Delaware Gov. John Carney on Sept. 11 signed into law House Bill 154, the Delaware Personal Data Privacy Act. This makes Delaware the 12th state to enact a comprehensive consumer data privacy law, following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, and Oregon. The Act will go into effect Jan. 1, 2025.
The Act applies to persons that conduct business in Delaware or persons that produce products or services that are targeted to residents of Delaware and that during the preceding calendar year did any of the following:
- Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
- Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data.
Exemptions include, but are not limited to:
- Any financial institution or affiliate of a financial institution, all as defined in 15 U.S.C. 6809, to the extent that the financial institution or affiliate is subject to Title V of the Gramm Leach Bliley Act and the rules and implementing regulations promulgated thereunder;
- Data subject to the Gramm Leach Bliley Act and the rules and implementing regulations promulgated thereunder;
- Protected health information under HIPAA;
- Activities regulated by the Fair Credit Reporting Act.
Consumers have the right to:
- Confirm processing of their personal data and access such data;
- Correct inaccuracies, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data;
- Delete personal data provided by, or obtained about, the consumer;
- Obtain a copy of the consumer’s personal data processed by the controller;
- Obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data;
- Opt out of processing if for the purpose of targeted advertising, sale, or profiling.
Sensitive Personal Information
Sensitive personal data may not be processed without the consumer’s consent or, in the case of a known child, without first obtaining consent from the child’s parent or lawful guardian and otherwise complying with the Delaware Online Privacy and Protection Act, specifically Del. Code Ann. tit. 6, § 1204C.
Sensitive Data means personal data that includes any of the following:
- Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, citizenship status, or immigration status.
- Genetic or biometric data.
- Personal data of a known child.
- Precise geolocation data.
A contract between a controller and processor must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties and:
- Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.
- At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.
- Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in this chapter.
- After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data.
- Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor.
Data Protection Assessments
A controller that controls or processes the data of not less than 100,000 consumers must conduct and document on a “regular basis” a data protection assessment for processing activities that presents a heightened risk of harm to a consumer, including:
- Processing for the purpose of targeted advertising;
- Processing for the purpose of selling personal data;
- Processing for the purpose of certain profiling; and
- Processing sensitive data.
The “100,000 consumers” threshold excludes data controlled or processed solely for the purpose of completing a payment transaction.
The Act does not create a private right of action. A violation is an unlawful practice under Del. Code Ann. tit. 6, § 2513 and can be enforced solely by the Attorney General pursuant to Del. Code Ann. tit. 6, § 2522. Provided a person cannot cure a violation within 60 days, the Attorney General may seek injunctive relief and a civil penalty of not more than $10,000 for each willful violation. The opportunity to cure provision expires Dec. 31, 2025.
For a chart comparing the state comprehensive data privacy acts, and more information and insight from Maurice Wutscher on data privacy and security laws and legislation, click here.