Delaware became the 12th state overall to pass privacy legislation and the 7th just this year. Joining Indiana, Iowa, Montana, Oregon, Tennessee, and Texas on the growing list of states with new legislation in 2023, this law mirrors the Connecticut Data Privacy Act with some unique requirements. The Delaware Personal Data Privacy Act will go into effect, pending governor approval, on January 1, 2025.
Let’s look at why Delaware’s privacy law stands out amongst the other states that have passed this year. Most apparent is the threshold for applicability which defines a controller as an organization that derives only 20% of its revenue from selling data, lower than other laws have scoped. The law also lowers the threshold for applicability to take into account the smaller state population.
However, Delaware’s privacy law does have some similarities. Like the Oregon Consumer Privacy Act, the DPDPA does not provide traditional exemptions to non-profits outside of those that “address insurance crime” and the data of victims and witnesses of defined crimes. Furthermore, there is not an exemption for HIPAA-covered organizations but rather an outline for specific health data exemptions. Let’s dive into the most important items in this latest law.
Key Elements of the Delaware Personal Data Privacy Act:
- Scope: This applies to businesses that control or process personal data on more than 35,000 consumers or derive 20% of revenue from selling the data of more than 10,000 consumers.
- Exemptions: State government organizations excluding higher education institutions, specific health data exemptions, GLBA financial institution exemptions at the entity and data levels.
- Consumer Rights: Right to opt out via universal opt-out mechanisms, right to obtain a “list of the categories of third parties to which the controller has disclosed the consumer’s personal data,” does not include a private right of action.
- Authorized Agents: The Delaware Attorney General may publish a list of authorized agents.
- Children’s Rights: Requires consent to process data from consumers ages 13-18.
- Sensitive Data: Inclusive of genetic and biometric data, including gender identity.
- Opt-Out: Requires controllers to recognize universal opt-out mechanisms by January 1, 2026, but does not require those opt-outs to be authenticated.
- Privacy Assessments: Assessments are required for “processing activities created or generated on or after six months after the law’s effective date.”
- Cure Period: Contains a 60-day cure provision that sunsets December 31, 2025.
- Enforcement: The Delaware Attorney General will enforce, but no private right of action is incorporated.
If you have any questions about how Truyo can help you in preparing for the onslaught of new laws, please reach out to hello@truyo.com or click here to schedule a demo of the full suite of Truyo privacy products.
About Ale Johnson
Ale Johnson is the Marketing Manager at Truyo.