On June 30, 2023, the Delaware legislature passed the Delaware Personal Data Privacy Act (HB154) ("DPDPA"). Once Governor John Carney signs DPDPA, which he's expected to do, Delaware will become the twelfth state (and seventh in 2023 alone) to enact a comprehensive consumer data privacy law. If DPDPA is enacted on or before January 1, 2024, its requirements will take effect on January 1, 2025. While DPDPA closely resembles last year's Connecticut Data Privacy Act (CTDPA), there are some notable differences stakeholders should be aware of before 2025.
(1) Low Applicability Threshold
Like Connecticut, Virginia, Iowa, and other states, DPDPA applies based on the number of consumers whose data a business collects. However, DPDPA lowers the typical 100,000 consumer threshold to only 35,000 consumers. Delaware has the smallest state population of any state that has yet to enact a consumer data privacy law, so this lower threshold likely reflects Delaware's smaller population.
(2) 60-Day Cure Period
Typically states allow a 30-day cure period, but DPDPA extends the cure period to 60 days. While this longer period may benefit businesses adapting to DPDPA, the cure provision will sunset on December 31, 2025.
(3) Nonprofits Likely Not Exempt
Like Oregon's Consumer Privacy Bill (SB 619), not all nonprofits are exempt from DPDPA. The bill exempts nonprofits in two narrow ways; (1) nonprofit organizations that are "dedicated exclusively to preventing and addressing insurance crime;" and (2) personal data "of a victim of or witness to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking that is collected, processed, or maintained by a nonprofit organization that provides services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking that is collected, processed, or maintained by a nonprofit."
(4) Institutions of Higher Education Not Exempt
DPDPA takes another note from Oregon by not automatically exempting "any institution of higher education." This means that, unlike higher education institutions in most other states with comprehensive privacy laws, higher education institutions in Delaware that meet the act's other applicability thresholds will have to comply with DPDPA.
(5) New Consumer Right: List of the Categories of Third Parties
DPDPA contains the typical consumer rights (confirm, correct, delete, data portability, and opt-out of sale) but notably adds a right to obtain "a list of the categories of third parties to which the controller has disclosed the consumer's personal data." Businesses meeting the applicability threshold should prepare to provide this information upon request.
(6) Age Limit Raised from 16 to 18
In contrast to California, Connecticut, and Montana, which all require opt-in consent to process the personal data of adolescents aged 13-15 for targeted advertising, DPDPA moves the threshold to age 18. Therefore, a business cannot process a consumer's personal data over the age of 13 and under 18 without the consumer's consent.
(7) Definition of "Sensitive Data" Specifically Includes Data Regarding One's Status as Transgender or Nonbinary & a Person's Pregnancy Status
DPDPA defines sensitive data to include "mental or physical health condition or diagnosis (including pregnancy)" and "status as transgender or nonbinary." While the inclusion of a person's status as transgender or nonbinary is also in the Oregon bill, Delaware is the first state to categorize pregnancy as sensitive data. While other states' sensitive data definitions include the phrase "physical health condition" and could be interpreted to include pregnancy, Delaware leaves nothing to chance. The inclusion of pregnancy is likely in response to Roe v. Wade being overturned, and the concern that information regarding one's pregnancy should be subject to heightened protections.
Takeaways
While the DPDPA likely will not go into effect until 2025, companies doing business in Delaware or whose products or services are consumed by Delaware residents should consider the following as a part of their continuing privacy compliance efforts:
- Consider the Data You are Processing. If you are a business that processes personal data of adolescents aged 13-17, data relating to pregnancy, or data about status as transgender or nonbinary, understand the heightened obligations regarding the collection and handling of this sensitive data, and if required, make changes to internal policies, including the collection of appropriate consents where necessary.
- Nonprofits and Institutions of Higher Education, Prepare to Comply. Unless your organization is one of the narrow categories of exempt nonprofits described above, it is likely subject to the DPDPA. Likewise, institutions of higher education should prepare to comply. And given that such organizations will probably collect personal data from applicants that are minors, particular attention should be paid to obtaining appropriate consents.
- Be Able to Produce a List of Third Party Recipients of Personal Data. Companies that disclose personal data to third parties must be prepared to provide consumers a list of such third party categories upon request.
This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.
