US - Delaware becomes the 12th State to enact a comprehensive privacy law
The Delaware Governor recently signed the Delaware Personal Data Privacy Act (DPDPA) into law, bringing to an even dozen the number of U.S. states that have enacted general privacy laws.
The DPDPA is modeled on the Virginia/Colorado/Connecticut general privacy law framework and also has substantial similarities with the recently passed Oregon Consumer Privacy Act (OCPA). However, Delaware’s law incorporates its own unique elements that go beyond the existing state privacy laws, such as a broader definition of sensitive personal data (which means having to get opt-in consent for more processing activities), recognition of opt-out preference signals, and tighter restrictions around sales and targeted advertising for older teenagers. These Delaware nuances further add to the complexity of navigating the ever-expanding patchwork of U.S. state general privacy laws and will require companies to augment their existing compliance programs.
Scope of Applicability
The DPDPA applies to businesses that (i) conduct business in the state of Delaware or produce products or services targeted to residents of the state, and (ii) either (a) process or control the personal data of at least 35,000 Delaware residents or (b)(x) process or control the personal data of at least 10,000 Delaware residents and (y) derive more than 20% of their gross revenue from the sale of personal data. Unlike the CCPA (California), there is no separate threshold under the DPDPA that could be triggered based solely on annual revenue.
Also unlike the CCPA, the Delaware law excludes from the definition of “consumer” individuals acting in a commercial or employment context, leaving California as the only state whose general privacy law covers personal data in the HR/employment and B2B contexts.
Unlike most other state privacy laws, the DPDPA even applies to nonprofit organizations, except for a narrow slice of nonprofits whose mission is to combat insurance crime. As such, Delaware will join Colorado and Oregon as the only three states (thus far) to extend their general privacy laws to nonprofits.
Notably, unlike some state laws, the DPDPA does not contain an entity-level exemption for HIPAA “covered entities” or “business associates”; rather, the DPDPA more narrowly provides exemptions in that area at the data level, including with respect to “protected health information under HIPAA”.
The DPDPA provides consumers with the same core rights as the other state laws, upon authentication, with respect to their personal data. Namely, these are the right to access, right to delete, right to data portability, and the right to correct.
The DPDPA, like the CCPA, also gives consumers the right to request information about the categories of third parties to whom their personal data was disclosed; this distinguishes Delaware and California from the other states and means a slightly higher compliance burden here.
Like the other state laws, the DPDPA also provides consumers with the rights to opt out of targeted advertising, the sale of their personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer. Under the DPDPA, such opt-out requests do not need to be authenticated, although a controller can deny such a request under either if it believes, reasonably and in good faith, that the request is fraudulent.
Significantly, the DPDPA requires controllers to comply with opt-out preference signals (sent by a platform, technology, or mechanism) indicating a consumer’s intent to opt out of the sale of personal data and/or the processing of personal data for targeted advertising. Such obligation goes into effect on January 1, 2026, one year after the effective date of the law. This means that roughly half of the state laws will require businesses to respond to global privacy controls and similar browser-based signals.
Broader Definition of Sensitive Data Following the Virginia/Colorado/Connecticut model, the DPDPA requires affirmative opt-in consent for the processing of sensitive data. The definition of “sensitive data” includes any of the following:
(a) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or non-binary, citizenship status, or immigration status;
(b) genetic or biometric data;
(c) personal data of a known child; or
(d) precise geolocation data.
Notably, the DPDPA is slightly broader in its definition of sensitive data. Similar to Oregon, Delaware’s law explicitly includes status as transgender or nonbinary as a sensitive data category. Moreover, the DPDPA is unique in explicitly listing pregnancy as an enumerated physical health condition.
Tighter Restrictions Around Teenagers
The DPDPA prohibits the processing of a consumer’s personal data for targeted advertising or the selling of a consumer’s personal data without the consumer’s consent, if the controller has actual knowledge or willfully disregards that the consumer is at least 13 years of age but younger than 18 years of age.
This prohibition under the DPDPA follows the structural model of Connecticut’s, California’s, and Montana’s laws, but Delaware goes further by extending the prohibition to 16- and 17-year-olds (while such other laws apply their prohibitions only up to 16 years of age).
The DPDPA provides that an agreement obtained through the use of “dark patterns” does not constitute valid consent. Under the DPDPA, the definition of a “dark pattern” includes not only the relatively customary formulation of “a user interface designed or manipulated with the substantial effect of subverting or impairing a consumer’s autonomy, decision-making, or choice”, but also any other practice that the U.S. Federal Trade Commission refers to as a dark pattern.
Data Protection Risk Assessments
The DPDPA requires certain controllers – those that control or process the personal data of 100,000 or more consumers (excluding data controlled or processed solely for the purpose of completing a payment transaction) – to conduct and document a data protection assessment for each of their processing activities that presents a heightened risk of harm to a consumer. Under the DPDPA, such “heightened risk of harm” processing activities include, without limitation, targeted advertising, sale of personal data, profiling that presents any one of several enumerated reasonably foreseeable risks to consumers, and processing of sensitive data. Notably, the threshold number of consumers represents approximately 10% of Delaware’s population.
Cure Periods, Enforcement, and Damages
The DPDPA provides a 60-day cure period to correct violations following receipt of notice of the violation from the state attorney general’s office; such cure period sunsets on December 31, 2025, although the DPDPA provides that, beginning on January 1, 2026, the state regulators will have the discretion whether to provide the opportunity to cure an alleged violation. The DPDPA does not include a private right of action. This means that California still remains the only general state privacy law with a private right of action (albeit a limited one, at that). The DPDPA will go into effect on January 1, 2025.
The recent passage of the DPDPA marks the twelfth state general privacy law, with over half of these laws emerging within the past six months. This rapid proliferation has significantly amplified the complexity of an already intricate legal and regulatory tapestry. Whether you need insights into your specific obligations under these laws or assistance in constructing a robust compliance program, the Linklaters team has substantial experience and is available to assist your organization.