In the absence of comprehensive federal privacy legislation, state law makers throughout the nation are enacting privacy laws, and Delaware is the latest to join the race. Following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, and Oregon,[A1] Delaware’s new privacy law adds another piece (and additional enforcement resources) to the United States privacy law puzzle. These 12 laws do not include Washington’s My Health My Data Act [A2] which, while focused solely on health data, can have a significant impact on businesses.
Gov. Carney signed the Delaware Personal Data Privacy Act (DPDPA) into law on September 11, 2023 and the law takes effect on January 1, 2025. By that point all of the laws in the states listed above will be in effect, except for Indiana which does not take effect until 2026. The DPDPA will be enforced by the Delaware Department of Justice (DOJ), and expressly does not include a private right of action for individuals (and therefore class action lawyers) to sue for violations. Delaware DOJ’s Director of the Consumer Protection Unit stated that it will hire two more attorneys, a paralegal and a technologist to inform consumers and businesses and enforce the law.
Key Distinguishing Features
Lower Applicability Threshold
Unlike many other state privacy laws, the DPDPA does not have a revenue threshold. Instead, the law applies to businesses that do business in Delaware or target products or services to Delaware consumers, and either:
- control or process personal data of 35,000 or more Delaware consumers (except data controlled or processed solely to complete a payment); or
- control or process the personal data of 10,000 or more Delaware consumers and derive more than 20% of gross revenue from its sale.
The DPDPA’s thresholds are lower than other state privacy laws, so more businesses will fall within its scope.
Raising Sale Restriction Age to 18
The DPDPA prohibits selling personal data without consent where the data controller has knowledge (or willfully disregards) that the consumer is under 18. Where the consumer is above 13, the consumer can consent to the sale of his or her personal data. With this prohibition on the sale of personal data of minors under 18, Delaware has the highest age for privacy protections for the sale of personal data of minors 18 and under.
Discretionary Cure Period
The law provides for a discretionary cure period, under which the DOJ can determine whether a cure is possible. In those circumstances, the DOJ will issue a notice of violation, after which the controller will have 60 days to cure. If the controller fails to cure, the DOJ may bring an enforcement proceeding. In determining whether to allow a cure period, the DOJ may consider
- the number of violations;
- the size and complexity of the controller or processor;
- the nature and extent of the processing activities;
- the substantial likelihood of injury to the public;
- the safety of persons or property;
- whether the alleged violation was likely caused by human or technical error; and
- the extent to which the accused entity has violated the DPDPA or similar laws in the past.
This is the most unique approach to date regarding cure periods. Some states, notably California, have no cure period at all while others have periods of 30 or 60 days to rectify any violations of their laws before potential liability attaches.
The Bottom Line
- While Delaware does not have as many users as bigger states, the disconnects between the various state laws continue.
- There are now 12 states with comprehensive privacy laws, with more on the way.
- Without federal legislation, this patchwork of state privacy laws is quickly becoming the standard in the United States.