On September 11, Delaware’s governor signed into law the Delaware Personal Data Privacy Act (the “DPDPA” or “Act”),[1] establishing Delaware as the 12th state in the U.S. to enact its own comprehensive data protection law and contributing to the patchwork of U.S. data protection regimes that continue to proliferate in the absence of federal regulation.
The Act, which will take effect on January 1, 2025, largely tracks previously enacted data protection laws such as those passed in Colorado, Connecticut, Oregon and Virginia; however, the DPDPA diverges from these laws in certain key respects. For example, likely reflecting the relatively smaller population of Delaware, the DPDPA has a much lower processing threshold as compared to other states, applying to organizations that control or process the personal data of (i) 35,000 or more Delaware residents in a given year (excluding (a) individuals acting in an employment or commercial context and (b) personal data processed for the purpose of completing a payment transaction), or (ii) 10,000 or more state residents and derive more than 20% of gross revenue from the “sale” of personal data for monetary or other valuable consideration. Also in a departure from the majority approach, though similar to the laws in Colorado and Oregon, the DPDPA does not categorically exempt nonprofits.[2] That said, like other state regimes, the Act provides consumers with a similar suite of privacy rights, e.g., rights to access,[3] correct, delete, data portability and to opt-out, including through universal opt-out mechanisms, of personal data sales and certain other uses. The Act also imposes transparency, data minimization, purpose limitation, data security, data protection impact assessment, and other commonly seen data protection obligations on covered entities.
Please click here to continue reading on the Cybersecurity and Privacy Watch blog.