controllers (those who make decisions about how to handle consumers' personal data) to fulfill the following duties:

  • Only collect and process personal data that is necessary (unless they get consent from the consumer to process data for other reasons)
  • Inform consumers why they are collecting personal data
  • Keep the personal data they collect secure
  • Only process sensitive personal data with consent (or with a parent's consent if the sensitive personal data belongs to a child)
  • Provide an easy way for consumers to withdraw their consent
  • Get consumer consent before selling personal data or using it for targeted advertising when they know (or willfully disregard) that the consumer is at least 13 but younger than 18; all other consumers must be given a way to opt out
  • Don't discriminate against consumers for exercising their rights

While maintaining an up-to-date Privacy Policy can help you inform consumers about why you are processing their personal data and provide users with a way to opt out, you should also satisfy the following obligations:

  1. Understand exactly what personal data you are collecting and how you are obtaining it. You should keep a record of the types of information you collect from consumers, and whether you collect the data directly or indirectly.
  2. Keep the data you collect secure. The DPDPA requires reasonable administrative, technical, and physical safeguards appropriate to the volume and nature of the data. In practice that means restricting access to personal data on a least-privilege basis, encrypting it in transit and at rest, logging and monitoring access, keeping systems patched, retaining data only as long as the disclosed purpose requires, and training staff on handling it. Physical controls such as locked server rooms and visitor access control still matter where you host your own hardware.
  3. Get consent where the DPDPA requires it. You need a consumer's consent before processing their sensitive data, and before selling their personal data or using it for targeted advertising if you know they are between 13 and 18. Consent must be a clear, affirmative, freely given act for a specific purpose: a pre-ticked box, acceptance of general terms of use, or a "dark pattern" that nudges the consumer toward agreeing does not count. An unchecked opt-in checkbox placed next to a plain-language description of the specific processing is the safer pattern. If a consumer withdraws consent, you must stop the processing as soon as practicable and no later than 15 days after receiving their request.
  4. Ensure that consumers aren't penalized for exercising their rights. Consumers should be treated fairly regardless of any requests they may make pertaining to their personal information. That means you can't do things like deny goods to or change prices for certain consumers.

Section 12D-106 of the DPDPA explains the duties of data controllers, including getting consumers' consent, keeping data safe, and only collecting personal data that is necessary for the purposes they have given the consumer:

Delaware DPDPA: Duties of data controllers section

What Happens If You Violate the Delaware Personal Data Privacy Act (DPDPA)?

The Delaware Department of Justice is responsible for enforcing the DPDPA; the law does not create a private right of action. Until December 31, 2025, if the Department of Justice determines that a violation can be cured, it will notify you of the violation before taking action.

If you fail to cure the violation within 60 days of receiving the notification, the Department of Justice can take action against you. After the cure period sunsets, the Department of Justice may still choose to offer an opportunity to cure, but it is no longer required to.

Summary

The DPDPA is Delaware's comprehensive privacy law. It provides Delaware residents with rights regarding their personal data and requires applicable organizations to:

  • Maintain a Privacy Policy
  • Get consent before processing sensitive data, and before selling personal data or using it for targeted advertising where the consumer is known to be between 13 and 18 (other consumers get an opt-out instead)
  • Respond to consumer requests
  • Conduct data protection assessments
  • Provide consumers with a way to opt out
  • Keep the data they collect safe
  • Not discriminate against consumers for making requests
  • Only collect personal data that is necessary for the purposes that they disclose to consumers

The DPDPA applies to any organizations that offer goods or services to residents of Delaware and meet the following criteria for the preceding calendar year:

  • Controlled or processed personal data belonging to 35,000 or more consumers or
  • Controlled or processed personal data belonging to 10,000 or more consumers, and
  • Obtained more than 20% of their gross revenue from the sale of personal data

The DPDPA requires applicable entities to maintain a Privacy Policy with relevant clauses on their websites. A DPDPA-compliant Privacy Policy should contain the following clauses:

  • The types of personal data you collect or process
  • Why you collect or process consumers' personal data
  • How consumers can exercise their rights (including how they can appeal your decisions)
  • What kinds of personal data you share with third parties
  • What categories of third parties you share personal data with
  • Your online contact information
  • A way for consumers to opt out of the sale of their personal data, targeted advertising, and certain profiling

The Delaware Department of Justice is responsible for enforcing the DPDPA. Until December 31, 2025, if the Department of Justice finds you in violation and a cure is possible, it will send you a notice and you must cure the violation within 60 days of receiving it, or the Department of Justice may take action against you. After that date, offering a cure period is at the Department of Justice's discretion.