On 30 June 2023, the Delaware legislature passed the Delaware Personal Data Privacy Act (HB154), marking Delaware as the 12^th state (and the 7^th since the beginning of 2023) to enact a comprehensive consumer data privacy legislation. The bill joins the Delaware Online Privacy and Protection Act, which has been in effect since 2016.

Once approved by the governor, the act will go into effect on 1 January 2025.

Scope of Application

The act has lowered the consumer threshold from the common 100,000 to 35,000 consumers, which is approximately 3.43% of the state’s 1.02 million population. The bill would also apply to companies that control or process the personal data of at least 10,000 consumers and derive more than 20% of their gross revenue from the sale of personal data.

Nonprofits

Delaware’s privacy act, similarly to the laws in Colorado and Oregon, also applies to nonprofits. The only exceptions are for nonprofit organizations that are “dedicated exclusively to preventing and addressing insurance crime” and for personal data related to victims or witnesses of certain crimes collected by nonprofits that provide services to these individuals.

Consumer Rights

The act would align with the previous 11 US state privacy laws, granting consumers rights such as the right to confirm and access their personal data, correct inaccuracies, delete their data, obtain a portable copy of their data, receive a list of the categories of third parties to which the controller has disclosed the consumer’s personal data, and opt out of targeted advertising, data sales, and profiling for automated decisions. The bill also requires controllers to recognize universal opt-out mechanisms, allowing consumers to express their preference to opt out of certain data processing activities across multiple platforms, websites, or online services.

For your convenience, we have published a comparative guide, addressing the key data subject rights in the first 10 states to enact comprehensive privacy laws, which will be soon updated with those of Oregon and Delaware as well.

Children’s Rights

The new act stipulates that a controller may process the personal data of a consumer for targeted advertising or sell the consumer’s personal data without the consumer’s consent if the controller knows or willfully disregards that the consumer is between 13 and 18 years of age. This expands the typical age range for requiring consent, which is usually 13-15 years old, as seen in similar laws in other states like California, Connecticut, Montana, and Oregon.

Enforcement

The Delaware Attorney General’s Office will enforce the bill and it does not contain a private right of action. The bill includes a 60-day right to cure that expires on 31 December 2025.

Companies providing services to consumers in the United States should evaluate their exposure to this additional data protection regulatory regime in Delaware and the rest of the relevant US states. Please feel free to contact us if you have any questions regarding this new act and its practical implications.