On September 11th, 2023, Governor John Carney signed into law the Delaware Personal Data Privacy Act (DPDPA), making Delaware the twelfth state with a comprehensive data privacy law. The DPDPA will go into effect on January 1st, 2025.
Applicability
The DPDPA will impose obligations upon entities that control or process the personal data of:
- At least 35,000 Delaware residents (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or
- At least 10,000 Delaware residents if the entity derives more than 20% of its gross revenue from the sale of personal data.
Consumer Rights
Like many other state comprehensive data privacy laws, the DPDPA provides Delaware residents with rights to:
- Know and access their personal data
- Correct inaccurate personal data
- Delete personal data
- Obtain a portable copy of their personal data
- Opt-out of certain personal data processing
The DPDPA also gives Delaware residents the right to obtain a list of categories of third parties to which an entity has disclosed the consumer’s personal data.
Notable Differences from Other State Laws
Unlike many other state comprehensive data privacy laws, the DPDPA does not contain an entity-level exemption for specified types of nonprofits or for HIPAA covered entities and business associates.
The DPDPA also affords certain privacy protections to the data of minors up to the age of 18, rather than 13 or 16, the age of protection for many other state comprehensive data privacy laws.
For context on the growing patchwork of state privacy laws, see our related post, A Hot Privacy Summer: Update on State Comprehensive Privacy Law Enforcement Dates.
Need privacy guidance?
Fey LLC helps organizations navigate complex data privacy and cybersecurity challenges.
Contact Us