How Your Business Can Comply With the Delaware Personal Data Privacy Act (DPDPA)
Introduction
Delaware is the thirteenth U.S. state to enact a comprehensive consumer data privacy law. The Delaware Personal Data Privacy Act (DPDPA) was signed into law on September 11, 2023, and takes effect on January 1, 2025.
Also known as HB 154, DPDPA gives residents more control over their personal data and sets parameters for businesses that collect and process Delawareans' personal data. The Delaware Department of Justice will also run a six-month public outreach period beginning July 1, 2024 to inform consumers of their rights and businesses of their obligations.
This blog post gives you a head start on the privacy rights Delaware consumers have and the other regulatory requirements businesses need to fulfill. Read on to learn what you need to know and do to comply with consumer privacy law in The First State.
Who is subject to the Delaware Personal Data Privacy Act?
Businesses are subject to Delaware’s privacy law if they operate in Delaware or target products or services to Delaware consumers, and either:
- Control or process the personal data of no less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
- Control or process the personal data of no less than 10,000 consumers and derive more than 20% of their gross revenue from the sale of personal data.
One of the distinctive features of Delaware's privacy law is its applicability standard: at the time it was passed, Delaware's thresholds were the lowest of any U.S. comprehensive consumer privacy law.
Most state privacy laws apply only once a business controls or processes the personal data of 100,000 or more consumers. DPDPA significantly lowers that number, which is why it is considered one of the most consumer-friendly privacy laws to date.
To determine whether your business is subject to Delaware’s privacy law, confirm whether or not it satisfies the applicability standards above.
Delaware consumer privacy rights and consent requirements
Once you’ve confirmed that your business is subject to Delaware’s privacy law, you’ll need to know what privacy rights and consent rights Delawareans can exercise. It’s also important to understand how DPDPA is enforced so you can protect your business against regulatory risks.
This section will cover all of these topics in more detail.
Consumer rights in Delaware
The Delaware Personal Data Privacy Act grants Delaware consumers data subject rights, or the ability to control how companies can collect, process, and disclose their personal data.
Consumers can submit what are called data subject requests (DSRs) or privacy requests to exercise their data privacy rights. These rights include:
- Right to know
- Right to access
- Right to correction
- Right to deletion
- Right to data portability
- Right to appeal
Delaware consumers also have the additional right to obtain a list of the categories of third parties with which a business has shared their personal data. However, as with most U.S. privacy laws, Delawareans do not have a private right of action, meaning they cannot directly sue a company over privacy violations; enforcement rests with the state.
Consent requirements in Delaware
Delaware residents also have specific opt-out and opt-in consent rights that businesses must honor.
Consumers in Delaware have the right to opt out of the processing of personal data for:
- Targeted advertising.
- The sale of personal data.
- Profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
DPDPA also requires companies to recognize universal opt-out signals (also called opt-out preference signals), which let a consumer communicate an opt-out choice once, from their browser or device, instead of on every website. The most widely deployed signal is Global Privacy Control (GPC), which a browser or extension sends on every request as the HTTP header "Sec-GPC: 1". Ethyca can enable your website to detect universal opt-out signals, including GPC.
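The following is an added example of what "recognizing" the GPC signal looks like on the server side. It is not Ethyca or Fides code. It assumes a plain mapping of request headers (what a WSGI or ASGI framework hands you), an in-memory consent record, and that a GPC signal opts the consumer out of the two activities named here (targeted advertising and sale); the activity names and the ConsentRecord shape are assumptions for the example.

```python
"""Detect the Global Privacy Control (GPC) request header and fold it into a
consumer's consent record. Added example; not Ethyca or Fides code."""
import json
from dataclasses import dataclass, field
from typing import Dict, Mapping

# Activities a GPC signal opts the consumer out of. Limiting this to targeted
# advertising and sale is an assumption made for the example.
GPC_OPT_OUTS = frozenset({"targeted_advertising", "sale"})


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only for a well-formed GPC header (Sec-GPC: 1).

    Header names are case-insensitive, and frameworks expose them as "Sec-GPC",
    "sec-gpc" or the CGI-style "HTTP_SEC_GPC". The value must be exactly "1";
    any other value is treated as no signal, never as an opt-in.
    """
    for name, value in headers.items():
        key = name.lower().replace("_", "-")
        if key in ("sec-gpc", "http-sec-gpc"):
            return value.strip() == "1"
    return False


@dataclass
class ConsentRecord:
    consumer_id: str
    # activity -> True means the consumer is opted OUT of that activity
    opted_out: Dict[str, bool] = field(default_factory=dict)
    # activity -> how the current setting was established ("user" or "gpc")
    source: Dict[str, str] = field(default_factory=dict)


def apply_request_signal(record: ConsentRecord, headers: Mapping[str, str]) -> ConsentRecord:
    """Fold a request's GPC signal into the stored consent record.

    A valid signal opts the consumer out of every activity in GPC_OPT_OUTS and
    records "gpc" as the source, so the audit trail shows the setting was not
    chosen in a UI. Absence of the signal changes nothing: the consumer may have
    opted out through a privacy center, and a browser without GPC must not
    silently opt them back in.
    """
    if not gpc_signal_present(headers):
        return record
    for activity in GPC_OPT_OUTS:
        record.opted_out[activity] = True
        record.source[activity] = "gpc"
    return record


def may_process(record: ConsentRecord, activity: str) -> bool:
    """Gate a processing activity on the stored consent record."""
    return not record.opted_out.get(activity, False)


def well_known_gpc(last_update: str) -> str:
    """Body for /.well-known/gpc.json, which tells clients the site honors GPC.

    last_update is a YYYY-MM-DD date for when the site's GPC support last changed.
    """
    return json.dumps({"gpc": True, "lastUpdate": last_update})


if __name__ == "__main__":
    # Constructed request headers: one GPC-enabled browser, one without the signal.
    gpc_browser = {"Host": "example.com", "Sec-GPC": "1"}
    plain_browser = {"Host": "example.com"}

    rec = apply_request_signal(ConsentRecord("c-123"), gpc_browser)
    print(rec.opted_out, rec.source)
    print("targeted ads allowed:", may_process(rec, "targeted_advertising"))
    rec2 = apply_request_signal(ConsentRecord("c-456"), plain_browser)
    print("sale allowed:", may_process(rec2, "sale"))
    print(well_known_gpc("2024-01-01"))
```

On the client side the same signal is exposed to page scripts as navigator.globalPrivacyControl, so a consent banner can read it before rendering; the server-side check above is the one that must gate actual processing, since script-based checks can be bypassed or simply not run. Keeping the "source" field is what lets you show a regulator that an opt-out was applied automatically from the signal rather than entered by the consumer.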
For opt-in consent, businesses must obtain a consumer's consent before processing their sensitive data, which is defined as personal data that includes:
- Racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, citizenship status, or immigration status;
- Genetic or biometric data;
- Personal data of a known child (under 13 years old);
- Precise geolocation data.
Businesses must also enable consumers to revoke consent on their websites in a way that is as easy as giving consent. Be sure to explain how users can exercise their opt-out and opt-in rights on your website’s Privacy Notice.
Violations and enforcement
Companies must respond to consumers' privacy requests within 45 days and may extend that period by an additional 45 days when reasonably necessary, provided they notify the consumer of the extension. The Delaware Department of Justice (DOJ) has the authority to enforce DPDPA against businesses subject to the law and can initiate an investigation or prosecute violations.
If sent a notice of violation, businesses have a 60-day cure period to correct the infraction. The law does not specify a civil penalty amount. The right to cure sunsets on December 31, 2025; after that date, the DOJ decides case by case whether a business will be given an opportunity to correct alleged violations.
Now that you know what consumer rights and consent rights Delawareans have, as well as the consequences of privacy violations, let's go over the additional business obligations required under DPDPA.
Business obligations in the Delaware Personal Data Privacy Act
Practice data minimization and purpose limitation
Delaware’s privacy law states that businesses may only collect consumers’ personal data that is “adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed.” That means businesses are not allowed to collect data for purposes that are not specified in their online Privacy Notice.
This practice is called data minimization. Data minimization is not simply collecting less data; it forces businesses to be intentional about the data they collect. Collecting only the data your organization actually needs reduces the risk of data misuse, and data you never collected cannot be exposed in a breach.
DPDPA also says that businesses may not process personal data for “purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed.” That means businesses also may not process consumers’ personal data in a way that is not specified in the Privacy Notice without first obtaining the consumer’s consent. This is called purpose limitation, and it serves a similar function to data minimization.
To comply with DPDPA, identify what data your business needs to collect and process and for what business purpose, and make sure each purpose is stated clearly in your website’s Privacy Notice.
Publish a clear and accessible Privacy Notice
Delaware’s privacy law also mandates that businesses must publish a “reasonably accessible, clear, and meaningful” Privacy Notice on their websites. Privacy Notices must include:
- The categories of personal data processed by the controller.
- The purpose for processing personal data.
- How consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request.
- The categories of personal data that the controller shares with third parties, if any.
- The categories of third parties with which the controller shares personal data, if any.
- An active electronic mail address or other online mechanism that the consumer may use to contact the controller.
Work with your legal team to ensure that all of the necessary information required under DPDPA is included in your business’ Privacy Notice.
Enter into data processing contracts
DPDPA requires businesses (controllers) to enter into data processing contracts with their processors, the entities that “process personal data on behalf of a controller.”
This contract must legally obligate the processor to follow the instructions of the controller and to meet its own obligations under the law. These obligations include helping the controller fulfill consumers’ privacy requests and perform data protection assessments.
Data processing contracts should also govern the processors’ data processing practices, including the nature and purpose of processing, the type of data subject to processing, and the duration of processing.
If your business works with processors, be sure to enter into a legally binding data processing contract with each of them, and ensure it meets DPDPA’s requirements.
Perform data protection assessments (DPAs)
Under Delaware’s privacy law, only businesses that control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction, must perform a data protection assessment. This differs from most other state privacy laws, which require data protection assessments of any business subject to the law.
Businesses must assess the data processing activities that could present an increased risk of harm to consumers, including:
- The processing of personal data for the purposes of targeted advertising.
- The sale of personal data.
- The processing of personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk to the consumer.
- The processing of sensitive data.
- The use of de-identified data.
DPAs are meant to help businesses carefully weigh the benefits and risks of each of their processing activities for the consumer, the business itself, and other stakeholders. That way, they can determine which safeguards are necessary to protect against the potential harms they identify.
The Attorney General has the authority to request a DPA at any time to assess a company’s compliance with DPDPA. To make sure your business is ready for Delaware regulators, work with your legal team to conduct and record DPAs appropriately.
Process de-identified data compliantly
DPDPA states that businesses processing de-identified and pseudonymous data must not attempt to re-identify that data. Delaware’s privacy law also specifies that businesses do not have to process data subject requests that involve de-identified data.
Ultimately, it is up to the business to “exercise reasonable oversight” to ensure it does not misuse de-identified and pseudonymous data. If this applies to your business, put appropriate measures in place to monitor compliance by January 1, 2025.
How to comply with the Delaware Personal Data Privacy Act with Ethyca
Making sure your business complies with so many different privacy laws can feel overwhelming. Luckily, Ethyca’s data privacy compliance solution makes it easy. With the Fides privacy intelligence platform, your business will be able to automate privacy compliance with all U.S. privacy laws.
Read on to learn more.
Easy consent management
With the Fides privacy intelligence platform, your business can easily manage users’ consent preferences for any privacy law.
Different state privacy laws have different consent requirements businesses must fulfill. Fides will help your business comply with all the various requirements by enabling you to set multiple opt-out links on your website footer, customize a Privacy Center on your website for easy consent intake, and set single or multiple opt-in or opt-out consent preferences for each state privacy law.
Users can easily submit their consent preferences through a Privacy Center powered by Fides on your website. With a simple and intuitive Admin UI, you’ll be able to quickly process and record users’ consent preferences for fast and easy compliance.
Automated privacy requests fulfillment
Although privacy regulations require businesses to fulfill privacy requests such as access and erasure, this process is often costly and labor-intensive, and it creates a lot of friction among legal, compliance, and engineering teams.
The Fides privacy intelligence platform streamlines this process. Your business will be able to automate DSR processing end-to-end.
First, users can submit their requests through the same Privacy Center powered by Fides on your website. Once submitted, the user verifies their identity via a code sent through SMS or email. This step matters: an access request fulfilled for the wrong person is itself a data breach, so the request flow must be as well protected as the data it returns.
After the user’s identity has been verified, you can approve or deny the request in an easy-to-use Admin UI. Users will then receive an email containing a file with all their requested data in a machine-readable format, or a confirmation that their data has been deleted.
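As an added example of the identity verification step described above (not Ethyca or Fides code), here is a minimal one-time-code verifier for a data subject request. The in-memory store, the HMAC key, the 6-digit code length, the 10-minute expiry and the 5-guess limit are all assumptions chosen for the example; a real deployment would persist the pending verifications and deliver the code through its SMS or email provider.

```python
"""One-time-code identity verification for a data subject request (DSR).
Added example; not Ethyca or Fides code. Store, key, code length and limits
are assumptions made for illustration."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CODE_DIGITS = 6            # assumption: 6-digit numeric code
CODE_TTL_SECONDS = 600     # assumption: code valid for 10 minutes
MAX_ATTEMPTS = 5           # assumption: 5 guesses, then the code is dead


@dataclass
class PendingVerification:
    code_hmac: bytes       # HMAC of the code; the plaintext code is never stored
    expires_at: float
    attempts_left: int
    consumed: bool = False


class DsrVerifier:
    """Issue and check verification codes for privacy requests.

    A DSR flow hands out exactly the data it exists to protect, so a weak check
    turns the access right into an exfiltration path. The properties enforced
    here: codes come from a CSPRNG, only an HMAC of the code is stored, the
    comparison is constant-time, codes expire, guesses are capped, and a code
    can be used exactly once.
    """

    def __init__(self, key: bytes, clock: Callable[[], float] = time.time):
        self._key = key            # assumption: server-side secret from a KMS or env
        self._clock = clock        # injectable for testing expiry
        self._pending: Dict[str, PendingVerification] = {}

    def _mac(self, request_id: str, code: str) -> bytes:
        # Bind the MAC to the request ID so a code issued for one request
        # cannot be replayed against another.
        msg = f"{request_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue_code(self, request_id: str) -> str:
        """Create a fresh code for request_id; the caller delivers it by SMS or email."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[request_id] = PendingVerification(
            code_hmac=self._mac(request_id, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
            attempts_left=MAX_ATTEMPTS,
        )
        return code

    def verify(self, request_id: str, submitted: str) -> bool:
        """Return True once, for the right code, within TTL and attempt budget."""
        pending = self._pending.get(request_id)
        if pending is None or pending.consumed:
            return False
        if self._clock() > pending.expires_at:
            del self._pending[request_id]
            return False
        if pending.attempts_left <= 0:
            return False
        pending.attempts_left -= 1
        ok = hmac.compare_digest(pending.code_hmac, self._mac(request_id, submitted))
        if ok:
            pending.consumed = True
        return ok


if __name__ == "__main__":
    verifier = DsrVerifier(key=b"replace-with-a-real-secret")
    code = verifier.issue_code("dsr-0001")
    print("code sent to consumer (constructed demo):", code)
    print("wrong guess accepted:", verifier.verify("dsr-0001", "000000" if code != "000000" else "000001"))
    print("right code accepted:", verifier.verify("dsr-0001", code))
    print("replay accepted:", verifier.verify("dsr-0001", code))
```

Two design points worth carrying into a real system: the verifier never learns which digits were wrong (constant-time HMAC comparison), and exhausting the attempt budget kills the code rather than merely slowing the attacker, so the only recovery is re-issuing a new code to the same verified contact channel. The request ID in the MAC also means a code intercepted for one request is useless for any other.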
Fides will also maintain a log of the requests your business has received and processed. With this built-in paper trail of reports, you can prove to regulators that your business’ privacy practices are compliant at any time.
Real-time data mapping and system inventorying
What makes the Fides privacy intelligence platform so powerful is its ability to connect to all internal and third-party databases and systems. Once connected, Fides will be able to produce a real-time data map, or visual, of all the data in your organization.
Unlike manual spreadsheets that are immediately out of date, Fides’ automated data map will give you an accurate inventory of all the data in your systems, i.e. what the data is and where it is stored.
In fact, connecting to all of your systems is how Fides can automate consent management and privacy requests in the first place. The Fides privacy intelligence platform will integrate privacy and compliance across your entire business. That’s the true power of Fides’ privacy intelligence.
Conclusion
Although Delaware shares many similarities with the other state privacy laws that have either gone into effect this year or will go into effect in the future, DPDPA has its own unique provisions businesses need to account for to be compliant.
But, with more and more U.S. privacy laws on the way, your business will need to keep tabs on all of the new privacy laws emerging at the state level.
Thankfully, you don’t have to do it alone. Ethyca is here to help your business comply with all U.S. state consumer privacy laws. If you have any questions about new or existing privacy laws, schedule a free 15-minute call to get a privacy consultation today.