Intro
Recently, we published an article in Ukrainian, “USA: privacy laws - 2023”, in which we looked at what laws, norms, and rules govern the field of data protection in different states of America.
Today we will take a closer look at the state of Delaware. This state entered a new era of data protection as Governor John Carney signed into law the Delaware Personal Data Privacy Act (“DPDPA”). This move officially makes Delaware the 13th state in the US to enact comprehensive consumer privacy legislation.
Does state privacy law apply to my business? What responsibilities does the new law impose on me as the data controller? What rights are granted to the consumer? What does the law say about data protection measures, consent for data processing, and data protection assessment? And, most importantly, what steps should I take in order to act within the framework of the new law?
You will find answers to these and other questions in this article.
Key points to talk about:
Does the DPDPA Apply to Your Business?
This law affects businesses that operate in the state of Delaware or that target products or services to its residents. It applies to you if, in the last year, your business handled the personal data of at least 35,000 consumers, or of 10,000 consumers while deriving over 20% of its revenue from selling personal data.
DPDPA Consumer Rights and Requests
The DPDPA gives consumers in Delaware more control over their personal data, aligning with other state laws. Individuals have the right to:
- confirm if a business is using their data;
- access their data (unless it’s a trade secret);
- correct inaccuracies in their data;
- delete provided or obtained data;
- receive a copy of their data in a portable format;
- opt out of data processing for advertising, sales, or profiling;
- designate a “browser setting, browser extension, or global device setting” to indicate opting out of certain types of processing.
As in other state laws, the DPDPA gives businesses 45 days to respond to a request, with a possible 45-day extension in complex cases.
Controller Duties Under Delaware’s Privacy Act
- Collection Limits. Controllers should only gather personal data that is adequate, relevant, and reasonably necessary for the disclosed purpose.
- Data Protection Measures. Controllers are obligated to establish safety measures to safeguard consumers’ personal data.
- Anti-Discrimination Provision. Processing data that could lead to discrimination is prohibited, and companies cannot discriminate against individuals who exercise their rights.
- Opt-In Consent. For sensitive data or a minor’s data, controllers must obtain opt-in consent.
- Privacy Notice Requirement. Controllers must furnish consumers with a privacy notice, explaining the data collected, its purpose, how it's used and shared, how to exercise rights, and options to opt out of data sale and targeted advertising.
- Processor Responsibilities. Processors must assist controllers in meeting their obligations and operate under a contractual agreement governing data processing procedures.
- Data Protection Assessment. If controlling or processing data of at least 100,000 consumers, the law mandates a data protection assessment for activities presenting a heightened risk of harm to consumers, including:
  - Targeted advertising;
  - Sale of personal data;
  - Profiling with a risk of unfair or deceptive treatment, financial/physical/reputational injury, intrusion upon solitude, or processing sensitive data.
The DPDPA Enforcement and Penalties
The Delaware Department of Justice is in charge of enforcing the DPDPA and making sure businesses follow the rules. A business that violates the law receives a 60-day notice to fix the violation. If it does not, it could face fines of up to $10,000 per violation, the highest in the US. Starting in 2026, there is no grace period, and penalties can be imposed immediately.
What Should Businesses Do?
- Update Privacy Notice. Businesses can get ready for the Delaware Personal Data Privacy Act by revising their privacy notice to align with the new law's requirements.
- Review Cookie Policy. If your company uses cookies and performs any processing activities such as targeted advertising, selling personal data, or profiling, update your cookie policy. Clearly describe these activities to customers and provide an easy opt-out mechanism.
- Provide Consumer Request Policy. Covered entities should offer various methods for consumers to exercise their data privacy rights, such as incorporating a consent banner and including a Consumer Request Policy on their website or app.
- Conduct Data Protection Assessments. If your organization handles data from over 100,000 consumers, plan to conduct data protection assessments.
- Review Contracts with Third-Party Processors or Controllers. Ensure that any contracts with third-party processors or controllers adhere to the specifications outlined in the DPDPA.
- Compliance with Global Privacy Controls. Certain parts of the law require covered entities’ websites to implement universal opt-out mechanisms. Prepare your platform to meet these obligations as well.
The DPDPA takes effect on January 1, 2025. It gives businesses an extra year to adopt the universal systems required by the law. We are here to help you meet DPDPA compliance!
Contact us:
business@avitar.legal