On June 30, the Delaware legislature passed the Personal Data Privacy Act (“the Act”). The Act now moves to the Delaware Governor’s desk for consideration and, if signed into law, will make Delaware the seventh state this year to pass comprehensive privacy legislation (joining Oregon, Iowa, Indiana, Montana, Tennessee, and Texas) and the twelfth state overall with a comprehensive privacy law.
The Delaware Act is similar to the privacy laws passed in Colorado, Connecticut and Oregon in terms of having stronger privacy protections for consumers (compared to the laws that have passed in states like Utah, for example). Like the laws in Colorado and Connecticut, the Act requires opt-in processing for sensitive data, explicitly prohibits consent obtained through dark patterns, requires recognition of opt-out preference signals, and creates an opt-out requirement for profiling in furtherance of solely automated decisions that produce legal or similarly significant effects for consumers. Additionally, and like the recently passed Oregon privacy law, the Act does not provide entity level exemptions for covered entities and business associates regulated under the Health Insurance Portability and Accountability Act (HIPAA) and also does not provide a broad exception for nonprofits.
Delaware only adds to the complexity that US businesses have to deal with in terms of privacy compliance in the absence of a preemptive federal law. While companies should be able to leverage their pre-existing privacy compliance programs to account for many of Delaware’s requirements, the addition of a new law and a new regulator increases the risk associated with non-compliance. Proper privacy compliance, therefore, should be a top priority for businesses.
In this post, we highlight the key takeaways from the Act. We are happy to answer any questions you might have about this bill and how it could affect your company’s privacy compliance programs. To stay up-to-date on other privacy and cybersecurity news, you can subscribe to our blog.
- Broad Definition of Sensitive Data. The Act defines sensitive data to include data revealing racial or ethnic origin, religious beliefs, mental or physical health condition, sex life, sexual orientation, status as transgender or nonbinary, citizenship status, and immigration status. Sensitive data also includes genetic or biometric data, personal data of a known child, and precise geolocation data. Transgender or nonbinary status was also included in Oregon’s law, and its inclusion reflects a shift towards broader definitions of sensitive data in state privacy laws. The Act also contains a definition of genetic data, which many other state laws lack, and explicitly includes pregnancy status in its definition of sensitive data.
- Narrower Exemptions. The Act, like the laws in Colorado and Oregon, applies to nonprofits. There are only two narrow exceptions for nonprofits: one for nonprofit organizations “dedicated exclusively to preventing and addressing insurance crime,” and one for personal data collected by nonprofits related to victims or witnesses of certain crimes, including domestic violence and stalking. The Act also does not provide entity-level exceptions for covered entities or business associates regulated under HIPAA (but does contain an information-level exception for protected health information under HIPAA). However, the Act does contain both information-level and entity-level exceptions for financial institutions and information subject to the Gramm-Leach-Bliley Act.
- Lower Consumer Threshold. The Act will apply to corporations that operate in Delaware and control or process the personal data of more than 35,000 consumers, or of more than 10,000 consumers if they derive more than 20% of their gross revenue from selling personal data. Larger states like Connecticut, Colorado, and Oregon have a 100,000-consumer threshold, but this lower 35,000 figure likely reflects Delaware’s smaller population. The 20% of gross revenue requirement is also lower than that of other states; for instance, Connecticut and Oregon have a parallel threshold of 25,000 consumers and 25% of gross revenue.
- Heightened Protections for Children’s Data. The Act prohibits a controller from processing the personal data of a consumer for the purposes of targeted advertising or from selling personal data without the consumer’s consent where a controller has actual knowledge or willfully disregards that the consumer is between the ages of 13 and 18.
- Consumer Personal Data Rights. Under the Act, a consumer has the right to:
  1. Confirm whether a controller is processing her personal data and access such personal data;
  2. Correct inaccuracies in the consumer’s personal data;
  3. Delete personal data provided by or obtained about the consumer;
  4. Obtain a copy of her personal data processed by the controller in a format that allows the consumer to transmit that data to another controller;
  5. Obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data; and
  6. Opt out of the processing of the personal data for the following purposes:
     a. Targeted advertising;
     b. The sale of personal data;
     c. Profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
- Duties of Controllers. The Act outlines numerous duties for controllers:
  1. Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed;
  2. Not process personal data for purposes not reasonably necessary to or compatible with the disclosed purposes for which the personal data is processed;
  3. Establish, implement, and maintain reasonable security practices to protect the confidentiality, integrity, and accessibility of personal data;
  4. Not process sensitive data concerning a consumer without obtaining consumer consent;
  5. Not process personal data in violation of Delaware state or federal laws that prohibit unlawful discrimination;
  6. Provide an effective mechanism for a consumer to revoke the consumer’s consent and cease to process the data within 15 days after receipt of such revocation request;
  7. Not process the personal data of a consumer for targeted advertising or sell the consumer’s personal data without consumer consent where the consumer is between the ages of 13 and 18;
  8. Not discriminate against a consumer for exercising any of her consumer rights.
- Mandated Privacy Notice. A controller must also provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the categories of personal data processed by the controller, the purpose for processing personal data, how consumers may exercise their consumer rights, the categories of personal data that the controller shares with third parties, the categories of third parties with which the controller shares personal data, and an email address or other online means by which consumers may contact the controller.
- Opt-Out Preference Signals. Like California, Colorado, and many of the other state privacy laws that have recently passed, the Act requires controllers that sell a consumer’s personal information or use it for targeted advertising purposes to allow a consumer to opt out of such processing through an opt-out preference signal. This is increasingly becoming a staple of new privacy laws.
- Data Protection Assessments. Under the Act, a controller that controls or processes the data of at least 100,000 consumers shall conduct and document a data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to a consumer. Heightened risk of harm includes the processing of personal data for the purposes of targeted advertising; the sale of personal data; and the processing of sensitive data. Notably, heightened risk of harm also includes the processing of personal data for the purposes of profiling where such profiling presents a reasonably foreseeable risk of:
  a. Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
  b. Financial, physical, or reputational injury to consumers;
  c. A physical or other intrusion upon the private affairs of consumers; or
  d. Other substantial injury to consumers.
- Enforcement. The Act can be enforced only by the Delaware Department of Justice, and it goes into effect on January 1, 2025.