The latest addition to US privacy laws, the Delaware Personal Data Privacy Act (House Bill-154) sets the standards for handling personal data. The law shares a resemblance with Oregon and Colorado privacy laws.

Enforcement date: Jan 1, 2025

Official text: House Bill-154

What is the DPDP Act of Delaware?

DPDPA is the data privacy law of Delaware and defines the lengths and boundaries of managing Delaware residents’ personal data. It imposes duties upon businesses such as data minimization, purpose limitation, contractual relationships, privacy notice, etc. 

Unlike US privacy laws such as the CCPA, the act does not prescribe a penalty itself; instead, it refers to § 2513 of Subchapter II of Chapter 25 of Title 6, and to Subchapter II of Chapter 25 of Title 29. When read together with these provisions, the penalty can go up to $10,000 per violation.

Unlike most privacy laws, the act does not provide a blanket exemption to non-profit organizations or higher education institutions. Similarly, it does not exempt all entities covered by HIPAA; rather, it exempts only certain data covered by HIPAA.

The Department of Justice is the enforcement agency of DPDPA.

Who does Delaware privacy law apply to?

DPDPA applies to businesses in Delaware or elsewhere that target their products and services to Delaware residents and that met any of the following thresholds in the previous calendar year:

  • Controlled/processed the personal data of 35,000 or more consumers except for payment transactions.
  • Controlled/processed the personal data of 10,000 or more consumers and derived more than 20% of the gross annual revenue from the sale of personal data.

Who is a consumer under DPDPA?

The definition of consumer under DPDPA is similar to that under Montana data privacy law.

A resident of Delaware who does not act in the following contexts comes under the purview of consumers under the act:

  • Commercial/employment context
  • Capacity of an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, non-profit organization, or government agency whose interactions are within the context of that individual’s role.

Who does Delaware privacy law not apply to?

The act exempts certain entities and categories of personal data from its applicability. Let us take a closer look at the exemptions.

DPDPA does not apply to the following entities:

  • Government bodies and political subdivisions of Delaware, such as regulatory, legislative, and executive bodies and bureaus. Higher education institutions are not exempted.
  • Financial institutions covered by the Gramm-Leach-Bliley Act.
  • Non-profit organizations solely engaged in insurance crime prevention.
  • A registered national securities association or futures association.

Apart from these entity-level exemptions, certain personal data are also exempted such as those covered under HIPAA, Driver’s Privacy Protection Act, credit-related information, patient-identifying information, etc. It also exempts information processed by non-profit organizations to provide services to victims of crimes like domestic violence, stalking, child abuse, sexual assaults, human trafficking, violent felonies, etc.

The act does not apply to the processing of personal data in a household/personal context.

What is personal data under Delaware privacy law?

Times have changed, and privacy is no longer an attribute of the rich. Consumers are vigilant and demand the protection of their personal data.

Any information that can identify an individual is personal data. This includes but is not limited to phone numbers, personal identification numbers, addresses, etc. However, personal data does not include de-identified data and publicly available information.

De-identified data is data stored in such a way that it has lost its potential to identify the individual/device of the individual to whom it relates. 

Publicly available information is any information made available through government records or by the individual to a public audience. For instance, a personal experience shared in an autobiography may not be personal information once it is available to the public.

What is sensitive data under DPDPA?

Sensitive data is the personal information of an individual that poses a serious threat, harm, or discrimination if compromised. Therefore it is given a special status and protection under many privacy laws including DPDPA.

DPDPA classifies the following types of data as sensitive:

  • Data that reveals:
      • racial/ethnic origin
      • religious beliefs
      • mental/physical health conditions
      • pregnancy
      • sex life and sexual orientation
      • transgender or non-binary status
      • immigration status
  • Genetic/biometric data, for example fingerprints or eye retinas
  • Personal data of a child under the age of 13, if known
  • Precise geolocation (within a radius of 1,750 feet)

What are the obligations of businesses under Delaware privacy law?

The backbone of any law is the obligations imposed by it. This ensures that the intended purpose of the law is achieved without any hindrances. Likewise, DPDPA also mandates the following duties upon organizations like businesses:

Data minimization and purpose limitation

Businesses may collect large volumes of personal data for different purposes, which raises privacy concerns. The law therefore requires businesses to collect only the personal data that is reasonably and adequately required for the specific purpose for which it is collected.

Similarly, limit the processing of personal data to the extent required to fulfill the specific purpose. If you need to use it for other purposes, obtain consent from the consumers.

Implement security safeguards

Businesses are required to set up safeguards within their internal systems to prevent breaches and data leaks, and to ensure the confidentiality and integrity of the personal data they hold. Mechanisms include encryption, strong authentication, access controls, and similar measures.

Consent

Do not process sensitive data without the consent of the consumer (opt-in mechanisms). In the case of children, parents or legal guardians are the authorized persons to give consent.

Obtain consent from consumers before using the personal data of children between 13 and 18 years of age for sale or targeted advertising.

Valid consent is an affirmative action signifying an agreement that is given freely, specifically, and unambiguously after being informed of the reason, purpose, consequences, etc of such action. 

Consent obtained through dark patterns, or through non-affirmative actions such as hovering over, muting, or closing a piece of content seeking consent, is not valid.


Non-discrimination 

Do not retaliate against consumers by increasing the price or decreasing the quality of products offered solely because they exercised their rights. There is one exception: if a service requires personal information that you have not collected, you are not legally bound to provide that service.

You can offer products at different prices, quantities, or qualities, or even for free, based on customers’ participation in loyalty programs, discounts, coupons, or club cards.

In addition to these obligations, businesses are expected to comply with anti-discrimination laws at the federal level.

Consent withdrawal

Provide convenient mechanisms by which consumers can easily revoke their consent. They should be as simple as those used to obtain consent. 

Once consent is revoked, cease processing the personal data as soon as practicable, and in any case within 15 days.

Opt-out mechanisms

Businesses must provide consumers with mechanisms to opt out of targeted advertising, the sale of personal data, and user profiling. 

Businesses must also recognize global opt-out signals by Jan 1, 2026 (one year after the enforcement date).
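The following is an added example, not code from the original article, showing how a web backend can honor a global opt-out signal at request time. It assumes the signal arrives as the Global Privacy Control request header "Sec-GPC: 1" (a real, standardized header; treating it as the signal the act refers to is this example's assumption), and the consent-record shape and sample values are constructed for illustration. The signal is allowed only to tighten the consumer's stored choices, never to loosen them, and the example treats it as covering sale and targeted advertising while profiling remains governed by the consumer's explicit opt-out.

```javascript
// Added example (not from the original article or any named project).
// Assumption: the global opt-out signal is the header "Sec-GPC: 1".
// The consent-record shape ({ consumerId, optedOut: [...] }) is constructed.

// Purposes this example treats the signal as covering.
const SIGNAL_PURPOSES = ["sale", "targeted_advertising"];

// Read the signal from an incoming request's headers (plain object).
// Header names are case-insensitive, so compare after lower-casing.
// Only the exact value "1" counts; anything else is treated as absent.
function hasGlobalOptOut(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Merge the stored consent record with the request-time signal.
// The signal can only add opt-outs; it never re-enables a purpose the
// consumer has already opted out of explicitly.
function effectiveOptOuts(headers, consentRecord) {
  const optedOut = new Set(consentRecord.optedOut || []);
  if (hasGlobalOptOut(headers)) {
    for (const purpose of SIGNAL_PURPOSES) optedOut.add(purpose);
  }
  return [...optedOut].sort();
}

// Gate a processing purpose on the effective preferences. Call this before
// handing data to an ad partner or a data buyer.
function mayProcess(purpose, headers, consentRecord) {
  return !effectiveOptOuts(headers, consentRecord).includes(purpose);
}

// Constructed sample inputs for a stand-alone run.
const SAMPLE_HEADERS_WITH_SIGNAL = { "Sec-GPC": "1", accept: "text/html" };
const SAMPLE_HEADERS_NO_SIGNAL = { accept: "text/html" };
const SAMPLE_RECORD = { consumerId: "c-0001", optedOut: ["profiling"] };

console.log(effectiveOptOuts(SAMPLE_HEADERS_WITH_SIGNAL, SAMPLE_RECORD));
// → [ 'profiling', 'sale', 'targeted_advertising' ]
console.log(mayProcess("sale", SAMPLE_HEADERS_NO_SIGNAL, SAMPLE_RECORD));
// → true
```

In a real deployment the decision returned by mayProcess should be logged alongside the request so that honoring the signal is auditable, and the stored consent record should be updated when the consumer later exercises an explicit opt-out through the site's own controls.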

Response plan

Practice and maintain a good response culture toward consumer requests. The law requires businesses to respond to and fulfil a request within 45 days, which can be extended by a further 45 days where necessary. Inform the consumer of any such extension within the initial 45-day period. Fulfil requests free of charge once a year (per consumer).

Respond to the appeals from consumers within 60 days. 

Contractual relationship

Enter into a contractual relationship with data processors and third parties engaged in the data processing. A processor processes personal data on behalf of controllers like businesses.

The contract must determine the rights and obligations of the parties, ensure confidentiality of personal data, and require all parties engaged in data processing to adhere to the law. It should also determine the purpose and nature of the processing, its duration, types of data, etc.

Data protection assessments

The law compels businesses that process the personal data of 100,000 consumers (except for payment transactions) or more to conduct data protection assessments for activities that pose a high risk. This includes the processing of sensitive data, and the processing of personal data for sale, targeted advertising, and profiling.

These assessments must be recorded and are confidential.

Privacy notice

Draft and publish a privacy notice to inform users about your data practices. It should be posted conspicuously and easily accessible. 

A privacy notice acts as the wheels of your “data transparency” cart. If you are wondering what to include in the notice, don’t worry, you are sorted. We will deal with privacy notice requirements in the subsequent section. 

What are the privacy notice requirements under Delaware privacy law?

The objective behind a privacy notice is data transparency. Consumers are entitled to be aware of the information practices of businesses including how businesses handle their personal data.

The following information must be provided in your privacy notice:

  • Categories of personal data collected
  • The specific purpose of processing personal data
  • The process of exercising consumer rights and appeals
  • Categories of personal data shared with third parties and the categories of those third parties
  • E-mail address or other online contact information
  • The process to opt-out if the controller sells personal data or processes it for targeted advertising.
  • One or more methods to submit consumer requests
  • Opt-out links for targeted advertising and sale

The act does not expressly mention opt-out links for profiling but confers a right to opt out of profiling on consumers. Therefore the best approach is to provide opt-out links for profiling as well.

What are the rights of consumers under Delaware privacy law?

Right to confirm and access

Consumers have the right to confirm whether businesses are processing their personal data, and to access that personal data. However, these rights cannot be exercised where doing so would compromise trade secrets.

Right to correct

Consumers can request businesses to correct any inaccuracies in the personal data maintained by them.

Right to delete

Consumers have the right to request deletion of their personal data regardless of whether it was collected from them or other sources.

Right to obtain and portability

Consumers are conferred with the right to obtain a copy of their personal data processed by businesses in a portable format. They can also obtain the list of categories of third parties with whom personal data is shared.

Right to opt-out

Consumers have the right to opt out of targeted advertising, the sale of personal data, and profiling. They can do this themselves or designate an authorized agent, including through global device settings and browser extensions.

What are the enforcement actions and penalties under DPDPA?

The provisions for enforcement of privacy laws strengthen the privacy legal landscape. As mentioned, the Department of Justice has investigative and enforcement authority. The act must be read with Subchapter II of Chapter 25 of Title 29; therefore, the penalty may reach up to $10,000 for a single violation.

Like many US privacy laws, DPDPA also provides a cure period for businesses. Before initiating legal action, the enforcement agency must give the violator 60 days’ notice. If the violation is cured within that period, there may be no legal repercussions. However, this cure period is available only until 31 December 2025; after that, granting a cure period is at the agency’s discretion.

The decision of whether to grant a cure period will depend on several factors, including the number of violations, the nature of the processing, and the injury to the public.

The law does not confer a right to private action on consumers.

Compliance checklist for Delaware Personal Data Privacy Act

  • Purpose limitation and data minimization
  • Implement adequate security measures
  • Obtain consent for processing sensitive data
  • Provide opt-out mechanisms to opt out of targeted advertising, sale of personal data, and profiling
  • Do not discriminate against consumers for exercising consumer rights
  • Have a contractual relationship with processors and third parties involved in personal data processing
  • Have an effective response plan
  • Provide a convenient consent withdrawal mechanism to consumers
  • Conduct data protection assessments regularly
  • Provide a clear and unambiguous privacy notice to consumers with all necessary information
  • Recognize global opt-out signals by Jan 1, 2026

Infographic: California CCPA vs Delaware DPDPA

FAQ on Delaware PDPA

Does Delaware have a privacy law?

Yes, the Delaware Personal Data Privacy Act is the privacy law of Delaware, and Delaware is the 12th state in the US to have a data privacy law. The penalty for a single violation may go up to $10,000.

Are breach notifications mandatory under DPDPA? 

Even though the DPDPA does not itself set out breach notification requirements, businesses are still bound by Delaware’s breach notification law. Under that law, businesses must notify the persons whose personal information was breached within 60 days of discovering the security breach. If the breach affects more than 500 Delaware residents, businesses must also notify the Attorney General.

What is the PII law of Delaware?

The PII law of Delaware is the Delaware Personal Data Privacy Act. The Governor of Delaware approved it on September 11, 2023, and it becomes effective on Jan 1, 2025.