Key point: Delaware is the twelfth state to pass consumer data privacy legislation with a bill that closely resembles the Connecticut law but with some notable differences.
On June 30, 2023, the Delaware legislature passed the Delaware Personal Data Privacy Act (HB 154). Subject to the procedural formalities in the legislature, the bill will move to Delaware Governor John Carney for consideration.
Assuming the bill becomes law, Delaware will become the twelfth state – and seventh this year – to pass a consumer data privacy law. The other states that have passed bills this year are Indiana, Iowa, Montana, Oregon, Tennessee, and Texas.
The Delaware bill closely resembles last year’s Connecticut Data Privacy Act (CTDPA), with some notable differences discussed in the article below.
As with prior bills passed this year, we have added the Delaware bill to our chart providing a detailed comparison of the laws enacted to date.
As discussed, the Delaware bill largely tracks the CTDPA as that law was passed last year prior to the Connecticut legislature amending it through this year’s Senate Bill 3. As such, the Delaware bill is one of the more consumer-friendly state consumer data privacy bills passed to date and fits into the same tier as Colorado, Connecticut, Oregon, and Montana (not including California, which is based on a different model). Some also argue that the Texas law passed earlier this year belongs in this group.
Of the seven bills passed this year, Delaware’s is only the second to be passed by a Democrat-controlled legislature.
The Delaware bill follows the applicability standard that has become common with the Washington Privacy Act variants, i.e., the applicability is based on the number of consumers whose data the entity collects. However, the Delaware bill makes two adjustments.
First, Delaware lowers the 100,000-consumer threshold to 35,000 consumers. This adjustment presumably was to account for Delaware’s lower population of approximately 1.02 million residents. The 35,000 threshold represents approximately 3.43% of the state’s population. For reference, the 100,000 threshold used in Colorado, Connecticut, and Oregon is approximately 1.72%, 2.78%, and 2.35% of each state’s population, respectively.
Delaware is the second state to lower the threshold for applicability to adjust for a smaller state population. Earlier this year, Montana lowered the threshold to 50,000 consumers (approximately 4.45% of the state’s population). One state – Tennessee – increased the threshold to 175,000 consumers (approximately 2.48% of the state’s population).
Second, Delaware adjusts the second applicability threshold such that the bill applies to persons that, in the preceding calendar year, “controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data.” For reference, Connecticut sets these limits at 25,000 consumers and 25% of gross revenue.
Another notable way in which the Delaware bill differs from the CTDPA is that, with two exceptions, it does not exempt nonprofits. The bill exempts nonprofit organizations that are “dedicated exclusively to preventing and addressing insurance crime.” The bill also exempts personal data “of a victim of or witness to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking that is collected, processed, or maintained by a nonprofit organization that provides services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking.”
Delaware joins Colorado and Oregon as the only states that do not exempt nonprofits.
The Delaware bill exempts state governmental entities; however, it states that the exemption excludes “any institution of higher education.”
The bill does not contain an entity-level exemption for HIPAA covered entities and business associates. The bill does contain several data-level exemptions for health data, but these are not the same as in the Connecticut law.
The bill contains both entity-level and data-level exemptions for GLBA financial institutions and information subject to the GLBA.
Delaware largely tracks the rights provided by Connecticut, including requiring controllers to recognize universal opt-out mechanisms – by January 1, 2026 for Delaware. The bill also does not require opt-outs to be authenticated.
Delaware adds one additional right, which is that consumers have the right to obtain “a list of the categories of third parties to which the controller has disclosed the consumer’s personal data.” This is somewhat similar to the Oregon bill although Oregon states that the right is to obtain a list of “specific third parties.”
With respect to authorized agents, it appears that there may be cross-referencing errors in sections 12D-104(b) and 12D-105(a) of the bill. For example, section 12D-105(a) states that a consumer can designate an authorized agent “to act on the consumer’s behalf to opt out of the processing of such consumer’s personal data for one or more of the purposes specific in paragraph (a)(5) of § 12D-104 of this chapter.” However, paragraph (a)(5) refers to the list of categories of third parties. The following subpart – (a)(6) – refers to the opt-out rights.
Delaware also states that the Attorney General’s Office may publish or reference a list on its website of authorized agents. It appears this may be a reference to the Colorado Privacy Act Rules in which the Colorado Attorney General’s Office states it will publish such a list.
The Delaware bill also narrows the data broker exemption found in other state laws, stating that: “A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer’s request to delete such data pursuant to paragraph (3) of subsection (a) of this section if the controller retains a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the controller’s records and does not use such retained data for any other purpose.” Other laws state that controllers can, in the alternative, opt the consumer out of the processing of such personal data for any purpose except for those exempted by the law.
Children’s Privacy Rights
Delaware states that a controller cannot process the personal data of a consumer for the purposes of targeted advertising or sell the consumer’s personal data without the consumer’s consent where a controller has actual knowledge or willfully disregards that the consumer is at least 13 years of age but younger than 18 years of age. In doing so, Delaware raises the age limit found in the Connecticut law from under 16 to under 18. However, it should be noted that this year’s Connecticut Senate Bill 3 reaches this same result through its additional children’s privacy protections.
Delaware defines sensitive data to include “status as transgender or nonbinary.” This addition to the definition of sensitive data also was made in the Oregon bill passed last week.
As with other laws passed to date, Delaware includes genetic or biometric data in its definition of sensitive data. However, the bill does not state that the data must be used for the purpose of uniquely identifying an individual. This change tracks modifications made in the Oregon bill as we discussed here. However, with respect to biometric data, the absence of this qualifying language may not have significance because the definition of biometric data requires the data to be “used to identify a specific individual.”
The Delaware bill also contains a definition of genetic data, which does not appear in other laws. It is defined as “any data, regardless of its format, that results from the analysis of a biological sample of an individual, or from another source enabling equivalent information to be obtained, and concerns genetic material. For purposes of this paragraph, “genetic material” includes deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from analysis of the biological sample or other source, and any information extrapolated, derived, or inferred therefrom.”
Delaware adds “demographic characteristics” to the list of topics covered by profiling.
Data Protection Assessments
The language regarding data protection assessments tracks the Connecticut language, with the exception that Delaware states that the requirements apply only to processing activities created or generated six months or more after the law’s effective date. In Connecticut, the assessment requirements apply as of the effective date.
The bill does not authorize Attorney General rulemaking.
The bill will be enforced by the Delaware Attorney General’s Office. It does not contain a private right of action. The bill contains a sixty-day right to cure that sunsets December 31, 2025.
The bill will go into effect January 1, 2025 (subject to the bill being enacted prior to January 1, 2024).
It is worth flagging that Delaware already has an existing online privacy law – the Delaware Online Privacy and Protection Act (DelOPPA). Although the requirements in DelOPPA are far less stringent than those in this new bill, entities should consider both laws when addressing compliance.