In an era where personal data, namely personally identifiable information and protected health information (PII/PHI), protection has become paramount, the introduction of the Delaware Personal Data Privacy Act (DPDPA) marks the latest chapter in the United States’ legislative narrative surrounding data privacy. As the seventh comprehensive state privacy act to be passed in 2023 (at this time, there is no national data privacy law in the U.S.), the DPDPA dictates certain business practices such as privacy notifications, data safeguards, and consent stipulations. This article aims to provide an in-depth examination of the DPDPA’s stipulations.
Overview of the Delaware Personal Data Privacy Act
The Delaware Personal Data Privacy Act (DPDPA) joins the growing list of state data privacy protection laws in the U.S., providing comprehensive data protection rights to consumers. The DPDPA applies to entities conducting business in Delaware, or producing goods or services aimed at Delaware’s residents. Businesses must comply if they meet either of the two following criteria:
- They have controlled or processed personal data of more than 35,000 consumers, or
- They processed personal data of over 10,000 consumers and derived more than 20% of their revenue from selling personal data.
Unlike other state data privacy laws, the DPDPA does not grant universal exemptions for entities covered under the Health Insurance Portability and Accountability Act (HIPAA), nor does it offer a broad exception for nonprofit organizations. The DPDPA does, however, provide an entity-level exemption for businesses covered by the Gramm-Leach-Bliley Act (GLBA), presumably to avoid redundancy and over-regulation.
Like the Colorado, Connecticut, and Oregon state data privacy laws, the DPDPA stipulates an opt-in process for handling sensitive data, recognizes opt-out preference signals, and mandates an opt-out provision for profiling linked to solely automated decisions capable of producing legal or similarly crucial effects on consumers.
Definition of Sensitive Data Under DPDPA
According to the DPDPA, “sensitive data” refers to specific types of information that include:
- An individual’s racial or ethnic origins
- Their religious beliefs
- Their mental or physical health conditions, including whether they are pregnant or not
- Details about their sex life
- Their sexual orientation
- Their status as transgender or nonbinary
- Citizenship or immigration status
- Any genetic or biometric data they might have
- Any data related to children
- Precise geolocation data
It’s worth noting the DPDPA requires businesses to obtain valid consent from a state resident (or a parent/guardian in the case of a child’s data) before processing any sensitive data.
This broad definition of sensitive data reflects a shift in other state privacy laws, including novel elements like data on transgender or nonbinary status, and genetic data. In addition, the DPDPA is one of the few state privacy laws that explicitly deem pregnancy status as a part of sensitive data, making its definition one of the most comprehensive ones among state laws.
Who Are Consumers, Controllers, and Processors Under the Delaware Personal Data Privacy Act?
Under the DPDPA, consumers are defined as Delaware residents. Controllers refer to businesses that determine why and how personal data is processed, and processors are entities that process personal data on behalf of a controller.
The DPDPA designates numerous essential obligations for data controllers. For example, data controllers must:
- Restrict the gathering of personal data to what is deemed pertinent, substantial, and justifiably necessitated corresponding to why the data is being processed
- Avoid using personal data for any objectives that are not reasonably necessary or compatible with the disclosed purposes for which the data is being processed
- Set up, launch, and uphold appropriate security methods to shield the confidentiality, integrity, and accessibility of personal data
- Avoid processing sensitive data related to a consumer without acquiring the consumer’s approval first
- Refrain from processing personal data in a manner that conflicts with Delaware state or federal laws that disallow unlawful discrimination
- Furnish an efficient avenue for a consumer to withdraw consent and stop processing the data within 15 days upon receipt of such revocation request
- Abstain from processing the personal data of a consumer for targeted advertising or sell the consumer’s personal data without consumer consent, particularly when the consumer is aged between 13 and 18
- Eschew showing prejudice against a consumer for exercising any of their consumer rights
Rights Defined by the Delaware Personal Data Privacy Act
The Delaware Personal Data Privacy Act provides not just a broad definition of sensitive data to protect Delaware residents’ privacy but also grants several rights to Delaware-based consumers. These rights include:
Delaware Residents Have the Right to Request Access to Their Personal Data
Under the DPDPA, Delaware residents have the right to request access to their personal data and the right to know whether a corporation is collecting and utilizing it, unless doing so would reveal the corporation’s trade secrets. This right enables individuals to retain control over their personal information. It requires corporations, if asked, to disclose the personal data they have collected, how it’s used, and whether it has been disclosed to any third parties. Corporations, however, are not obligated to provide such information if it would reveal trade secrets that would negatively impact their ability to compete in their respective marketplace. This right strikes a balance between corporate secrecy and individual privacy rights.
