
Background Brief: Delaware Personal Data Privacy Act

The “Diamond State” has passed the Delaware Personal Data Privacy Act, a modern consumer privacy law that gives its residents some of the important data protection rights found in other states’ privacy regulations. Citizens are covered by the Act as individuals, but not in an employment or commercial context.

Delaware Governor John Carney signed the Act into law on September 11, 2023, and it will become effective on January 1, 2025. An additional rule requiring controllers to recognize and act on universal opt-out signals goes into force on January 1, 2026.

Delaware Personal Data Privacy Act: Key dates

  • May 12, 2023 – Following lobbying by consumer and privacy groups, and the growing trend across the U.S. to give consumers more protections in an increasingly data-driven business landscape, House Bill 154 is introduced by Rep. Krista Griffith with backing from several senators and representatives.
  • May 15, 2023 – In a media release announcing the Delaware Personal Data Privacy Act, Rep. Griffith says: “The Delaware Personal Data Privacy Act is a critical step in safeguarding the privacy rights of Delawareans in our digital age. With the increasing collection and use of our sensitive personal data, it’s so important that we establish comprehensive rights for consumers and ensure that they have avenues to take control over their personal information. This legislation will give them that control and provide much-needed transparency and accountability in the use of personal data by companies.”
  • June 8, 2023 – Following two days of meetings to review amendments to HB 154, the House votes 33-5 in favor.
  • June 27, 2023 – amendments to the bill are tabled with the Banking, Insurance and Technology Committee in Delaware’s Senate, with exclusions for registered securities brokers and dealers alongside financial organizations covered under the Gramm-Leach-Bliley Act.
  • June 29, 2023 – the Delaware Senate unanimously passes the amendments, then passes the bill with a 15-4 vote in favor.
  • June 30, 2023 – the Delaware House votes 37-3 in favor of passing HB 154 to create the Delaware Personal Data Privacy Act.
  • July 20, 2023 – Rep. Griffith tells the Delaware Business Times the compromises in Delaware’s data privacy law were to ‘get it over the line’, adding: “Banks and financial firms are subject to the [Gramm-Leach-Bliley Act] guidelines, so there wasn’t so much heartburn in that. And shortly after the bill passed the House, FINRA [Financial Industry Regulatory Authority] reached out to us to ask to be included in the exemptions. I’m pleased that it passed. I know this bill caught a lot of attention from several industries for its implications. But in practice, we wanted to give power back to our consumers on how their data is used.”
  • September 11, 2023 – Delaware Governor John Carney signs the Delaware Personal Data Privacy Act into law.
  • January 1, 2025 – Delaware’s privacy law goes into effect.
  • January 1, 2026 – an additional requirement for controllers to honor universal opt-out signals goes into effect.

New data privacy rights for Delaware consumers

Delawareans gain new protections under the state’s data privacy law as consumers, but not as employees.

The Act defines a ‘consumer’ as “an individual who is a resident of this State. ‘Consumer’ does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit organization, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit organization, or government agency.”

The definition for ‘personal data’ is very similar to that found in other states’ data privacy laws: “‘Personal data’ means any information that is linked or reasonably linkable to an identified or identifiable individual, and does not include de-identified data or publicly available information”.

Under the Delaware Personal Data Privacy Act, Delawareans (as individual consumers) have gained the following data privacy rights:

  • Right to confirm – consumers have a right to know whether a controller is processing their personal data, including the categories of data processed and the purposes for processing.
  • Right to access and right to data portability – a consumer can request records of their personal data held by a controller “unless such confirmation or access would require the controller to reveal a trade secret”. Consumers also have the right to access a list of the categories of third parties to which the controller has disclosed their personal data. If this information isn’t available in a format specific to the consumer, the controller can instead provide a list of the specific third parties it has shared data with.
  • Right to correct – consumers in Delaware can request a controller correct inaccuracies in records of their personal data, “taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data”.
  • Right to delete – a consumer can ask a controller to delete personal data provided by or obtained about them.
  • Right to opt-out – a consumer can tell a controller their personal data cannot be sold (see below for exceptions) or used for targeted advertising or profiling (when that profiling is “in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer”).
  • Right to non-discrimination – Delawarean consumers exercising personal data privacy rights have a right not to be discriminated against; examples of discrimination listed in the Act include: “denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer”.
  • Right not to have sensitive personal information processed without consent – controllers must first obtain consent from the consumer through a clear and easy-to-understand consent form. Sensitive data is defined as personal information that could reveal a consumer’s:
    • racial or ethnic origin
    • religious beliefs
    • mental or physical health condition or diagnosis (including pregnancy)
    • sex life and sexual orientation
    • status as transgender or nonbinary
    • citizenship or immigration status
    • genetic or biometric information; or
    • precise geolocation.

Any personal data of a known child is also covered as sensitive personal data in the Act. Parents or legal guardians can exercise consumer rights on behalf of their child or children aged under 13.

Until January 1, 2026, when the rule about universal opt-out signals applies, consumers (or parents/guardians acting on behalf of a child) will need to contact each controller and lodge requests to exercise any of these rights.

From January 1, 2026: Universal Opt-Out Signals apply in Delaware

Section 12D-105 of the Delaware Personal Data Privacy Act gives consumers in the state the option of designating an authorized agent to exercise their rights on their behalf, including through universal opt-out mechanisms. This rule is effective from January 1, 2026.

This rule notes that platforms, technologies, browser settings or extensions (e.g. Global Privacy Control), global device settings or other mechanisms “may function as the agent for purposes of conveying the consumer’s decision to opt-out”.

Part (b) of this section, which sets out the controller’s obligation, is largely identical to the equivalent provisions in other U.S. states’ data privacy laws:

“A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent’s authority to act on such consumer’s behalf.”
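As an added illustration (not code from the article or from the Act), here is how a controller’s web server might honor a Global Privacy Control signal as an authorized-agent opt-out. It assumes the GPC specification’s `Sec-GPC: 1` request header, which the article itself does not name, and a hypothetical store of the consumer’s earlier choices.

```javascript
// Added example (not from the TrustArc article or the Act): server-side
// handling of a universal opt-out signal as Section 12D-105 describes.
// Assumption: the signal is Global Privacy Control, which the GPC
// specification carries in the "Sec-GPC" request header with the value "1".

// Header lookup that works whether the framework lowercased names or not.
function readHeader(headers, name) {
  const key = Object.keys(headers).find(
    (k) => k.toLowerCase() === name.toLowerCase()
  );
  return key === undefined ? undefined : headers[key];
}

// True only when the signal is present and set to "1". Anything else
// (absent, "0", malformed) means "no signal", which is never an opt-in.
function gpcSignalled(headers) {
  return String(readHeader(headers, "sec-gpc") ?? "").trim() === "1";
}

// Decide whether this request's personal data may be sold or used for
// targeted advertising. storedPrefs is the consumer's previously recorded
// choice (hypothetical store, e.g. from the site's own opt-out page);
// undefined means nothing is on record. Returns the effective choice and
// the reason it was reached, so the decision can be logged for audit.
function effectiveOptOut(headers, storedPrefs) {
  const prior = storedPrefs ?? { sale: false, targetedAds: false };
  if (gpcSignalled(headers)) {
    // The signal conveys an opt-out of exactly the two activities the
    // Act's opt-out right covers: sale and targeted advertising.
    return { sale: true, targetedAds: true, source: "gpc" };
  }
  // No signal: keep what the consumer chose earlier. A missing or "0"
  // signal must not silently re-enable sale or targeted advertising.
  return { ...prior, source: storedPrefs ? "stored" : "default" };
}

// Constructed request headers for illustration.
const sampleHeaders = { "Sec-GPC": "1", "user-agent": "example-browser/1.0" };

console.log(effectiveOptOut(sampleHeaders, undefined));
```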

Does the Delaware Data Privacy Law apply to your organization?

Delaware’s privacy law is much like the equivalent data privacy regulations enacted so far in other states in that it applies to persons that:

  • Conduct business in the state; or
  • Produce products or services targeted to residents of the state;

and that, during the preceding calendar year, did either of the following:

  • Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction (this is the lowest threshold so far in any U.S. state privacy act); or
  • Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data.

Note: The Delaware Personal Data Privacy Act applies to any institution of higher education. It generally also applies to nonprofit organizations if they meet the above thresholds (so far the only other state privacy acts that do not exempt nonprofits are the Colorado Privacy Act and the Oregon Consumer Privacy Act).

Organizations exempt from Delaware’s Data Privacy Law

  • Delaware state bodies (regulatory, administrative, advisory, executive, appointive, legislative or judicial) and state political subdivisions, including agencies, boards, bureaus and commissions of the state or its political subdivisions; and
  • Financial institutions and their affiliates to the extent these organizations are subject to the Gramm-Leach-Bliley Act.

Personal data exempt from Delaware’s Data Privacy Law

Additionally, controllers and processors that comply with the verifiable parental consent requirements of the Children’s Online Privacy Protection Act (COPPA) will be deemed compliant with the obligation under Delaware privacy law to obtain parental consent concerning a consumer who is a child.

Delaware Privacy Law compliance obligations for controllers

Delaware’s privacy law defines a ‘controller’ as “a person that, alone or jointly with others, determines the purpose and means of processing personal data” and requires a controller to:

  • Limit collection of personal data to what is “adequate, relevant and reasonably necessary” for the purposes disclosed to the consumer. Any other processing of personal data, including sensitive personal information, requires the consumer’s prior consent or, in the case of a known child, the consent of their parent or guardian.
  • Not process the personal data of a young consumer aged 13 or older and under 18 for the purposes of targeted advertising, or sell it, without their consent.
  • Not process personal data in violation of Delaware state laws or federal laws prohibiting unlawful discrimination.
  • Protect personal data with reasonable data security practices appropriate to the volume and nature of the personal data at issue.
  • Provide an effective and easy-to-use mechanism for a consumer to revoke previously given consent and stop processing the data within 15 days. The mechanism for a consumer to revoke consent must be at least as easy as the consent mechanism they used previously.
  • Not discriminate against a consumer for exercising their consumer privacy rights.
  • Respond to a consumer’s request to exercise their consumer privacy rights within 45 days.
    The information given to the consumer in response must be provided free of charge, but a controller only needs to provide it free once per consumer in any 12-month period. For excessive, repetitive or unfounded requests a controller can charge a reasonable fee to cover administrative costs, or reject the request, but the burden of proving the request is excessive, repetitive or unfounded is on the controller.
    A controller may also extend the response period by another 45 days “when reasonably necessary, considering the complexity and number of the consumer’s requests”, but only if it notifies the consumer of the need for the extension within the first 45-day response period. Consumers may appeal rejected requests, and controllers in turn must respond to appeals within 60 days.
  • Provide a clear and conspicuous link on the controller’s website to a webpage where a consumer (or their agent) can opt out of having their personal data sold or used for targeted advertising.
    Remember: universal opt-out signals must be acted on from January 1, 2026.
  • Provide a privacy notice that is reasonably accessible, clear and meaningful that includes:
    • Categories of personal data processed
    • Categories of personal data shared with third parties (if any) and the categories of third parties with which the controller shares personal data
    • Purpose for processing personal information
    • Information on how consumers may exercise their consumer privacy rights, including how they can appeal a controller’s decision about a data rights request
    • One or more secure and reliable means for consumers to submit a request to exercise their consumer privacy rights, which takes into account the ways consumers normally interact with the controller; and
    • Online mechanism or active email address consumers can use to contact the controller.

Delaware Privacy Law compliance requirements for processors

Any processor engaged by a controller to process Delawareans’ personal information is required to enter a binding written contract governing the processor’s activities on behalf of the controller. The contract must set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties.

Data Protection Assessments

If a controller controls or processes the personal data of more than 100,000 Delaware consumers, excluding data that is controlled or processed only for payment transactions, it is also obliged to conduct and document a regular data protection assessment for each processing activity that presents a heightened risk of harm to the consumer.

Data protection assessments must be performed where personal data is to be sold, or processed for targeted advertising or profiling. Each assessment must weigh the benefits of the processing activity against the risk of harm to the consumer.

Enforcement for violations of the Delaware Personal Data Privacy Act

The Delaware Department of Justice (DDoJ) has exclusive authority to investigate and prosecute violations of the Act.

Delawareans do not have a private right of action.

Up until December 31, 2025, if the DDoJ issues a notice of violation it must give the accused party up to 60 days to cure the violation if it determines the violation is curable. Then from January 1, 2026, the DDoJ may choose to offer a cure period at its discretion.

The DDoJ can initiate court actions to pursue orders against any controller or processor found to have wilfully violated the Delaware Personal Data Privacy Act, with civil penalties of $10,000 for each deliberate violation.

TrustArc resources for compliance with U.S. State Privacy Laws

TrustArc offers several resources to help organizations keep up to date with existing and emerging state privacy laws in the U.S, including:

Automate your compliance program

Use PrivacyCentral to streamline privacy compliance across all relevant jurisdictions.

Nymity Research

Stay up to date on hundreds of global privacy laws, regulations, and standards.