On June 30, 2023, the Delaware general assembly passed the Delaware Personal Data Privacy Act (“DPDPA”), H.B. 154. This bill resembles the comprehensive privacy statutes in Connecticut, Montana, and the recently passed bill in Oregon, though there are some notable distinctions. If signed into law, Delaware will be the latest state to implement a comprehensive privacy statute, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Texas, Florida, and, if signed into law by the governor, Oregon.
- Scope and Exemptions: The DPDPA would apply to any person that conducts business or provides products or services to Delaware residents and during a calendar year, controls or processes (1) personal data of 35,000 or more consumers (except for personal data controlled or processed solely for the purpose of completing a payment transaction) or (2) personal data of 10,000 or more consumers if the person derives more than 20% of their annual revenue from the sale of data. The DPDPA exempts employee information, among other exceptions.
- Sensitive Data: DPDPA requires consent prior to the processing of sensitive data. The definition of sensitive data includes data revealing race or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, status as transgender or nonbinary, citizenship status, precise geolocation, and a number of other categories that are consistent with many other comprehensive state privacy statutes. However, the DPDPA contains a definition for “genetic data,” which includes “any data, regardless of its format, that results from the analysis of a biological sample of an individual, or from another source enabling equivalent information to be obtained, and concerns genetic material.”
- Consumer Rights: Consumers have rights to: (1) confirm whether a controller is processing their personal data and access such personal data; (2) correct inaccuracies in the consumer ’s personal data; (3) delete personal data provided by or obtained about the consumer; (4) obtain a portable copy of the consumer’s personal data; (5) obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data; and (6) opt-out of processing for purposes of (a) targeted advertising (defined as displaying advertisements that are selected based on the consumer’s activities over time and across nonaffiliated websites), (b) the sale of personal data; or (c) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer. The DPDPA also requires controllers to implement opt-out preference signals.
- Opt-In Consent: Unless the controller obtains a consumer’s consent, the DPDPA would prohibit a controller from processing personal data for targeted advertising, or selling personal data, if the controller has “actual knowledge that, or willfully disregards whether, the consumer is at least thirteen years of age but younger than 18 years of age.”
- Enforcement: The Attorney General has exclusive authority to enforce the DPDPA, and there is no private right of action. The DPDPA will enter into effect January 1, 2025 if the bill is enacted by January 1, 2024. The DPDPA has a 60-day right to cure that sunsets on December 31, 2025. If the bill is enacted after January 1, 2024, the Act will take effect on January 1, 2026.