Delaware Becomes 12th State to Enact a Comprehensive Data Privacy Law
Delaware is the latest state to enact a comprehensive data privacy law, which creates unique compliance challenges and risks for companies.
On September 11, 2023, Delaware Governor John Carney signed House Bill No. 154, referred to as the Delaware Personal Data Privacy Act ("DPDPA"), making Delaware the 12th state to enact a comprehensive data privacy law along with California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, and Oregon. The law becomes effective on January 1, 2025.
Notable provisions include:
- The DPDPA will apply to entities that conduct business in Delaware or target products or services to Delaware consumers, and either: (i) control or process personal data of at least 35,000 Delaware consumers; or (ii) control or process the personal data of at least 10,000 Delaware consumers and derive more than 20% of gross revenue from its sale.
- Delaware defines personal data as "any information that is linked or reasonably linkable to an identified or identifiable individual, and does not include de-identified data or publicly available information." It also joins Oregon in including transgender or non-binary status in its definition of "sensitive data."
- The term "consumer" is narrowly defined to mean an individual residing in Delaware but does not apply to individuals who act in a commercial or employment context.
- Like Colorado and Oregon, the DPDPA generally applies to nonprofit organizations, with two exemptions: (i) those serving individuals who are victims of or witnesses to child abuse, sexual assault, stalking, domestic violence, or human trafficking; and (ii) those that aim to prevent or address insurance crime.
- The DPDPA provides both entity-level and data-level exemptions for financial institutions and information subject to the Gramm-Leach-Bliley Act ("GLBA"). In other words, if GLBA applies, then the entire company and the data it maintains are outside the scope of the DPDPA.
- In contrast, the DPDPA provides only data-level exemptions to organizations regulated by the Health Insurance Portability and Accountability Act, Fair Credit Reporting Act, Farm Credit Act, and Driver's Privacy Protection Act.
- The Delaware Department of Justice is exclusively responsible for enforcing the DPDPA. The law is silent regarding the penalties for violating the DPDPA, but it refers to Subchapter II of Chapter 25 of Title 29, which provides civil penalties of up to $10,000 for each "willful" violation of that section.
- Like Oregon and Colorado, the DPDPA also includes a 60-day cure period for violations; this cure period expires on December 31, 2025.
- There is no private right of action for individuals to sue for violations.
Companies should continue to evaluate their current data collection and privacy practices in light of the new data privacy law and other state privacy law regimes.