IDC Names Securiti a Worldwide Leader in Data Privacy

View

An Overview Delaware Personal Data Privacy Act (DPDPA) – HB 154

By Securiti Research Team
Published July 18, 2023 / Updated September 20, 2023

Listen to the content

I. Introduction

The Delaware Personal Data Privacy Act (DPDPA) – HB 154 was approved by the Delaware General Assembly on June 30, 2023, and signed into law by Governor John Carney on September 11, 2023, making Delaware the twelfth US state to have comprehensive data privacy legislation and the seventh state to pass one in 2023 only, joining Iowa, Indiana, Montana, Tennessee, Texas, and Oregon.

With some notable differences, the DPDPA closely resembles the Connecticut Data Privacy Act (CTDPA). The law shall become effective on January 1, 2025.

II. Who Needs to Comply with DPDPA

A. Material Scope

DPDPA applies to those who do business in Delaware or who produce goods or services that are targeted to Delaware citizens and who, during the preceding calendar year, did any of the following:

  • Controlled or processed the personal data of at least 35,000 customers, except those whose data was controlled or processed only to facilitate a payment transaction; and
  • Controlled or processed the personal data of at least 10,000 customers and derived more than 20% of their gross revenue from the sale of personal data.

B. Exemptions

The law exempts certain types of entities and data from its application. Following entities do not fall under the scope of the law:

  • Any government body or a political subdivision of Delaware, excluding any institution of higher education;
  • Any financial institution or affiliate of a financial institution that is subject to the Gramm Leach Bliley Act (GLBA);
  • Any nonprofit organization (NPO) dedicated exclusively to preventing and addressing insurance crime; and
  • A futures association registered under the Commodity Exchange Act or a national securities association registered under the Securities Exchange Act.

DPDPA does not apply to the following information and data:

  • Data covered under medical laws: Many forms of health information, records, data, and documents protected and covered under HIPAA or other federal or state medical/healthcare laws;
  • Personal data used for research: Identifiable private information collected, used, or shared in research conducted in accordance with applicable laws;
  • FCRA-covered data: Any personal information of consumers collected or used for consumer credit scoring and reporting to the extent the activity is authorized and regulated by the federal Fair Credit Report Act (FCRA);
  • GLBA data: Financial data subject to Title V of the federal Gramm-Leach-Bliley Act;
  • Driver data: Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994;
  • FERPA data: Personal data regulated by the federal Family Educational Rights and Privacy Act (FERPA);
  • FCA data: Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act (FCA);
  • Employment data: Personal data maintained for employment records;
  • ADA data: Personal data collected, processed, sold, or disclosed in relation to price, route, or service under the Airline Deregulation Act (ADA), to the extent the provisions of DPDPA are preempted by ADA.
  • Abuse data maintained by NPOs: Personal data of a victim of or witness to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking that is collected, processed, or maintained by an NPO that provides services to such a victim or witness.

III. Definitions of Key Terms

A. Biometric Data

Any data generated by automatic measurements of an individual’s unique biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that can be used to identify a specific individual. Biometric data does not include any of the following:

  • A digital or physical photograph.
  • An audio or video recording.
  • Any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.

B. Consumer

An individual who is a resident of Delaware; however, it does not include an individual acting in a commercial or employment capacity or who holds one of the positions of owner, director, officer, or contractor for a company, partnership, sole proprietorship, nonprofit organization, or government agency and whose interactions with the controller take place solely in connection with those roles.

A clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. Consent may include a written statement, including by electronic means, or any other unambiguous affirmative action; however, it does not include any of the following:

  • Acceptance of general or broad terms of use or similar document containing descriptions of personal data processing and other unrelated information.
  • Hovering over, muting, pausing, or closing a given piece of content.
  • Agreement obtained through the use of dark patterns.

D. Dark Pattern

Dark Pattern means any of the following:

  • A user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.
  • Any other practice the Federal Trade Commission refers to as a dark pattern.

E. Personal Data

Any information linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information.

F. Sensitive Data

Any personal data that includes any of the following:

  • Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, citizenship status, or immigration status.
  • Genetic or biometric data.
  • Personal data of a known child.
  • Precise geolocation data.

IV. Obligations for Organizations Under DPDPA

A. Data Minimization and Purpose Limitation

Controllers must maintain transparency in their data collection practices and only collect personal data that is adequate, relevant, and reasonably necessary for the processing purposes notified to the consumer.

