Delaware’s DPDPA: Putting Residents’ Privacy First
Since the introduction of landmark legislation like the General Data Protection Regulation (GDPR) in 2016 and the California Consumer Privacy Act (CCPA) in 2018, several US states have passed their own iterations in the hope of better protecting the data privacy of their respective citizens. One of the latest states to join the ranks is Delaware, with the passing of the Delaware Personal Data Privacy Act (DPDPA) on September 11, 2023.
In this comprehensive guide, we delve into the intricacies of the DPDPA, comparing it with its counterparts—the GDPR and the CCPA. We’ll explore who the DPDPA applies to, its exemptions and thresholds, the rights it affords to individuals, and more.
What is the Delaware Personal Data Privacy Act?
The DPDPA makes Delaware the 13th state to enact a comprehensive consumer data privacy law, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Florida, Texas, and Oregon. At its core, the Delaware Personal Data Privacy Act (DPDPA) is landmark legislation designed to enhance the protection of the personal data and privacy rights of individuals within the state of Delaware.
Modeled after the GDPR and CCPA, the DPDPA imposes strict requirements on organizations handling personal data, mandating transparency, accountability, and proactive measures to safeguard sensitive information. The DPDPA will become effective on January 1, 2025.
How Does DPDPA Compare to GDPR and CCPA?
Like the vast majority of data privacy laws, the Delaware data privacy law follows the EU’s General Data Protection Regulation (GDPR) when it comes to the definition of valid consent: “a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer.”
Unlike the CCPA (California), the DPDPA has no separate threshold that could be triggered based solely on annual revenue. Also unlike the CCPA, the Delaware law excludes from the definition of “consumer” individuals acting in a commercial or employment context, leaving California as the only state whose general privacy law covers personal data in the context of human resources, employment and B2B.
Who Does the Delaware Privacy Act Apply to?
The DPDPA will apply to entities that conduct business in the State of Delaware and that either controlled or processed the personal data of not less than 35,000 consumers, or controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data.
The Delaware privacy law requires the Delaware Department of Justice to engage in public outreach to educate consumers and the business community about the Act, beginning at least 6 months prior to the effective date of the DPDPA.
DPDPA Exemptions & Thresholds
While the DPDPA imposes stringent obligations on data controllers and processors, certain exemptions and thresholds may apply under specific circumstances. Exempted entities and their services include:
- Governmental agencies, including regulatory, administrative, legislative or judicial bodies
- Public health organizations
- Financial institutions (also entities and affiliates subject to the GLBA)
- Press, wire, or other information service (and non-commercial activities of media entities)
- Victims or witnesses of criminal activities
Exempted regulations (and data processed relevant to them) include:
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)
- Fair Credit Reporting Act (FCRA)
- Driver’s Privacy Protection Act
- Family Educational Rights and Privacy Act (FERPA)
- Farm Credit Act
- Airline Deregulation Act
Individual Rights Under Delaware Privacy Law
The Delaware Personal Data Privacy Act affords Delaware residents, referred to as “consumers”, specific access and control rights regarding their personal data. Consumers have the right to make authenticated requests to a controller, which include:
- Verifying if the controller is processing their data and accessing their data
- Rectifying any inaccurate personal data
- Deleting personal data
- Receiving a copy of their personal data (data portability)
- Receiving a list of categories of third parties with whom the controller has shared their personal data
- Opting out of the processing of their personal data for targeted advertising, sale, or profiling for solely automated decisions with significant legal effects
Controllers are required to respond to consumer requests to exercise these rights within 45 days, with the option to extend this period by an additional 45 days if necessary due to the complexity or volume of requests.
Data Processing & Consent Requirements Under DPDPA
Similar to several other data privacy laws in the US, the Delaware Personal Data Privacy Act mandates controllers to establish contracts with processors to regulate the processing of data. These contracts under the Delaware Personal Data Privacy Act are required to explicitly outline instructions for processing personal data, the purpose and nature of processing, the categories of data subject to processing, the duration of processing, and the respective rights and responsibilities of the parties involved.
Additionally, these contracts must include provisions for confidentiality and stipulate that processors may only engage subcontractors after obtaining the controller’s approval and entering into a written agreement ensuring that the subcontractor complies with the processor’s obligations regarding personal data.
