VIEWPOINT: What to know about Delaware’s Data Privacy Law
Delaware has recently joined the continuously expanding group of states to adopt data privacy regulations. On Sept. 11, Gov. John Carney signed into law the Delaware Personal Data Privacy Act (DPDPA), which is scheduled to take effect Jan. 1, 2025. The DPDPA follows the lead of other privacy legislation that have come before it, and as a result, many companies will be able to leverage their current privacy programs to meet the requirements; however, the Delaware Bill does contain some nuances that must be accounted for in order to remain in compliance and avoid regulatory enforcement.
Will this affect your business?
Delaware distinguishes itself from other data privacy regulations by imposing a notably low applicability threshold for businesses. For a business to be subject to the DPDPA, it must do business in Delaware or target products and services in Delaware, and they must either control or process the personal data of 35,000 or more consumers (not including the control or processing of personal data for the purpose of completing a payment transaction), or control or process the personal data of 10,000 or more consumers and derive 20% of their gross revenue from the sale of personal data. Unlike other privacy legislation, such as Colorado and Virginia that both require a significantly higher threshold of applicability at 100,000 consumers, Delaware’s lower requirement may be attributed to its relatively small population size.
Exemptions in the DPDPA closely resemble those found in similar bills; however, the Delaware Bill does provide narrowly tailored exemptions in some cases. First, both information-level and entity-level exemptions exist for financial institutions and information subject to the GBLA (Gramm-Leach-Bliley Act), which requires those affected to explain their information-sharing practices to their customers and to safeguard sensitive data. Next, the Act does not provide an entity-level exemption for businesses subject to HIPAA, but does provide an information-level exemption for protected health information under HIPAA. Finally, the Bill provides a full exemption for non-profit entities; however, it does provide a narrow exemption for any non-profit organization dedicated exclusively to preventing and addressing insurance crime. It also provides an exemption for personal data of victims or witnesses that are collected, processed, or maintained by a nonprofit organization that provides services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking.
Consumer rights & duties of the controller
With any new data privacy legislation, it’s important to understand both consumer rights and duties of the controller. Under the DPDPA, a consumer has the right to confirm whether a controller is processing their personal data, correct inaccuracies in their data, and more. Duties of the controller include limiting the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed as disclosed to the consumer, not processing personal data for purposes that are not reasonably necessary or compatible with the disclosed purposes for which such personal data is processed, and more. These are just a few examples, and because of the extensive nature of this Bill, it’s important to review it thoroughly.
Although many similarities exist between the DPDPA and previously enacted privacy legislation, a number of small nuances in addition to a new enforcement agency increases the risk of potential non-compliance. With that in mind, having a well-designed privacy program should be a top priority for businesses. To stay compliant, make sure you thoroughly review and understand the Bill, assess whether your business aligns with the criteria for enforcement as outlined in the DPDPA, and audit your current privacy program to ensure it’s comprehensive enough to cover all provisions.
Emily Johnson, JD, MBA, is a data privacy consultant with Zaviant Consulting, a leading data privacy and cyber risk consulting firm based in Philadelphia.