Delaware Enacts Personal Data Privacy Act

Delaware Gov. John Carney on Sept. 11 signed into law House Bill 154, the Delaware Personal Data Privacy Act. This makes Delaware the 12th state to enact a comprehensive consumer data privacy law, following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, and Oregon. The Act will go into effect Jan. 1, 2025.

APPLICABILITY

The Act applies to persons that conduct business in Delaware or persons that produce products or services that are targeted to residents of Delaware and that during the preceding calendar year did any of the following:

  1. Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
  2. Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data.

EXEMPTIONS

Exemptions include, but are not limited to:

  1. Any financial institution or affiliate of a financial institution, all as defined in 15 U.S.C. 6809, to the extent that the financial institution or affiliate is subject to Title V of the Gramm Leach Bliley Act and the rules and implementing regulations promulgated thereunder;
  2. Data subject to the Gramm Leach Bliley Act and the rules and implementing regulations promulgated thereunder;
  3. Protected health information under HIPAA;
  4. Activities regulated by the Fair Credit Reporting Act.

CONSUMER RIGHTS

Consumers have the right to:

  1. Confirm processing of their personal data and access such data;
  2. Correct inaccuracies, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data;
  3. Delete personal data provided by, or obtained about, the consumer;
  4. Obtain a copy of the consumer’s personal data processed by the controller;
  5. Obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data;
  6. Opt out of processing for the purpose of targeted advertising, sale, or profiling.

SENSITIVE PERSONAL INFORMATION

Sensitive personal data may not be processed without the consumer’s consent or, in the case of a known child, without first obtaining consent from the child’s parent or lawful guardian and otherwise complying with the Delaware Online Privacy and Protection Act, specifically Del. Code Ann. tit. 6, § 1204C.

Sensitive Data means personal data that includes any of the following:

  1. Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, citizenship status, or immigration status.
  2. Genetic or biometric data.
  3. Personal data of a known child.
  4. Precise geolocation data.

CONTRACT REQUIREMENTS

A contract between a controller and processor must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties, and must:

  1. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.
  2. At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.
  3. Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in this chapter.
  4. After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data.
  5. Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor.

DATA PROTECTION ASSESSMENTS

A controller that controls or processes the data of not less than 100,000 consumers must conduct and document on a “regular basis” a data protection assessment for processing activities that present a heightened risk of harm to a consumer, including:

  1. Processing for the purpose of targeted advertising;
  2. Processing for the purpose of selling personal data;
  3. Processing for the purpose of certain profiling; and
  4. Processing sensitive data.

The “100,000 consumers” threshold excludes data controlled or processed solely for the purpose of completing a payment transaction.

ENFORCEMENT

The Act does not create a private right of action. A violation is an unlawful practice under Del. Code Ann. tit. 6, § 2513 and can be enforced solely by the Attorney General pursuant to Del. Code Ann. tit. 6, § 2522. Provided a person cannot cure a violation within 60 days, the Attorney General may seek injunctive relief and a civil penalty of not more than $10,000 for each willful violation. The opportunity to cure provision expires Dec. 31, 2025.

For a chart comparing the state comprehensive data privacy acts, and more information and insight from Maurice Wutscher on data privacy and security laws and legislation, click here.

 

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/
