On June 30, 2023, the Delaware general assembly made a significant move in the field of data privacy by passing the Delaware Personal Data Privacy Act (DPDPA), H.B. 154.
This bill, if signed into law, will bring Delaware into the fold of states with comprehensive privacy statutes, joining the ranks of California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Texas, Florida, and potentially Oregon.
The DPDPA is similar to the privacy statutes in Connecticut, Montana, and the recently passed bill in Oregon, but it does have some notable distinctions.
The DPDPA has a wide scope and applies to any individual or entity conducting business or offering products or services to Delaware residents.
Specifically, it covers those who control or process personal data of either 35,000 or more consumers (excluding data processed solely for payment transactions) or 10,000 or more consumers if they derive over 20% of their annual revenue from the sale of data.
However, certain types of information, such as employee data, are exempt from the DPDPA.
One significant aspect of the DPDPA is its provisions regarding sensitive data. It mandates obtaining consent prior to processing such data.
Sensitive data, as defined by the act, includes information revealing race, religious beliefs, mental or physical health conditions or diagnoses, sex life, sexual orientation, transgender or nonbinary status, citizenship status, precise geolocation, and other categories that align with other state privacy statutes.
The DPDPA also includes a definition for "genetic data," encompassing any information resulting from the analysis of biological samples or other sources that provide equivalent genetic information.
The DPDPA provides consumers with several rights. They have the right to confirm whether their personal data is being processed by a controller and to access that data.
They can also request corrections to inaccuracies in their personal data, deletion of personal data provided by or obtained about them, and a portable copy of their personal data.
Additionally, consumers have the right to obtain a list of the categories of third parties to which their personal data has been disclosed.
They can choose to opt-out of processing for targeted advertising, the sale of personal data, or profiling for solely automated decisions with significant legal effects.
The act also necessitates that controllers implement opt-out preference signals.
Regarding consent, the DPDPA establishes that unless a controller obtains a consumer's consent, processing personal data for targeted advertising or selling personal data is prohibited if the controller has "actual knowledge that, or willfully disregards whether, the consumer is at least thirteen years of age but younger than 18 years of age."
Enforcement of the DPDPA falls under the exclusive authority of the Attorney General, and there is no provision for a private right of action.
If enacted by January 1, 2024, the DPDPA will go into effect on January 1, 2025. The act includes a 60-day right to cure, which will expire on December 31, 2025.
If enacted after January 1, 2024, the DPDPA will come into effect on January 1, 2026.
In conclusion, the passage of the Delaware Personal Data Privacy Act (DPDPA) by the Delaware general assembly marks a significant step toward enhancing data privacy rights for Delaware residents.
If signed into law, the DPDPA will bring Delaware in line with other states that have implemented comprehensive privacy statutes.
With provisions covering a broad range of areas, such as scope and exemptions, sensitive data, consumer rights, opt-in consent, and enforcement, the DPDPA aims to protect the personal data of Delaware residents and provide them with more control over how their information is collected, processed, and shared.