Delaware Online Privacy and Protection Act
On January 1, 2016, the Delaware Online Privacy and Protection Act (“DOPPA”) went into force, a law that provided strong online privacy protection for its residents. The new law targeted three areas of compliance: (1) advertising to children; (2) conspicuous posting of a compliant privacy policy; and (3) enhancing the privacy protections of users of digital books (“e-books”). The law granted the state’s Consumer Protection Unit of the Department of Justice the authority to investigate and prosecute violations of the law.
Under DOPPA, website and app operators that directed their services to children had to ensure that they did not advertise or market certain enumerated content considered by the law to be inappropriate for children’s viewing, such as alcohol, tobacco, firearms, pornography, and a host of other categories delineated by the law.
How is Personal Data Defined Under the Legislation?
Personal data, as defined under the DPDPA, refers to “any information that is linked or reasonably linkable to an identified or identifiable individual, and does not include de-identified data or publicly available information”.
Consequences of DPDPA Non-Compliance
Similar to many other US State Data Privacy Laws, the Delaware Personal Data Privacy Act does not include provisions for a private right of action. Instead, enforcement authority is exclusively vested in the Delaware Department of Justice. Until December 31, 2025, the Department of Justice is required to issue a notice of violation and provide controllers with a 60-day period to remedy the violation, if it deems such remediation feasible. From January 1, 2026, onwards, the Department of Justice may, at its discretion, offer an opportunity to cure an alleged violation.
Under the Delaware Personal Data Privacy Act, the Delaware Department of Justice is empowered to investigate and prosecute violations in accordance with Delaware’s consumer protection statute. This authority allows for the issuance of cease and desist orders, pursuit of administrative remedies, initiation of judicial actions, and establishment of necessary rules and regulations. In the event of a judicial proceeding, a court may impose civil penalties of up to US$10,000 for each willful violation committed.
Best Practices for Mitigating Risk
Implementing proactive measures to mitigate risks under the Delaware Personal Data Privacy Act (DPDPA) is essential for ensuring compliance and safeguarding sensitive data. Here are some best practices to consider:
- Conduct a Comprehensive Data Inventory: Start by conducting a thorough inventory of all personal data your organization collects, processes, and stores. Understand where this data resides, how it is used, and who has access to it.
- Update Privacy Policies and Notices: Ensure that your organization’s privacy policies and notices are updated to reflect the requirements of the DPDPA. Clearly communicate to individuals how their personal data is collected, processed, and protected.
- Obtain Valid Consent: Implement procedures to obtain valid consent from individuals before processing their personal data. Consent should be specific, informed, and freely given, in line with the DPDPA requirements.
- Establish Data Retention Policies: Develop clear data retention policies that outline how long personal data will be retained and the criteria for its deletion. Ensure that data is not kept for longer than necessary to fulfill its intended purpose.
BigID’s Approach to Achieving Compliance
While the DPDPA is similar to several other state privacy laws, organizations still need to take the necessary actions to comply with the specific aspects of Delaware’s privacy law. BigID enables organizations to proactively prepare for the DPDPA and achieve compliance with its industry-leading platform for data privacy, security, and governance. With BigID you can:
- Discover Your Data: BigID’s data discovery and classification provides complete visibility on all personal and sensitive information subject to the DPDPA.
- Minimize Data: Implement data minimization by identifying and categorizing redundant, obsolete, or trivial (ROT) personal data to manage the data lifecycle from retention to deletion.
- Automate Data Rights Management: BigID enables organizations to automatically manage privacy requests, preferences, and consent, including a universal opt-out mechanism (UOOM) for consumers to opt out of data sales, targeted advertising, and profiling.
- Implement DSPM: BigID provides next-gen data security posture management (DSPM) to protect all your sensitive data across your enterprise’s landscape, whether in the cloud or on-prem, so you can better safeguard data and comply with the DPDPA.
- Assess Risk: BigID offers automated privacy impact assessments, data inventory reports, and remediation workflows to identify risks and report to the Delaware Department of Justice.
To see how BigID can help you achieve compliance with the DPDPA, schedule a 1:1 with our data privacy experts today.