Clifford Chance

Talking Tech

The Delaware Data Privacy Law: An Overview

Data Privacy 31 December 2023

On September 11, 2023, Delaware governor John Carney signed the Delaware Personal Data Privacy Act (the "DPDPA"), making Delaware the thirteenth state in the U.S. to enact comprehensive data privacy legislation. The DPDPA will take effect on January 1, 2025. The DPDPA joins the other U.S. state data privacy laws that are either in effect or will soon come into force (together with the DPDPA, the "State Data Privacy Laws"). This article summarizes key provisions of the DPDPA.

Scope and Applicability

The DPDPA applies to persons that conduct business in Delaware or produce products or services targeted to residents of Delaware and that, during the preceding calendar year, met either of the following thresholds:

  • control or process personal data of at least 35,000 Delaware consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • control or process personal data of at least 10,000 Delaware consumers and derive over twenty percent (20%) of their annual gross revenue from the sale of personal data.

In contrast to most other State Data Privacy Laws, the first prong of the DPDPA's applicability threshold excludes entities that process personal data of Delaware consumers solely for the purpose of completing a payment transaction, likely exempting many brick-and-mortar stores that only collect payment data. Like the Oregon Consumer Data Privacy Act, the DPDPA applies to most non-profit companies, a marked shift from most other State Data Privacy Laws. However, unlike the Oregon law, the DPDPA does not have an additional grace period for non-profit companies, thus their applicable obligations will come into effect at the same time as for-profit entities.

On the other hand, the DPDPA is similar to most other State Data Privacy Laws with respect to certain exemptions and exclusions. For example, the DPDPA only applies to personal data collected from "an individual who is a resident of [the state]" and, like most State Data Privacy Laws other than the California Consumer Privacy Act and California Privacy Rights Act, expressly excludes personal data collected or processed from individuals acting in an employment or commercial context (e.g., business-to-business activities). The DPDPA also includes exemptions in line with most other State Data Privacy Laws, such as for state political subdivisions or entities (other than institutions of higher education), and for any information or data regulated by certain other privacy laws, including the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act.

Controller and Processor Regime

The DPDPA, like other State Data Privacy Laws, follows the regulatory framework of the European Union's General Data Protection Regulation, which distinguishes the roles and responsibilities of controllers and processors. The DPDPA defines a "controller" as an entity that, alone or jointly with others, determines the purpose and means of processing personal data, and a "processor" as an entity that processes personal data on behalf of a controller.

The DPDPA requires controllers to provide consumers with a reasonably accessible, clear, and meaningful privacy notice, which, among other things, discloses:

  • the categories of personal data processed by the controller and the purpose of such processing
  • the categories of personal data that the controller shares with third parties, and the categories of those third parties
  • how consumers may contact the controller and exercise their privacy rights, including the appeals process.

Controllers may only process personal data that is "adequate, relevant and reasonably necessary" for certain specified purposes.

Controllers are also required to implement reasonable administrative, technical, and physical safeguards to protect the confidentiality, integrity, and accessibility of personal data.

Similar to certain other State Data Privacy Laws, the DPDPA requires that controllers conduct and document data protection assessments for certain processing activities, such as targeted advertising, processing sensitive data, selling personal data, or using personal data for certain profiling purposes. However, unlike many other State Data Privacy Laws, these requirements only apply to controllers that process data of more than 100,000 consumers (other than solely for payment processing purposes). A data protection assessment must identify and weigh the benefits of the processing activity against the potential risks to consumers (as mitigated by the safeguards the controller employs to address such risks). Data protection assessment obligations under the DPDPA apply only to processing activities created or generated more than six months after the DPDPA's effective date (i.e., after July 1, 2025) and are not retroactive. Controllers may also use data protection assessments created pursuant to other laws with similar requirements, including other relevant State Data Privacy Laws, for DPDPA compliance purposes.

Like most other State Data Privacy Laws, the DPDPA requires controllers and processors to enter into a written contract that governs the data processing the processor performs on behalf of the controller. These contractual provisions must clearly set out instructions for the processing of the applicable data, describe the type of data subject to processing and the duration, nature, and purpose of such processing, and specify the rights and obligations of each party. Processors must be subject to a duty of confidentiality with respect to the applicable data and must enter into subcontracts with sub-processors to ensure similar protections. Processors also must assist controllers in complying with their applicable obligations (1) under the DPDPA (e.g., responding to consumer rights requests and completing data protection assessments) and (2) relating to the security of personal data processing and the notification of security breaches under Delaware Code Chapter 12B.

Consumer Rights and Requests

The DPDPA provides a variety of individual consumer rights that align with those found in most other State Data Privacy Laws. Consumers have the right to access, correct, delete, and obtain a copy of their personal data, and to opt out of the sale of their personal data and/or the sharing of their personal data for targeted advertising.

The DPDPA also permits parents and guardians to exercise rights on behalf of their children, defined by reference to COPPA (as defined below) as individuals under the age of thirteen (13). Children's data must be processed in accordance with the Children's Online Privacy Protection Act, 15 U.S.C. § 6501 et seq. (COPPA), which requires consent from parents or guardians.