Except as otherwise permitted by DPDPA, the controller must not, without the consumer’s consent, process personal data for any purposes that are neither reasonably necessary nor consistent with the initially declared purposes.

To comply with DPDPA requirements regarding acquiring parental consent with respect to a child consumer, controllers and processors must comply with the verified parental consent standards of COPPA.

Controllers and processors must not process consumers’ sensitive data without obtaining their consent or, when processing sensitive data concerning a known child, without obtaining the child's parent or legal guardian's consent.

Additionally, consumers must be provided with a method by which they can withdraw their consent in a similar manner as the method they originally used, and upon such withdrawal, the controllers stop processing the data as soon as is reasonably possible but no later than 15 days after receiving the request.

C. Privacy Notice Requirements

Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes all of the following:

  • The categories of personal data that the controller processes;
  • The reason why personal data is processed;
  • How consumers can exercise their rights as consumers, including how to appeal a controller's decision about a consumer's request;
  • The types of personal information that the controller exchanges with third parties, if any;
  • The types of third parties with whom the controller shares personal data, if any;
  • A working email address or other online contact method that the consumer may use to contact the controller.

A controller must establish and describe in the privacy notice one or more secure and reliable means for consumers to submit a request to exercise their consumer rights. These methods must consider how consumers often communicate with the controller, the requirement for secure and dependable transmission of such requests, and the controller's capacity to confirm the consumer's identification.

Controllers must provide a prominent link on the organization’s website that directs users to a page on another website where they can choose not to receive targeted advertisements or have their personal information sold.

D. Opt-out Requirements

Controllers must enable consumers to opt-out of any processing of their personal data for the purpose of targeted advertising or any sale of their personal data by sending an opt-out preference signal to the controller with their consent via a platform, technology, or mechanism indicating their desire to refuse any such processing or sale. However, this requirement shall come into force no later than one year after the DPDPA's effective date. Such a platform, technology, or mechanism must:

  • Not disadvantage another controller unfairly;
  • Refrain from using default settings and instead demand that users explicitly, freely, and unambiguously opt-out of having their personal data processed;
  • Be user-friendly and simple to use by average consumers;
  • Be as compliant with any other comparable platform, technology, or mechanism mandated by any federal or state law or regulation as is practicable;
  • Enable the controller to determine, in a reasonable amount of time, whether the consumer is a Delaware resident and has made a valid request to opt-out of any sales of their personal data or targeted advertising.

E. Security Requirements

Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue.

F. Non-Discrimination Requirements

Controllers must not process personal data violating Delaware laws and federal laws prohibiting unlawful discrimination. Additionally, controllers must not discriminate against a consumer for exercising any of their rights, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services.

G. Targeted Advertising Requirements

In situations where a controller has actual knowledge or willfully disregards the fact that the consumer is at least thirteen years of age but younger than eighteen years of age, the controller must not process the personal data of a consumer for the purposes of targeted advertising or sell the consumer's personal data without the consumer's consent.

If a controller sells personal data to third parties or utilizes personal data for targeted advertising, it must disclose this processing to consumers clearly and noticeably, together with how they can exercise their right to object to the processing.

H. Data Protection Assessment

Data protection assessments must be conducted and documented regularly for each of the controller's processing activities that present a heightened risk of harm to a consumer. This requirement applies to controllers that control or process the data of at least 100,000 consumers, excluding data controlled or processed solely to complete a payment transaction. Processing activities that put consumers at heightened risk of harm include:

  • The processing of personal data for the purposes of targeted advertising.
  • The sale of personal data.
  • The processing of personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of any of the following:
    • Unfair or deceptive treatment of, or unlawful disparate impact on, consumers.
    • Financial, physical, or reputational injury to consumers.
    • A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person.
    • Other substantial injury to consumers.
  • The processing of sensitive data.

Data protection assessments must determine and compare the potential risks to the consumer's rights associated with the processing, as mitigated by safeguards that the controller can use to mitigate those risks, to the benefits that may result, directly or indirectly, to the controller, the consumer, other stakeholders, and the public. Any such data protection assessment by the controller must consider the context of the processing, the relationship between the controller and the consumer whose personal data will be processed, the use of de-identified data, and consumers' reasonable expectations.

