The Delaware Personal Data Privacy Act (DPDPA): 5 things you should know about this new privacy law
Posted: October 14, 2024
On January 1, 2025, Delaware’s new “comprehensive privacy law”, the Delaware Personal Data Privacy Act (DPDPA), takes effect. This new law will impact many Delaware businesses – and even nonprofits. Here are five things you need to know about the DPDPA.
1 – How the DPDPA applies
A company is a “controller” and covered by the DPDPA if it conducts business in Delaware, or provides products or services to consumers in Delaware, and in the past calendar year, controlled or processed the personal data of:
- At least 35,000 Delaware consumers (except personal data controlled or processed solely to complete a payment transaction).
- At least 10,000 Delaware consumers, if the company derives at least 20% of its gross revenue from the sale of personal data.
This is a relatively low application threshold compared to most comprehensive state privacy laws. But like other such laws, the DPDPA provides many exemptions. For example:
- State and federal government bodies
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
The law also exempts data processed subject to certain other laws, including:
- The Health Insurance Portability and Accountability Act (HIPAA)
- The Driver’s Privacy Protection Act (DPPA)
- Various health research-related laws
The DPDPA also does not apply to a company in respect of its employees or business contacts.
Notably, Delaware opted not to exempt nonprofits from the DPDPA, except for nonprofits providing services to “victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking.”
2 – The DPDPA’s consumer privacy rights
The DPDPA provides Delaware consumers with new rights over their personal data, including the right to:
- Confirm whether a controller is processing their personal data
- Access their personal data (unless access would reveal a trade secret)
- Obtain a list of third parties to which personal data was disclosed
- Correct inaccuracies in their personal data
- Delete their personal data
- Obtain a portable and “readily useable” copy of their personal data
- Opt-out of:
- The sale of personal data
- Targeted advertising
- Certain forms of profiling
The DPDPA will require controllers to recognize “universal opt-out mechanisms” – device or browser-level technology allowing consumers to opt out of certain uses of their personal data on every website or app.
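As an added example that is not part of the original post: the most widely deployed universal opt-out mechanism today is Global Privacy Control (GPC), which participating browsers and extensions send on every request as the header `Sec-GPC: 1` (and expose to page scripts as `navigator.globalPrivacyControl`). The post does not name a specific mechanism, so treating GPC as the one a Delaware controller must honor is an assumption here; the code below shows how a server can detect the signal and map it onto the sale and targeted-advertising opt-outs while leaving a consumer's stored preferences intact.

```javascript
// Added example (not from the original post): recognising a browser-level
// universal opt-out signal on the server. Assumes the signal is Global Privacy
// Control (GPC), sent by browsers as the request header "Sec-GPC: 1"; the post
// does not name a specific mechanism, so treating GPC as the recognised one is
// an assumption.

// Normalise a headers object (Node's IncomingMessage.headers uses lower-case
// keys; other frameworks may not) into a lower-cased lookup of single values.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = Array.isArray(value) ? value[0] : String(value);
  }
  return out;
}

// GPC is a boolean signal: only the exact value "1" means "opt out". Any other
// value (absent, "0", "true", "yes") is ignored, as the GPC spec requires.
function gpcSignalled(headers) {
  const h = normalizeHeaders(headers);
  return (h['sec-gpc'] || '').trim() === '1';
}

// Combine the consumer's stored preferences with the request-time signal.
// GPC expresses "do not sell or share my data", so it maps onto the sale and
// targeted-advertising opt-outs; it says nothing about profiling, which
// therefore follows the stored preference only. Opt-outs only accumulate: a
// later request without the header must not re-enable an earlier opt-out.
function effectiveOptOuts(storedPrefs, headers) {
  const stored = { sale: false, targetedAds: false, profiling: false, ...storedPrefs };
  const gpc = gpcSignalled(headers);
  return {
    sale: stored.sale || gpc,
    targetedAds: stored.targetedAds || gpc,
    profiling: stored.profiling,
    source: gpc ? 'gpc-header' : 'stored-preference',
  };
}

// Gate a processing activity for this request. Unknown activities are rejected
// loudly rather than silently allowed.
function mayProcess(activity, storedPrefs, headers) {
  const opt = effectiveOptOuts(storedPrefs, headers);
  switch (activity) {
    case 'sale': return !opt.sale;
    case 'targetedAds': return !opt.targetedAds;
    case 'profiling': return !opt.profiling;
    default: throw new Error(`unknown activity: ${activity}`);
  }
}

// Constructed sample requests (not real traffic) covering the signal, its
// absence, and a malformed value that must not count as an opt-out.
const sampleRequests = [
  { name: 'gpc browser', headers: { 'Sec-GPC': '1', 'user-agent': 'example' } },
  { name: 'no signal', headers: { 'user-agent': 'example' } },
  { name: 'bad value', headers: { 'sec-gpc': 'true' } },
];

function demo() {
  return sampleRequests.map((r) => ({
    name: r.name,
    allowAdTargeting: mayProcess('targetedAds', {}, r.headers),
  }));
}

console.log(demo());
```

In practice the decision from `effectiveOptOuts` should be recorded against the consumer's profile when they are identified, so that the opt-out persists across devices that do not send the header; the signal alone only covers the session in which it arrives.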
Controllers must respond to a consumer privacy request “without undue delay” and within 45 days, with a 45-day extension available when reasonably necessary.
Consumers can make a request once every 12 months, and controllers must not charge a fee to comply with the request unless it is manifestly unfounded, technically infeasible, excessive, or repetitive.
Controllers must make “commercially reasonable efforts” to verify a consumer’s identity.
The consumer may appeal a controller’s response to their request within a reasonable time. The controller must respond to the appeal within 45 days, providing a reason for the decision. Following this internal appeal process, the consumer may file a complaint with the Delaware Attorney General.
3 – How the DPDPA defines ‘Sensitive data’
The DPDPA prohibits controllers from processing “sensitive data” without opt-in consent. The law defines “sensitive data” as follows:
- Personal data revealing a consumer’s:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical condition or diagnosis (including pregnancy)
- Sex life
- Sexual orientation
- Status as transgender or nonbinary
- National origin
- Citizenship status
- Immigration status
- Genetic or biometric data
- Personal data of a known child
- Precise geolocation data
4 – What to include in a DPDPA privacy notice
Controllers must maintain a “reasonably accessible, clear, and meaningful privacy notice” that discloses:
- The categories of personal data and sensitive data processed by the controller.
- The purpose for processing personal data.
- An explanation of the consumer rights and appeal process.
- The categories of personal data and sensitive data the controller shares with third parties, if any.
- The categories of third parties with which the controller shares personal data.
- An active email address or another online mechanism by which the consumer may contact the controller.
- If the controller sells personal data or engages in targeted advertising, a disclosure that the controller engages in these activities and a description of how to opt out.
- The methods designated for consumers to exercise their consumer rights.
5 – When to conduct a data protection assessment
Like other state privacy laws, the DPDPA requires controllers to undertake a “data protection assessment” before carrying out certain data-related activities. However, this obligation only applies to controllers who process personal data about at least 100,000 Delaware consumers.
A controller must undertake and document a data protection assessment before carrying out the following activities:
- Targeted advertising
- Selling personal data
- Profiling that presents a reasonably foreseeable risk of:
- Unfair or deceptive treatment or unlawful disparate impact
- Financial, physical, or reputational injury
- A reasonably offensive intrusion on solitude or seclusion or private affairs or concerns
- Other substantial injury to consumers
- Processing sensitive data
A data protection assessment must identify and weigh:
- The benefits that arise for the controller, the consumer, other stakeholders, and the public, against
- The potential risks to the rights of the consumer, taking possible safeguards and mitigations into account
The Delaware Attorney General can demand a copy of a controller’s data protection assessment.