On Sept. 11, 2023, Governor John Carney of Delaware signed into law the new Delaware Personal Data Privacy Act. Advertised as the “strongest privacy bill in the nation,” the law adds to the growing complex tapestry of state data privacy laws now in place in the U.S. Here’s what you need to know about the new law and its potential impact on your business.
- The law takes effect on Jan. 1, 2025. The Delaware Department of Justice plans, no later than July 1, 2024, to begin a public campaign to advise consumers of their rights and businesses of their obligations under the law;
- The law applies to entities conducting business in Delaware that control or process the personal data of a) 35,000 or more Delaware residents or b) 10,000 Delaware residents if the entity derives more than 20 percent of its gross revenue from the sale of personal data;
- The law, like the recently passed Oregon law, does NOT include exemptions for entities covered by HIPAA or for nonprofits (except those dedicated exclusively to preventing and addressing insurance crime), but does include an exemption for entities subject to the Gramm-Leach-Bliley Act, the SEC Act of 1934, and the Commodity Exchange Act. This continues a trend of increasing protections over consumer health information that have shown up as new health data laws in other states;
- The law creates a number of consumer rights, including the right to:
  - Confirm whether an entity is processing the consumer’s personal data and to access such personal data;
  - Correct inaccuracies in the consumer’s personal data;
  - Delete personal data provided by, or obtained about, the consumer;
  - Obtain a copy of the consumer’s personal data in a portable, readily usable format;
  - Obtain a list of the categories of third parties to which the entity has disclosed the consumer’s personal data; and
  - Opt out of the processing of personal data for the purposes of any of the following:
    - Targeted advertising;
    - The sale of personal data (with some exceptions);
    - Profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
- Businesses have 45 days (with an optional 45-day extension where necessary) to respond to consumer requests concerning their personal data. And there must be an appeal process for consumer requests that are denied.
- Businesses are also required to take certain actions, including:
  - Limiting the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed;
  - Establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, appropriate to the volume and nature of the data at issue;
  - Not processing sensitive data concerning a consumer (i.e., information about racial/ethnic origin, religion, mental or physical health, sex life, sexual orientation, citizenship/immigration status, genetic/biometric data, data of a known child, or precise geolocation data) without that consumer’s consent or, for a consumer under the age of 18, the consent of a parent/guardian;
  - Allowing consumers to revoke consent; and
  - Providing a privacy notice that includes:
    - Categories of personal data processed;
    - Purpose for processing personal data;
    - How consumers can exercise their rights, including appealing a business decision with regard to a consumer request;
    - Categories of personal data that the consumer shares with third parties;
    - Categories of third parties with which the business shares personal data; and
    - An active email address consumers may use to contact the business with privacy concerns.
While not entirely dissimilar from other recently enacted consumer data privacy laws, the Delaware law does create another set of procedures for businesses to comply with in connection with their collection and use of consumer personal information.