The Attorney General may require that a controller disclose any data protection assessment that is relevant to an investigation conducted by the Attorney General, and the controller must make the data protection assessment available to the Attorney General. A controller must also conduct a data protection assessment that is reasonably equivalent in scope and impact to a previous data protection assessment. Data protection assessment requirements are not retroactive and must be performed for processing activities established or generated on or after the six-month mark after the DPDPA's effective date. A data protection evaluation is private and cannot be disclosed.

I. Disclosure of Pseudonymous or De-identified Data

While disclosing pseudonymous data or de-identified data, controllers must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and must take appropriate steps to address any breaches of those contractual commitments. The determination of the reasonableness of such oversight and the appropriateness of contractual enforcement must take into account whether the disclosed data includes data that would be sensitive data if it were re-identified.

V. Data Processor Responsibilities

A. Assistance to Controller

A processor must follow a controller's instructions to assist the controller in carrying out its obligations. The processor's role in supporting the controller is to:

  • Enable the controller to respond to consumer requests using techniques that, to the degree practically possible, make use of appropriate technological and organizational measures, taking into account how the processor processes personal data and the information at its disposal;
  • Implement reasonable administrative, technical, and physical security measures, considering how the processor utilizes the data and information at its disposal to protect the security and privacy of the personal data it processes;
  • Provide the controller with the necessary data to conduct and document data protection assessments.

B. Processing Under Contract

The processor and the controller must enter into a contract before the processor can process personal data on the controller's behalf. The contract must:

  • Be legitimate and enforceable against both parties;
  • Clearly specify the types of data that will be processed, how the processing will be carried out, its nature, and duration;
  • Clearly explain each party's responsibilities and rights;
  • Ensure that each stakeholder handling personal data is committed to ensuring its confidentiality;
  • Require that the processor deletes the personal data or return it to the controller upon request from the controller or completion of the services, unless the processor is required by law to keep the data;
  • Require the processor to disclose all information necessary for the controller to confirm that the processor has complied with all of its duties available to the controller upon request from the controller;
  • Require the processor to enter into a subcontract with a person they engage to assist with processing personal data on their behalf, and the subcontract must include a clause requiring the subcontractor to uphold the processor's duties under the processor's contract with the controller; and
  • Enable the assessment of the processor's policies and organizational and technical measures for complying with its obligations by the controller, the controller's designee, or a qualified and independent person the processor engages in accordance with an appropriate and accepted control standard, framework or procedure. Require the processor to cooperate with the assessment and report the assessment results to the controller upon the controller's request.

VI. Data Subject Rights

A. Right to Confirm

Consumers have the right to confirm whether a controller is processing the consumer’s personal data and the right to access such personal data unless such confirmation or access would require the controller to reveal a trade secret.

B. Right to Correct

Consumers have the right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of processing the consumer’s personal data.

C. Right to Delete

Consumers have the right to delete personal data provided by, or obtained about, the consumer.

D. Right to Obtain a Copy

Consumers have the right to obtain a copy of their personal data processed by the controller in a portable and, to the extent technically possible, easily usable format that enables them to transmit the data to another controller without difficulty if the processing is carried out by automated means.

E. Right to Know

Consumers have the right to obtain a list of the categories of third parties to which the controller has disclosed their personal data.

F. Right to Opt-Out

Consumers have the right to opt-out of the processing of personal data for any of the following purposes:

  • Targeted advertising.
  • The sale of personal data.
  • Profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

How can consumers exercise their rights:

Consumers can exercise their rights through a safe and reliable method that the controller has created and made clear to the consumer in the controller's privacy notice. A consumer can designate an authorized agent to exercise their right to object to processing their personal data. If a known child's personal data is being processed, the parent or legal guardian may exercise the consumer's rights on the child's behalf. The consumer's guardian or conservator may exercise these rights on the consumer's behalf when processing personal data on a consumer who is under guardianship, conservatorship, or other protective arrangement.

A consumer may designate an authorized agent to act on the consumer’s behalf to opt-out of processing such consumer’s personal data. The consumer may designate such authorized agent by way of, among other things, a platform, technology, or mechanism, including an Internet link or a browser setting, browser extension, or global device setting, indicating such consumer’s intent to opt out of such processing. Platforms, technologies, or other mechanisms may serve as agents to communicate the consumer's decision to opt-out.

