The Delaware Personal Data Privacy Act (DPDPA) – HB 154 was approved by the Delaware General Assembly on June 30, 2023, and signed into law by Governor John Carney on September 11, 2023, making Delaware the twelfth US state with comprehensive data privacy legislation and the seventh state to pass one in 2023 alone, joining Iowa, Indiana, Montana, Tennessee, Texas, and Oregon.
With some notable differences, the DPDPA closely resembles the Connecticut Data Privacy Act (CTDPA). The law takes effect on January 1, 2025.
DPDPA applies to those who do business in Delaware or who produce goods or services that are targeted to Delaware citizens and who, during the preceding calendar year, did any of the following:
The law exempts certain types of entities and data from its application. The following entities do not fall under the scope of the law:
DPDPA does not apply to the following information and data:
Any data generated by automatic measurements of an individual’s unique biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that can be used to identify a specific individual. Biometric data does not include any of the following:
An individual who is a resident of Delaware; however, it does not include an individual acting in a commercial or employment capacity or who holds one of the positions of owner, director, officer, or contractor for a company, partnership, sole proprietorship, nonprofit organization, or government agency and whose interactions with the controller take place solely in connection with those roles.
A clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. Consent may include a written statement, including by electronic means, or any other unambiguous affirmative action; however, it does not include any of the following:
Dark Pattern means any of the following:
Any information linked or reasonably linkable to an identified or identifiable individual; it does not include de-identified data or publicly available information.
Any personal data that includes any of the following:
Controllers must maintain transparency in their data collection practices and only collect personal data that is adequate, relevant, and reasonably necessary for the processing purposes notified to the consumer.
Except as otherwise permitted by DPDPA, the controller must not, without the consumer’s consent, process personal data for any purposes that are neither reasonably necessary nor consistent with the initially declared purposes.
To comply with DPDPA requirements regarding acquiring parental consent with respect to a child consumer, controllers and processors must comply with the verified parental consent standards of COPPA.
Controllers and processors must not process consumers’ sensitive data without obtaining their consent or, when processing sensitive data concerning a known child, without obtaining the child's parent or legal guardian's consent.
Additionally, consumers must be provided with a method to withdraw their consent that is similar to the method they originally used to give it, and upon such withdrawal, the controller must stop processing the data as soon as reasonably possible but no later than 15 days after receiving the request.
Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes all of the following:
A controller must establish, and describe in the privacy notice, one or more secure and reliable means for consumers to submit a request to exercise their consumer rights. These methods must take into account how consumers normally interact with the controller, the need for secure and reliable transmission of such requests, and the controller's ability to verify the consumer's identity.
Controllers must provide a prominent link on the organization’s website that directs users to a page on another website where they can choose not to receive targeted advertisements or have their personal information sold.
Controllers must enable consumers to opt out of any processing of their personal data for targeted advertising, or any sale of their personal data, by sending an opt-out preference signal to the controller via a platform, technology, or mechanism that indicates, with the consumer's consent, their wish to refuse such processing or sale. This requirement comes into force no later than one year after the DPDPA's effective date. Such a platform, technology, or mechanism must:
Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue.
Controllers must not process personal data in violation of Delaware laws and federal laws prohibiting unlawful discrimination. Additionally, controllers must not discriminate against a consumer for exercising any of their rights, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services.
In situations where a controller has actual knowledge or willfully disregards the fact that the consumer is at least thirteen years of age but younger than eighteen years of age, the controller must not process the personal data of a consumer for the purposes of targeted advertising or sell the consumer's personal data without the consumer's consent.
If a controller sells personal data to third parties or utilizes personal data for targeted advertising, it must disclose this processing to consumers clearly and noticeably, together with how they can exercise their right to object to the processing.
Data protection assessments must be conducted and documented regularly for each of the controller's processing activities that present a heightened risk of harm to a consumer. This requirement applies to controllers that control or process the data of at least 100,000 consumers, excluding data controlled or processed solely to complete a payment transaction. Processing activities that put consumers at heightened risk of harm include:
Data protection assessments must determine and compare the potential risks to the consumer's rights associated with the processing, as mitigated by safeguards that the controller can use to mitigate those risks, to the benefits that may result, directly or indirectly, to the controller, the consumer, other stakeholders, and the public. Any such data protection assessment by the controller must consider the context of the processing, the relationship between the controller and the consumer whose personal data will be processed, the use of de-identified data, and consumers' reasonable expectations.
The Attorney General may require a controller to disclose any data protection assessment relevant to an investigation conducted by the Attorney General, and the controller must make the data protection assessment available to the Attorney General. A controller must also conduct a data protection assessment that is reasonably equivalent in scope and impact to a previous data protection assessment. Data protection assessment requirements are not retroactive and apply only to processing activities established or generated on or after the six-month mark following the DPDPA's effective date. A data protection assessment is confidential and not subject to public disclosure.
When disclosing pseudonymous data or de-identified data, controllers must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and must take appropriate steps to address any breaches of those contractual commitments. Whether such oversight is reasonable and such contractual enforcement is appropriate must be judged with regard to whether the disclosed data includes data that would be sensitive data if it were re-identified.