The DPDPA also grants consumers certain rights with respect to other "sensitive data." The DPDPA's definition of "sensitive data" is similar to definitions seen in most other State Data Privacy Laws, which encompass a consumer's racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, citizenship or immigration status, genetic or biometric data, children's data, and precise geolocation data. Similar to certain other State Data Privacy Laws, like the Virginia Consumer Data Protection Act, the DPDPA provides an "opt-in" regime with respect to the processing of sensitive data where controllers may not process a consumer's sensitive data "without obtaining the consumer's consent" (or in accordance with COPPA if the "sensitive data" is children's data).

Right to Appeal

Under the DPDPA, a controller must respond to a consumer's request to exercise a right within forty-five (45) days of receipt of such request. A controller can extend the response period by an additional forty-five (45) days when reasonably necessary and in consideration of the complexity and number of consumer requests received within the initial forty-five (45) day period by providing notice and an explanation to the consumer. Like most other State Data Privacy Laws, if the controller denies a consumer's request, the controller must explain the justification for the denial and include instructions for appeal that are conspicuously available and similar to the process for submitting consumer rights requests. Within sixty (60) days of receipt of an appeal request, a controller must inform the consumer of any action taken or not taken in response to the appeal. If the appeal is denied, the controller must provide the consumer with an online mechanism or other method through which the consumer may contact the Delaware Department of Justice to submit a complaint.

Selling Personal Data

The DPDPA defines the "sale of personal data" as "the exchange of personal data for monetary or other valuable consideration by the controller to a third party." The DPDPA also provides exceptions to the "sale of personal data" in line with other State Data Privacy Laws, including a controller's disclosure of personal data:

  • to a processor that processes personal data on behalf of the controller
  • to a third party for purposes of providing a product or service requested by the consumer
  • to an affiliate
  • at the direction of a consumer or disclosure of personal data that the consumer intentionally made available to the general public and did not restrict to a specific audience
  • for the purpose of a proposed or completed merger, acquisition, bankruptcy, or similar transaction.

As noted above, controllers must provide consumers with the ability to opt out of the sale of their personal data. Similar to the Connecticut Data Privacy Act and Colorado Privacy Act, no later than one year following the DPDPA's effective date (i.e., by January 1, 2026), controllers must provide an opt-out method that honors an opt-out preference signal sent, with the consumer's consent, to the controller. Such an opt-out method may not unfairly disadvantage another controller, must be consumer-friendly and easy to use, and may not rely on a default setting (i.e., the opt-out mechanism must require that the consumer make an affirmative, freely given, and unambiguous choice to opt out).

Targeted Advertising

The DPDPA defines "targeted advertising" as "displaying advertisements to a consumer where the advertisement is based on personal data obtained or inferred from that consumer's activities over time and across nonaffiliated Internet web sites or online applications to predict the consumer's preferences or interests." Like most other State Data Privacy Laws, the DPDPA expressly excludes certain activities from the definition of "targeted advertising," such as advertisements based on:

  • activities within a controller's own web sites or online applications
  • the context of a consumer's current search query or visit to a web site or online application
  • the consumer's request for information or feedback
  • processing that measures or reports the performance, reach, or frequency of an advertisement.

The DPDPA imposes the same opt-out requirements on controllers in connection with targeted advertising as it does with respect to the sale of personal data.

De-identified and Pseudonymous Data

The DPDPA defines "de-identified data" as data that cannot reasonably be linked to an identified or identifiable individual, and such data is expressly excluded from the definition of "personal data." Similar to certain other State Data Privacy Laws, the DPDPA requires that controllers in possession of de-identified data take reasonable measures to ensure that such data cannot be associated with an individual, and contractually obligate any recipients of de-identified data to comply with all applicable provisions of the DPDPA. Additionally, like some other State Data Privacy Laws, such as the Virginia Consumer Data Protection Act, Utah Consumer Privacy Act, and Connecticut Data Privacy Act, the DPDPA requires controllers to "publicly commit" not to re-identify de-identified data.

The DPDPA defines "pseudonymous data" as personal data that cannot be attributed to a specific individual without the use of additional information. Certain consumer rights (e.g., right to access, delete, opt-out, etc.) under the DPDPA do not apply to pseudonymous data if the controller demonstrates that any additional information necessary to identify the consumer is kept separately and subject to effective technical and organizational measures that prevent the controller from accessing such information.

The DPDPA requires controllers that disclose de-identified data and/or pseudonymous data to exercise reasonable oversight to monitor compliance with any contractual commitments relating to that data (including commitments to refrain from attempting to re-identify it) and to take appropriate action to address any breaches of those contractual commitments.

Enforcement and Penalties

In contrast to the California Consumer Privacy Act and California Privacy Rights Act, the DPDPA does not provide consumers with a private right of action and is not enforced by a dedicated privacy agency. Rather, the DPDPA is enforced by the Delaware Department of Justice. Under the DPDPA, the Delaware Department of Justice, prior to initiating an action, must first determine whether a violation can be cured. If so, the Delaware Department of Justice must send the controller notice of the violation and provide sixty (60) days to cure it. If the violation is not cured, the Delaware Department of Justice may initiate an action against the controller and/or processor. The right-to-cure provision sunsets on December 31, 2025, but beginning on January 1, 2026, the Delaware Department of Justice retains the discretion to give a controller and/or processor an opportunity to cure. In contrast to most other State Data Privacy Laws, the DPDPA does not expressly specify a civil penalty amount for violations.