Delaware Privacy Law

Delaware Governor John Carney signed House Bill 154, the Delaware Personal Data Privacy Act (DPDPA) into law on September 11, 2023. The DPDPA’s main provisions become effective on January 1, 2025. Unlike most other state privacy laws, the DPDPA does not exempt most nonprofit organizations or institutions of higher education from compliance.

Like other state privacy laws, the Delaware law creates obligations on “controllers” and “processors” of personal data; defined as the persons who, alone or jointly with others, determine the purposes and means for processing personal data, and the natural or legal entities who process personal data on behalf of a controller, respectively.

The DPDPA applies to any persons who conduct business in Delaware producing products or services that are targeted to Delaware residents, and that during the preceding calendar year: (1) controlled or processed personal data of not less than 35,000 Delaware residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) controlled or processed personal data of not less than 10,000 Delaware residents and derived more than 20% of its gross revenue from the sale of personal data.

Like other states’ privacy laws, information and data exempt from the provisions of the DPDPA include, among other types, personal data subject to regulation under the FRCA, HIPAA, FERPA, and GLBA.  

Controllers have the following obligations under the DPDPA:

• Privacy Notice: controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the categories of personal data processed by the controller; the purpose for processing personal data; the categories of personal data that the controller shares with third parties, if any; the categories of third parties, if any, with which the controller shares personal data; how consumers may exercise their consumer rights and appeal any controller’s decision regarding a consumer’s request; and an active email address or other online mechanism that the consumer may use to contact the controller.
• Restraint: controllers must limit the controller’s collection of personal data to that personal data adequate, relevant and reasonably necessary for the purposes of processing, and must obtain consumer consent for any processing outside of previously disclosed purposes.
• Security: controllers must have reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue.
• Rights Request Mechanism: controllers must provide an effective means by which a consumer may exercise its rights under the DPDPA, including the revocation of his or her consent under the DPDPA.

Consumer rights under the DPDPA include the right to:

• Confirm whether a controller is processing the consumer’s personal data and grant the consumer access to that personal data, unless such access would require the controller to reveal a trade secret;
• Require a controller to correct inaccuracies in personal data about the consumer;
• Require a controller to delete personal data about the consumer;
• Obtain a copy of the consumer’s personal data previously provided by the consumer to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another controller;
• Obtain a list of the specific third parties to which the controller has disclosed the consumer’s personal data; and,
• Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling the consumer in furtherance of decisions made by the controller that produce legal effects or effects of similar significance for the consumer, such as those that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, or access to essential goods or services.

Controllers must respond to a consumer’s rights request within 45 days of receipt of the consumer’s request, with an option to extend such response by an additional 45 days with notice to the consumer.

Like most of the recent data privacy laws being enacted, the DPDPA does not provide a private right of action, with violations only enforceable by the Delaware Department of Justice. Prior to December 31, 2025, the Delaware Department of Justice must issue a notice of violation to a controller prior to initiating any action for violation of the DPDPA, and if the controller fails to cure the violation within 60 days of the notice, the attorney general may bring an action under the DPDPA. Starting January 1, 2026, the Delaware Department of Justice may choose, but is not required, to provide an opportunity to cure a violation. An action brought by the Delaware Department of Justice may result in an injunction or a civil penalty of up to $10,000 for each willful violation.

Have more Questions?