Delaware Residents Have the Right to Request That Any Errors or Inconsistencies in Their Personal Data Be Fixed
The DPDPA provides individuals the right to prompt correction of inaccuracies in the personal data held about them. This right is critical to ensure that the data is not used in a misleading or harmful manner. This right assumes any incorrect or misrepresentation of data can have severe consequences, and therefore this provision allows individuals to ensure their data is accurate.
Delaware Residents Have the Right to Ask That Any Personal Information the Company Has Amassed or Gathered About Them Be Deleted
Known commonly as “the right to be forgotten,” this provision addresses a Delaware resident’s personal data that is no longer necessary for the purpose for which it was collected. It empowers Delaware residents to request that any data held about them be deleted, safeguarding against potential misuse or unauthorized access.
Delaware Residents Have the Right to Get a Copy of the Personal Data the Business Has Processed in a Usable and Portable Format
This provision of the Delaware Personal Data Privacy Act ensures that individuals can receive a copy of their personal data in a structured, common, and machine-readable format. This can enable them to switch between service providers with ease and can promote competition.
Delaware Residents Have the Option, With Some Restrictions, to Refuse Some Uses of Their Personal Data, Such as Targeted Advertising and Data Sales
The DPDPA allows Delaware residents to object, in certain circumstances, to their personal data being used for purposes such as targeted advertising and data sales. This provision empowers Delaware residents to express consent or dissent in specific scenarios and aids in preventing the unwanted exploitation of personal data. This right demonstrates the DPDPA’s emphasis on consent, transparency, and individual control over personal data.
What Is the DPDPA Privacy Notice?
Under the DPDPA, businesses are required to provide consumers with a comprehensive Privacy Notice. The Privacy Notice is intended to maintain transparency and conformity with the legal obligations of the DPDPA. The Privacy Notice should be readily accessible, understandable, and meaningful in order to effectively communicate the following details:
- The types of personal data that the business processes or handles
- The specific purposes for which this personal data is processed
- Clear instructions on how consumers can assert their rights with regard to their personal data
- The categories of personal data that the business shares with third-party entities
- Information about the third-party entities with whom the business shares personal data
- Contact details for the business, including an email address or other online methods, through which consumers can initiate communication
This information streamlines the process of data handling and assures Delaware-based consumers their data is being managed in compliance with the DPDPA.
How Is the Delaware Personal Data Privacy Act Enforced?
The DPDPA, scheduled to take effect on January 1, 2025, will be enforced by the Delaware Department of Justice. The Department holds the mandate to oversee the application of the Act, investigate potential violations, and carry out prosecutions where necessary.
The DPDPA comprises a unique 60-day remedy period for businesses in violation of the privacy law and provides them a window to resolve any infringements. This provision, however, is set to expire on December 31, 2025, and the remedy period will then become discretionary.
The Delaware Department of Justice can deem infringements of the DPDPA as unfair trading practices, with each violation carrying a maximum penalty of $10,000.
Kiteworks Helps Businesses Demonstrate Compliance With the DPDPA
The Kiteworks Private Content Network helps businesses ensure compliance with the Delaware Personal Data Privacy Act. Kiteworks offers a secure platform for managing and sharing sensitive information like personal data, an essential requirement under the DPDPA. Kiteworks provides rigorous security controls to safeguard consumers’ personal information, incorporating multi-factor authentication, granular policy controls, role-based permissions, security infrastructure integrations, and end-to-end encryption.
Kiteworks consolidates third-party communication channels like email, file sharing, and file transfer onto a single platform, protected by a self-contained and preconfigured hardened virtual appliance.
Every file containing a consumer’s PII is tracked as it comes into, moves through, or leaves an organization. Tracking all file activity, namely who sent what to whom and when, allows businesses to flag anomalous behavior, conduct forensic analysis, comply with legal hold requests, and demonstrate compliance with many data privacy laws and standards.
To learn more about the Kiteworks Private Content Network and how your business can comply with the Delaware Personal Data Privacy Act, schedule a custom-tailored demo today.
Get email updates with our latest blogs news