On September 11th, Gov. John Carney (D) signed the Delaware Personal Data Privacy Act into law. The Act will take effect January 1, 2025. With the DPDPA on the books, the number of states with comprehensive privacy laws increases to twelve.
Here are some of the highlights of the DPDPA:
Effective date and scope. Again, the Act will take effect on January 1, 2025, and it will apply to entities that conduct business in Delaware or that produce products or services that are targeted to Delaware residents and that during the preceding calendar year did any of the following:
- Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data.
Nonprofits. Delaware joins Colorado and Oregon as the only states with privacy laws that apply to nonprofits. Like Oregon, the Delaware law exempts nonprofit organizations that are dedicated exclusively to preventing and addressing insurance crime. The Delaware law is unique in that it also exempts personal data collected, processed, or maintained by a nonprofit organization that provides services to individuals who are victims of, or witnesses to, child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking. Apart from these two exemptions, all other nonprofit organizations must comply with the Act’s obligations.
Definition of “sensitive data.” The Act defines “sensitive data” as personal data that includes any of the following: (1) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, citizenship status, or immigration status; (2) genetic or biometric data; (3) personal data of a known child; and (4) precise geolocation data.
Right to obtain a list of the categories of third parties. In addition to the usual set of consumer privacy rights found in many of the other state privacy laws, the Delaware law gives consumers the right to obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data.
Opt-out preference signal requirement. The Act’s opt-out preference signal requirement will go into effect no later than January 1, 2026. Most states with universal opt-out mechanism/opt-out preference signal requirements allow consumers to use the mechanisms to opt out of targeted advertising and the sale of their personal data. It appears that the Delaware law may allow consumers to use preference signals to opt out of profiling as well. But inconsistent cross-referencing in the legislative text makes this uncertain.