Last week, Delaware Governor John Carney signed into law the Delaware Personal Data Privacy Act (“DPDPA”), the state’s new consumer privacy law that will become effective January 1, 2025. The First State is now the 12th state to fully enact a comprehensive consumer data privacy law, joining California, Colorado, Connecticut, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia. Our previous posts on laws in those states can be found here. Though the DPDPA generally tracks consumer privacy laws in other states—particularly those in Colorado, Connecticut, and Oregon—it does contain nuances that organizations should note, particularly a lack of general exclusions for nonprofits and higher education institutions as well as a lower threshold for applicability.
Below is an overview of some key components of the DPDPA—the latest tongue-twisting initialism in the state privacy law space (see, e.g., CCPA/CPRA/CPPA; CPA; CTDPA; TDPSA).
Applicability and Scope
The DPDPA does not include a revenue threshold for covered businesses like the California Consumer Privacy Act. To be subject to the DPDPA, a company must do business in Delaware or target products or services to Delaware residents and either:
- control or process personal data of at least 35,000 Delaware residents excluding information controlled or processed solely for the purpose of completing a payment transaction, or
- control or process personal data of at least 10,000 Delaware residents and derive more than 20 percent of gross revenue from the sale of that information.
The 35,000-resident threshold is notably the lowest among the states with consumer privacy laws, likely reflecting Delaware’s relatively small population of just over 1 million individuals. By comparison, Montana, with a population of about 1.1 million, sets a 50,000-consumer threshold in its law.
As noted above, the DPDPA does not generally exempt higher education institutions and nonprofits, though it does contain exceptions for (1) “[a]ny nonprofit organization dedicated exclusively to preventing and addressing insurance crime” and (2) personal data of a “victim of or witness to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking that is collected, processed, or maintained by a nonprofit organization that provides services to [such victims or witnesses].” Additionally, the DPDPA creates exemptions for government entities as well as institutions subject to the Gramm–Leach–Bliley Act, including asset managers.
The DPDPA also does not apply to certain classes of data, including protected health information under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), though the law does not provide an entity-level exemption for covered entities and business associates subject to HIPAA.
The DPDPA grants certain data rights to Delaware residents acting in an individual capacity (“consumers”), as opposed to persons acting in the employment or B2B context. Such rights generally align with those granted by other state privacy laws, including the right to:
- confirm whether a data controller is processing a consumer’s personal data and to access such data;
- correct inaccurate personal data;
- delete personal data;
- obtain a copy of personal data in a format that allows a consumer to transmit that data to another controller;
- obtain a list of categories of third parties to which the controller has disclosed personal data; and
- opt out of the processing of personal data for (1) targeted advertising, (2) the sale of personal data, and (3) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
Under the DPDPA, controllers must adhere to certain requirements, including:
- limiting the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed;
- refraining from processing personal data for purposes that are not reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed;
- refraining from processing sensitive data without consumer consent;
- providing an effective mechanism for a consumer to revoke consent, and ceasing to process the data within 15 days after receiving such a revocation request;
- establishing, implementing, and maintaining reasonable security practices to protect the confidentiality, integrity, and accessibility of personal data;
- not processing the personal data of a consumer for targeted advertising or selling the consumer’s personal data without consumer consent where the consumer is between 13 and 18 years old; and
- not discriminating against a consumer for exercising any consumer rights.
Opt-Out Preference Signals. Like other state privacy laws, the DPDPA requires covered entities that sell a consumer’s personal data or use it for targeted advertising purposes to allow a consumer to opt out of such processing through an opt-out preference signal. Controllers must also recognize universal opt-out mechanisms beginning January 1, 2026.
Sensitive Data. Under the DPDPA, controllers may only process a consumer’s sensitive data after obtaining the consumer’s consent. Sensitive data includes one’s racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or non-binary, citizenship or immigration status, personal data of a child, genetic or biometric data, and precise geolocation data. The inclusion of transgender or nonbinary status—a feature of Oregon’s law—underscores a broader approach to sensitive data.
Children’s Privacy. The DPDPA prohibits a covered entity from processing the personal data of a consumer for the purposes of targeted advertising or from selling personal data without the consumer’s consent where a controller has actual knowledge or willfully disregards that the consumer is between the ages of 13 and 18.
Agreements Between Controllers and Processors. The DPDPA also requires controllers to enter into contracts with processors imposing a duty of confidentiality. Processors are also required to:
- delete or return personal data upon the controller’s request;
- permit an assessment of the processor’s technical and organizational measures;
- demonstrate compliance with the DPDPA;
- cooperate with the controller’s data protection assessments; and
- engage subcontractors that are subject to the same privacy requirements as processors, and permit controllers to object to the use of those subcontractors.
Though Delaware is not the first state to pass a consumer privacy law, its distinctive approach to scope may require some businesses to comply that otherwise fall outside the thresholds or exemptions of other state privacy laws. Companies, especially those with operations in Delaware, should assess their compliance programs and implement appropriate controls around their collection and use of personal data.
Several other states are currently considering similar laws. Massachusetts, New Jersey, North Carolina, and Pennsylvania all have bills currently in legislative committees. Ropes & Gray will continue to track developments in this area.