Not-So-First State: Delaware Becomes Twelfth State to Enact Data Privacy Legislation
On September 12, 2023, Delaware governor John Carney signed the Delaware Personal Data Privacy Act (the “DPDPA” or the “Act”) into law. The DPDPA protects the privacy rights of consumers in Delaware and regulates the collection, use, and disclosure of personal data by businesses that conduct business in or target Delaware. The DPDPA follows the model of the Virginia Consumer Data Protection Act, which also influenced other major state data privacy laws, like the Texas Data Privacy and Security Act.
To comply with the DPDPA, covered businesses will need to update and expand their privacy policies, inventory data that they collect, conduct a data protection assessment before processing certain data, and implement data processing agreements with vendors. These steps may be time intensive and require coordination between different business units.
The Act takes effect on January 1, 2025.
The DPDPA applies to businesses that (i) conduct business in Delaware or produce products or services targeted to Delaware residents and (ii) meet one or more of the following thresholds:
- Control or process the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- Control or process the personal data of not less than 10,000 consumers and derive more than 20% of their gross revenue from the sale of personal data.
Like the Virginia and Texas laws, the DPDPA excludes individuals acting in a commercial or employment context from the definition of “consumer.” The DPDPA also exempts information protected by other federal data legislation, including the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act.
Data Controllers and Processors
The Act imposes different obligations on “controllers” and “processors.” A “controller” is a person that determines the purpose and means of processing personal data, while a “processor” is a person that processes personal data on behalf of a controller.
A controller must limit the collection and use of personal data to what is necessary and compatible with the disclosed purposes, obtain consent for processing sensitive data or selling personal data, provide a privacy notice and a mechanism for consumers to exercise their rights, and not discriminate against consumers who exercise their rights. A processor must adhere to the instructions of a controller and assist the controller in meeting its obligations, as well as ensure the confidentiality and security of personal data.
The Act requires that controllers enter into contracts with processors that govern the processing of personal data. The contracts must clearly state the instructions, nature, purpose, type, duration, and rights and obligations of both parties with respect to the processing of personal data. The contracts must also require the processor to comply with certain conditions, such as deleting or returning personal data at the controller’s direction, providing information to demonstrate compliance, giving the controller an opportunity to object before engaging subcontractors, and allowing assessments by the controller or an independent assessor.
The Act also addresses the use of dark patterns, which are user interfaces or practices that manipulate or impair user autonomy, decision-making, or choice. The Act prohibits the use of dark patterns to obtain consent for processing personal data and defines consent as a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement. The Act also requires that any platform, technology, or mechanism that functions as an agent for consumers to opt out of the processing of their personal data for certain purposes — e.g., targeted advertising or sale of personal data — must not unfairly disadvantage other controllers, make use of a default setting, or be difficult to use by the average consumer.
Personal Data Rights
The Act grants consumers several rights with respect to their personal data, including the right to:
- Confirm whether a controller is processing their personal data and access such data, unless it would reveal a trade secret.
- Correct inaccuracies in their personal data.
- Delete personal data provided by or obtained about them.
- Obtain a copy of their personal data in a portable and usable format.
- Obtain a list of the categories of third parties to which the controller has disclosed their personal data.
- Opt out of the processing of their personal data for targeted advertising, sale of personal data, or profiling that produces legal or significant effects.
Consumers may exercise their rights by a secure and reliable means established by the controller, or by designating an authorized agent, such as a platform, technology, or mechanism, to opt out of certain processing on their behalf. Controllers must respond to consumer requests without undue delay and may charge a reasonable fee or decline to act on requests that are manifestly unfounded, excessive, or repetitive. Controllers must also provide a process for consumers to appeal their decisions and contact the Delaware Department of Justice to submit a complaint.
The Act defines sensitive data as personal data that includes any of the following:
- Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, status as transgender or nonbinary, citizenship status, or immigration status.
- Genetic or biometric data.
- Personal data of a known child.
- Precise geolocation data.
The Act requires controllers to obtain consent for processing sensitive data or, in the case of a known child, consent from the child’s parent or legal guardian. The Act also requires controllers to comply with the Children’s Online Privacy Protection Act of 1998 and the Delaware Online Privacy and Protection Act with respect to the processing of personal data of children.
In contrast to other state data privacy acts, the Act also specifically protects children below the age of 18. A controller may not sell or use for targeted advertising the personal data of an individual that it knows or willfully disregards is at least 13 years of age but younger than 18 without the consumer’s consent, nor may it do the same for the data of children younger than 13 without parental consent.
Data Protection Assessments
The Act requires controllers that process the data of not less than 100,000 consumers, excluding data processed solely for completing a payment transaction, to conduct and document data protection assessments for each of their processing activities that present a heightened risk of harm to consumers. Such activities include:
- processing personal data for targeted advertising,
- sale of personal data,
- profiling that produces legal or significant effects, or
- processing sensitive data.
Data protection assessments must identify and weigh the benefits and risks of the processing, as well as the safeguards that can be employed to reduce the risks, taking into account the use of de-identified data, the reasonable expectations of consumers, and the context and relationship of the processing. The Attorney General may require a controller to disclose a data protection assessment that is relevant to an investigation and may evaluate the assessment for compliance with the Act.
Sale of Personal Data
The Act regulates the sale of personal data by requiring controllers to obtain consent from consumers before selling their personal data, to disclose such processing in a clear and conspicuous manner, and to provide a way for consumers to opt out of the sale of their personal data. The Act defines the sale of personal data as the “exchange of personal data for monetary or other valuable consideration by the controller to a third party,” excluding certain disclosures that are necessary for or consistent with the provision of a product or service requested by the consumer or the relationship between the controller and the consumer, and excluding the transfer of personal data as part of a merger, acquisition, bankruptcy, or similar transaction. The Act also prohibits controllers from selling personal data without parental consent if the consumer is younger than 13, or without the consumer’s consent if the controller has actual knowledge of, or willfully disregards, that the consumer is at least 13 but younger than 18 years of age.
The DPDPA is enforced by the Delaware Department of Justice, which has the authority to investigate and prosecute violations of the Act in accordance with its consumer protection duties. If the Department of Justice determines that a violation occurred but may be cured, it must issue a notice of violation to the controller and give the controller an opportunity to cure the violation within 60 days, before initiating an enforcement action. The 60-day cure period is no longer mandatory for curable violations after December 31, 2025. After that date, the Delaware Department of Justice may consider various factors, such as the number and nature of violations, the size and complexity of the controller, and the likelihood and extent of harm to consumers, in determining whether to grant a cure period to the controller. The Act does not provide a private right of action for consumers or any other person. Instead, a violation of the Act is deemed an “unlawful practice” under Delaware’s consumer fraud legislation, enforceable by the Delaware Department of Justice.
V&E assists clients in identifying, managing, and mitigating data privacy and cybersecurity risks, from early planning and assessment to managing incident response and resulting litigation.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.