November 17, 2023
The patchwork of U.S. states enacting consumer data privacy laws continues to expand with the Delaware Personal Data Privacy Act (DPDPA).
The law is being touted as “the strongest data privacy bill in the nation.” While that’s not exactly the case — California still holds this title — it is more consumer-friendly than other state laws, and it applies to more businesses (and not just large companies).
Let’s explore the DPDPA and what it means for companies doing business with Delawareans.
As a reminder, while there are laws that protect certain types of data, like health information, there’s no federal law dictating how personal data is collected, stored, or shared. Not only do consumers not know what data is being collected, they don’t know how it’s being shared or used.
To address this, states are implementing their own data protection policies, giving consumers rights and providing responsibilities for those that collect, process, store, or sell consumer data.
Delaware is the 12th state in the nation to implement a comprehensive data privacy act giving consumers more control over their personal data. The law takes effect Jan. 1, 2025, and provides an additional year before controllers must begin recognizing universal opt-out mechanisms.
So far, exemptions have left some entities relatively unscathed by state privacy acts. Delaware’s privacy act, though, has lower applicability thresholds, which means some companies that haven’t had to comply in the past will now be on the hook for DPDPA compliance.
DPDPA applies to any company that does business in the state or produces products or services that are targeted to residents of the state and that, during the previous calendar year, met one of the following:
The 35,000-consumer threshold is the lowest among data privacy laws so far. This, combined with the gross revenue threshold — just 20 percent — means the DPDPA will apply to more small and medium-sized companies than its predecessors.
Like other laws, the DPDPA provides exemptions based on the entity and type of data.
Exempt entities include government bodies, higher education institutions, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), nonprofit organizations dedicated to preventing insurance crimes, entities registered under the Commodity Exchange Act, and national securities associations registered under the Securities Exchange Act.
The list of exempt data types is longer but is still relatively standard among privacy laws. It includes:
DPDPA aligns with all other state laws in terms of the rights it grants consumers, including to:
Confirm whether a controller is processing their personal data and access such personal data (unless access would reveal a trade secret).
Correct inaccuracies in their personal data.
Delete personal data provided by or obtained about the consumer.
Obtain a copy of their data collected in a portable and readily usable format.
Obtain a list of categories of third parties to which the controller has disclosed their personal data.
Opt out of the processing of personal data for targeted advertising, sale, or profiling.
Again, comparable to other laws, the DPDPA gives controllers 45 days to respond to a consumer’s request, allows an extension of 45 days in certain circumstances, and requires the controller to notify the consumer if they decline to take action as well as provide instructions for appealing the decision.
Delaware’s privacy law requires controllers to limit the collection of personal data to what is “adequate, relevant, and reasonably necessary” based on the purpose disclosed to the consumer, and not to process it otherwise.
It also states that controllers must set up safety and security measures to protect personal data of consumers. Companies can’t process data if it would enable discrimination, nor can they discriminate against those who exercise their rights.
Controllers must gain opt-in consent to process sensitive data or data of a known child.
Finally, controllers must provide consumers with a privacy notice that gives them a clear explanation of what data they collect, how it’s used and shared, how to exercise their rights, and how to opt out of the sale of personal data and use of their data for targeted advertising.
Processors, or those who process data on behalf of a controller, must help controllers meet their obligations and be in a contract that governs data processing procedures.
If you control or process data of at least 100,000 consumers, Delaware’s privacy law says you must conduct a data protection assessment for any activity that presents a heightened risk of harm to a consumer. These activities include:
The DPDPA gives enforcement authority to the Delaware Department of Justice (DOJ).
As under other state laws, those who violate the law will be given a right to “cure” the issue. The DPDPA doesn’t specifically outline the penalty for violating the law, but states that the Department may “investigate and prosecute violations of this chapter in accordance with the provisions of Subchapter II of Chapter 25 of Title 29.” In other words, if you break the law, the penalty could be up to $10,000 per violation.
The cure provision, which is 60 days, is only meant to help businesses transition to the law. Like the laws of several other states, including Oregon, California, Connecticut, and Colorado, Delaware’s cure period “sunsets” on Jan. 1, 2026. The idea is that over time, businesses should know and understand what is expected of them and ensure they’re in compliance before they receive an enforcement notice.
After the cure period sunsets, the Department can choose whether to provide a cure period based on several factors, such as the number of violations, size and complexity of the controller or processor, likelihood of injury to the public, and other considerations.
Many Delaware businesses, and companies that operate in multiple states, will need to ensure they understand the DPDPA and its requirements for protecting consumers’ data. Seek out legal counsel and work to create compliant policies and procedures to meet the law.
If you find your head swirling with all the new and upcoming laws, it may be time to look into Osano’s Consent Management Platform, which can take the headache out of maintaining compliance with not just Delaware’s law, but other state laws and those still on the horizon.
The Delaware Personal Data Privacy Act goes into effect Jan. 1, 2025.
Sensitive data is defined as data that reveals:
DPDPA states that sensitive data can’t be processed without the consumer’s (or their parent or guardian’s) consent.
No. When the DPDPA was passed, the only state with a private right of action was California, and only in certain circumstances.
Businesses must recognize Global Privacy Controls (GPC) and other universal opt-out mechanisms by Jan. 1, 2026.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.