Delaware Enacts Personal Data Privacy Act
September 20, 2023
On September 11, 2023, Governor Carney signed into law the Delaware Personal Data Privacy Act (the “Act”), making Delaware one of twelve states that have passed comprehensive data privacy laws in the absence of a national law. The Act, which takes effect on January 1, 2025, will require companies and individuals that fall under its purview to provide certain rights to consumers with respect to the collection, processing, and use of their personal data.
The Act applies to those that conduct business in Delaware (or produce products or services targeted to Delaware residents) and that in the preceding year controlled or processed the personal data of (1) not less than 35,000 consumers, with certain exclusions, or (2) not less than 10,000 consumers and that derive more than 20 percent of their gross revenue from the sale of personal data. Unlike many other states’ data privacy laws, the Act does not exclude non-profit companies (other than those dedicated exclusively to preventing and addressing insurance crime).
As defined in the Act, “personal data” means any information linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information. Companies become “controllers” of data under the Act if they determine the purpose and means of processing personal data. “Processing” includes any operation or set of operations performed, whether by manual or automated means, on personal data or sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
Companies to which the Act applies should be aware of both consumers’ rights and companies’ obligations under the law. The Act largely tracks the comprehensive data privacy laws passed in other states thus far. Like consumer privacy laws enacted in Virginia, Texas, Tennessee, Oregon, Montana, Indiana, Connecticut, and Colorado, the Act provides consumers with the following key rights: (1) to access, correct, and delete their personal data; (2) to opt out of processing for profiling and targeted advertising purposes; (3) to obtain a copy of their personal data in a portable format; and (4) to opt out of the sale of their personal data. Under the Act, consumers also have the right to designate an agent—which could include a platform, technology, or mechanism (like an internet link or global device setting)—to exercise such rights on their behalf.
The Act imposes certain duties and obligations on companies, including that such companies must: (1) limit collection of personal data to only what is adequate, relevant, and reasonably necessary for the purposes for which such data is collected; (2) process such data only for purposes that are reasonably necessary or compatible with the purpose disclosed to the consumer; (3) implement and maintain reasonable security practices to protect personal data; (4) not process sensitive data (such as biometric or geolocation data) without a consumer’s consent; (5) not process personal data in violation of Delaware or federal law; (6) provide an effective mechanism for consumers to revoke their consent; (7) not process personal data for targeted advertising or sell such data of consumers at least 13 but younger than 18 years old, without the consumer’s consent (which complements the already existing Delaware Online Privacy and Protection Act); and (8) not discriminate against any consumer who exercises his or her rights under the Act. Furthermore, companies must provide consumers with a privacy notice that includes the categories of personal data that will be processed, the purpose of such processing, how consumers can exercise their rights, the categories of personal data that are shared with third parties and the categories of such third parties, and an email address or other online mechanism that the consumer can use to contact the company.
Like most states that have enacted comprehensive consumer privacy laws, Delaware has not afforded consumers a private right of action under the Act. Instead, the Act will be enforced solely by the Delaware Department of Justice. During the Act’s first year, the Department of Justice is required to issue a notice of violation to companies before initiating any action if a cure is possible. Companies will have 60 days to cure any such violation, and the Department of Justice has the authority to bring an enforcement action if the violation is not cured within that time. Beginning on January 1, 2026, the issuance of any such notice prior to the initiation of any enforcement action is entirely within the discretion of the Department of Justice.
Compliance with the Act, which follows the enactment of Delaware’s laws regarding disclosure of data breaches that expose personal information, as well as the state’s Online Privacy and Protection Act, will be critical for all entities that fall within its scope. While the Delaware Department of Justice will engage in public outreach to educate both consumers and the business community about the Act starting no later than July 1, 2024, companies should initiate conversations with their legal professionals as soon as possible to determine how best to prepare for when the Act goes into effect.