On June 30, 2023, the Delaware Personal Data Privacy Act (DPDPA) was passed by the House and Senate and subsequently sent to the Governor of Delaware for signature. The DPDPA becomes the seventh comprehensive privacy act passed this year and follows on from Oregon which recently passed its own privacy law.
The DPDPA holds similar requirements to several US privacy laws meaning that businesses that are covered by the DPDPA will likely have encountered the provisions in their existing privacy programs, including privacy notices, data protection assessments, and consent requirements. Let’s take a closer look at the DPDPA’s provisions.
Scope of application
The scope of the DPDPA is similar in many respects to that found under other US privacy laws however its application thresholds are lower than those found in comparable laws.
The DPDPA will apply to entities that conduct business in Delaware or that produce products or services that are targeted to residents of Delaware and meet one of the following criteria during the preceding calendar year:
Controlled or processed the personal data of more than 35,000 consumers (excluding payment transactions)
OR
Controlled or processed the personal data of more than 10,000 consumers and derived more than 20% of gross revenue from the sale of personal data
Unlike Oregon’s scope of application, the DPDPA does include an entity-level exemption for businesses covered by the Gramm-Leach-Bliley Act (GLBA). As for the Health Insurance Portability and Accountability Act (HIPAA), there is only a data-level exemption for protected health information. Additionally, there is not a blanket non-profit exemption, however, there are two scenarios whereby non-profit organizations are exempt. These are:
- Non-profit organizations that are dedicated exclusively to preventing and addressing insurance crime
- Non-profit organizations that provide services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking
Key requirements
For businesses that are covered by the DPDPA, there are several key requirements that they will need to meet for compliance. However, these requirements – which include data protection assessments, transparency requirements, and consumer rights – are all now commonplace across the US state privacy landscape.
Sensitive data
“Sensitive data” is specifically defined under the DPDPA and includes the following types of information that reveal:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health condition or diagnosis (including pregnancy)
- Sex life
- Sexual orientation
- Status as transgender or nonbinary
- Citizenship or immigration status
- Genetic or biometric data
- Children’s data
- Precise geolocation data
Businesses will be prohibited from processing sensitive data without first obtaining valid consent from the individual or a parent/guardian in the case of a child.
Valid consent
Ensuring valid consent is collected from consumers will be crucial for businesses looking to comply with the DPDPA. Under the law, valid consent is defined as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer.”
Consent must be given as an unambiguous affirmative action and cannot be considered valid if it has been obtained through the use of dark patterns defined as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice” or interfaces that fall under the FTC definition of a dark pattern. Additionally, consent cannot be considered valid if it has been collected within a broader set of terms and conditions, or via hovering over, muting, pausing, or closing a given piece of content.
Consumer rights
Consumer rights under the DPDPA align closely with those found across US state privacy laws. Consumers will have the following rights:
- Right to confirm processing
- Right to access personal data
- Right to correction
- Right to deletion
- Right to data portability
- Right to obtain a list of the categories of third parties to which personal data has been disclosed
- Opt out of the processing of personal data for purposes of any of the following activities:
- Targeted advertising
- Sale of personal data
- Profiling
Businesses will be required to provide a clear and conspicuous link opt-out link on websites and other web properties allowing consumers to exercise their rights. The DPDPA will also require businesses to honor universal opt-out signals such as the Global Privacy Control (GPC).
Businesses will have 45 days to respond to consumer rights requests with the possibility of a 45-day extension.
Privacy notice
Businesses will need to present consumers with a reasonably accessible, clear, and meaningful privacy notice to comply with transparency obligations under the DPDPA.
A privacy notice in Delaware should include:
- Categories of personal data processed
- Purposes of processing
- How consumers can exercise their rights
- Categories of personal data shared with third parties
- Categories of third parties with which personal data is shared
- Contact details of the controller
Data protection assessments
There are data protection assessment requirements under the DPDPA for businesses that control or process the personal data of more than 100,000 consumers. Businesses will be required to document data protection assessment for each of the processing activities that present a heightened risk of harm. This includes processing personal data for targeted advertising, the sale of personal data, processing personal data for profiling, and processing sensitive data.
Within a data protection assessment, businesses must identify and weigh the benefits of the processing activity against the risk of harm it presents to the consumer. The DPDPA also allows a single data protection assessment for comparable sets of processing operations, and data protection assessments completed in line with other similar privacy laws can be considered valid in Delaware.
Enforcement
The Delaware Department of Justice will be the authority charged with implementing and enforcing the DPDPA and will investigate and prosecute violations of the law.
The DPDPA includes a 60-day cure period for businesses found to have violated the law. This cure period provision will sunset on December 31, 2025, and from January 1, 2026, the cure period in Delaware will be discretionary.
Violations of the DPDPA will be considered as an unfair trade practice under Delaware Title 29 Chapter 25 Subchapter II, meaning a maximum of $10,000 can be issued per violation.
How OneTrust help you prepare for the DPDPA
The OneTrust Privacy and Data Governance Cloud offers several solutions to help you prepare for the DPDPA and other US state privacy laws. Data Mapping Automation can help you to find, classify, and map personal data and how it flows through your organization. Your data map can be used to help inform other crucial elements of your DPDPA compliance program, such as fulfilling consumer rights requests through the Privacy Rights Request Automation solution or data protection assessments in the PIA & DPIA Automation solution. The Privacy & Data Governance Cloud also includes Privacy Notice Management to help you ensure that you are presenting consumers with the correct information depending on the jurisdiction that they are in.
Request a demo and speak to an expert to see how the OneTrust Privacy & Data Governance Cloud can help you prepare for the DPDPA and the entire US privacy landscape.