A processor must follow a controller's instructions to assist the controller in carrying out its obligations. The processor's role in supporting the controller is to:
The processor and the controller must enter into a contract before the processor can process personal data on the controller's behalf. The contract must:
Consumers have the right to confirm whether a controller is processing the consumer’s personal data and the right to access such personal data unless such confirmation or access would require the controller to reveal a trade secret.
Consumers have the right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of processing the consumer’s personal data.
Consumers have the right to delete personal data provided by, or obtained about, the consumer.
Consumers have the right to obtain a copy of their personal data processed by the controller in a portable and, to the extent technically possible, easily usable format that enables them to transmit the data to another controller without difficulty if the processing is carried out by automated means.
Consumers have the right to obtain a list of the categories of third parties to which the controller has disclosed their personal data.
Consumers have the right to opt-out of the processing of personal data for any of the following purposes:
How consumers can exercise their rights:
Consumers can exercise their rights through a secure and reliable method that the controller has established and described in its privacy notice. A consumer can designate an authorized agent to exercise their right to opt out of processing of their personal data. If a known child's personal data is being processed, the parent or legal guardian may exercise the consumer's rights on the child's behalf. Where the personal data concerns a consumer who is subject to a guardianship, conservatorship, or other protective arrangement, the consumer's guardian or conservator may exercise these rights on the consumer's behalf.
A consumer may designate an authorized agent to act on the consumer’s behalf to opt-out of processing such consumer’s personal data. The consumer may designate such authorized agent by way of, among other things, a platform, technology, or mechanism, including an Internet link or a browser setting, browser extension, or global device setting, indicating such consumer’s intent to opt out of such processing. Platforms, technologies, or other mechanisms may serve as agents to communicate the consumer's decision to opt-out.
Controller’s response to data subject rights:
The controller must respond to a consumer's request without undue delay, but no later than 45 days after receiving the request. Where reasonably necessary given the complexity and number of the consumer's requests, the controller may extend the response period by an additional 45 days, provided it notifies the consumer of the extension within the initial 45-day response period and explains the reason for it.
When a controller declines to act on a consumer's request, it must notify the consumer of the reason(s) for the refusal and of how to appeal the decision, without undue delay and no later than 45 days after receiving the request.
A controller must provide information in response to a consumer request free of charge once per consumer during any 12-month period. However, if a consumer's request is manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request, or may decline to act on the request. In either case, the controller bears the burden of demonstrating that the request is manifestly unfounded, excessive, or repetitive.
A controller is not required to comply with a consumer request if it cannot authenticate the request using commercially reasonable efforts. Instead, the controller may ask the consumer to provide any additional information reasonably necessary to authenticate the consumer and the request.
A controller is not required to authenticate an opt-out request; however, it may deny an opt-out request if it has a good-faith, reasonable, and documented belief that the request is fraudulent. In that case, the controller must notify the person who made the request that it believes the request is fraudulent, explain why it believes so, and state that it will not comply with the request.
Lastly, a controller must comply with an opt-out request made by an authorized agent if it can verify, using commercially reasonable efforts, the consumer's identity and the authorized agent's authority to act on the consumer's behalf.
A controller must establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision. The appeal process must be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section.
A controller must give the consumer written notice of any action taken or not taken in response to an appeal within 60 days of receiving the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the controller must provide the consumer with an online mechanism, if available, or another method through which the consumer may contact the Department of Justice to submit a complaint.
The obligations imposed under DPDPA do not restrict a controller’s or a processor's ability to:
Nothing under DPDPA may restrict a controller or processor's ability to collect, use, or retain data, for internal use only, to do any of the following:
Similarly, any obligations placed on a controller or a processor under DPDPA do not apply if compliance by the controller or processor would violate an evidentiary privilege under Delaware laws or adversely affect the rights or freedoms of a person.
The Department of Justice (DOJ) has enforcement authority over DPDPA and may investigate and prosecute violations.
Any violation of the provisions of the law is an unlawful practice within the meaning of section 2513 of Chapter 25 of Title 6 of the Delaware Code. However, during the period starting on the DPDPA's effective date and ending on December 31, 2025, before initiating any action for a violation of the DPDPA's provisions, the DOJ shall issue a notice of violation to the controller if the DOJ determines that a cure is possible. The DOJ may bring an enforcement action if the controller does not cure the violation within 60 days of receiving the notice of violation.
Beginning on January 1, 2026, the DOJ may take into account all of the following when deciding whether to give a controller or processor an opportunity to correct an alleged violation of any clause:
Organizations can operationalize the HB 154 – Delaware Personal Data Privacy Act (DPDPA) by:
Securiti’s Unified Data Controls framework enables organizations to comply with HB 154 – Delaware Personal Data Privacy Act (DPDPA) by securing the organization’s data, enabling the organization to maximize data value, and fulfilling its obligations around data security, data privacy, data governance, and compliance.
It helps organizations overcome the challenges of hyperscale data environments by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling them to comply swiftly with privacy, security, governance, and compliance requirements.