And Delaware Makes 13: Delaware’s New Online Privacy and Protection Act
On September 11, 2023, Delaware Governor John Carney signed House Bill No. 154, Delaware’s new state consumer privacy law (the “Delaware Act”), into law. The Delaware Act will become effective January 1, 2025. Delaware now joins California, Utah, Colorado, Connecticut, Virginia, Iowa, Indiana, Tennessee, Montana, Florida, Texas and Oregon as states that have passed comprehensive consumer data privacy laws. The Delaware Act is substantially similar to the laws in Connecticut and Virginia, a continuing sign that those state laws are serving as the model for other states. However, as businesses add the Delaware requirements to their compliance programs, they must account for nuances in the Delaware Act, most notably the lack of general exclusions for nonprofits and institutions of higher learning.
To be subject to the Delaware Act, a business must conduct business in Delaware or produce products or services targeted to Delaware residents, and during the preceding calendar year either:
- control or process personal data of 35,000 or more Delaware consumers (excluding data controlled or processed solely for the purpose of completing a payment transaction); or
- control or process personal data of 10,000 or more Delaware consumers and derive more than 20% of gross revenue from the sale of that data.
While these thresholds are lower than those in most other states with consumer privacy laws, they are in line with those of states with similar populations (e.g., the Montana Consumer Data Privacy Act applies to companies that control or process the personal data of 50,000 or more Montana residents, or that control or process the personal data of 25,000 or more Montana residents and derive more than 25% of gross revenue from the sale of that data). The lower thresholds may nonetheless subject more companies to the Delaware Act than would be covered under the laws of larger states.
The Delaware Act, like the laws in Colorado and Oregon, does not include a broad exemption for nonprofit organizations. There are only two narrow exceptions for nonprofits – one for nonprofit organizations “dedicated exclusively to preventing and addressing insurance crime,” and one for personal data collected by nonprofits related to victims or witnesses of certain crimes, including domestic violence and stalking. The Delaware Act also does not provide entity-level exceptions for covered entities or business associates regulated under HIPAA (but does contain an information-level exception for protected health information under HIPAA). However, the Act does contain both information-level and entity-level exceptions for financial institutions and information subject to the Gramm-Leach-Bliley Act.
Under the Delaware Act, a consumer has the right to:
- Confirm whether a controller is processing their personal data and access such personal data;
- Correct inaccuracies in the consumer’s personal data;
- Delete personal data provided by or obtained about the consumer;
- Obtain a copy of their personal data processed by the controller in a format that allows the consumer to transmit that data to another controller;
- Obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data; and
- Opt out of the processing of their personal data for the following purposes: (a) targeted advertising; (b) the sale of personal data; and (c) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
The Delaware Act can be enforced only by the Delaware Department of Justice; there is no private right of action. It goes into effect on January 1, 2025. Until December 31, 2025, before bringing an enforcement action, the Delaware Department of Justice must issue a notice of violation and allow the controller 60 days to cure the violation if it determines that the violation could be cured. Beginning January 1, 2026, the Delaware Department of Justice may, but is not required to, provide an opportunity to cure an alleged violation.