Controller’s response to data subject rights:

The controller must respond to a consumer’s request without undue delay but not later than 45 days after receiving the request. When it is deemed reasonable given the complexity and volume of the consumer's requests, the controller may extend the response period by an additional 45 days, as long as they notify the consumer of any such extension within the initial 45-day response period and explain the justification for it.

When a controller does not respond to a consumer's request, the controller is required to give the consumer notice of the reason(s) for the refusal to act as well as information on how to appeal the decision without undue delay, but no later than 45 days after receiving the request.

A controller must provide information in response to a consumer request free of charge once per consumer during any 12-month period. However, if a request from the consumer is clearly unjustified, excessive, or recurrent, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request, or the controller may choose not to act on the request. However, the controller bears the burden of proving the request's manifestly unfounded, excessive, or repetitive nature.

A controller is not required to comply with a consumer request submitted if the controller cannot authenticate the request using commercially reasonable efforts. Instead, the controller may request that the consumer provide any additional information reasonably required to authenticate the consumer and the consumer's request.

A controller is not required to authenticate an opt-out request; however, a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that such a request is fraudulent. In such a case, the controller must notify the person who made such a request, disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent, and that such controller shall not comply with such request.

Lastly, a controller must comply with an opt-out request made by an authorized agent if the controller can confirm the consumer's identity and the authorized agency's legitimacy to act on the consumer's behalf using commercially reasonable efforts.

Appeal process:

A controller must establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision. The appeal process must be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section.

A controller must give the consumer written notice of all actions taken or not done in response to an appeal within 60 days of receiving the appeal. This notice must include a written explanation of the decisions. If the appeal is turned down, the controller must provide the consumer access to an online complaint form, if one is available, or another way to contact the Department of Justice.

VII. Limitations

The obligations imposed under DPDPA do not restrict a controller’s or a processor's ability to:

  • Comply with federal, state, or local laws, rules, or regulations;
  • Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
  • Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations;
  • Investigate, establish, exercise, prepare for, or defend legal claims;
  • Provide a product/service specifically requested by a consumer, perform a contract, fulfill the terms of a written warranty, or take steps at the request of the consumer before entering into a contract;
  • Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another natural person;
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activity, or illegal activity;
  • Engage in public or peer-reviewed scientific research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board that determines:
    • whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller,
    • the expected benefits of the research outweigh the privacy risks, and
    • whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification; and
  • Assist another controller, processor, or third party with their obligations under DPDPA.

Nothing under DPDPA may restrict a controller or processor's ability to collect, use, or retain data, for internal use only, to do any of the following:

  • Conduct internal research to develop, improve, or repair products, services, or technology;
  • Effectuate a product recall;
  • Identify and repair technical errors that impair existing or intended functionality; or
  • Perform internal operations that are reasonably aligned with the consumer's expectations or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.

Similarly, any obligations placed on a controller or a processor under DPDPA do not apply if compliance by the controller or processor would violate an evidentiary privilege under Delaware laws or adversely affect the rights or freedoms of a person.

VIII. Regulatory Authority

The Department of Justice (DOJ) has enforcement authority over DPDPA and may investigate and prosecute violations.

IX. Penalties for Non-Compliance

Any violation of the provisions of the law is an unlawful practice within the meanings of section 2513 of Chapter 25 of Title 6 of the Delaware Code. However, before initiating any action for a violation of DPDPA’s provisions, the DOJ shall issue a notice of violation to the controller during the period starting on the effective date of DPDPA and ending on December 31, 2025, if the DOJ determines that a cure is possible. The DOJ may bring an enforcement action if the controller doesn't correct the violation within 60 days of receiving the notice of violation.

Beginning on January 1, 2026, the DOJ may take into account all of the following when deciding whether to give a controller or processor an opportunity to correct an alleged violation of any clause:

  • The number of violations.
  • The size and complexity of the controller or processor.
  • The nature and extent of the controller’s or processor’s processing activities.
  • The substantial likelihood of injury to the public.
  • The safety of persons or property.
  • Whether such alleged violation was likely caused by human or technical error.
  • The extent to which the controller or processor has violated this or similar laws in the past.

X. How an Organization Can Operationalize DPDPA

Organizations can operationalize the HB 154 – Delaware Personal Data Privacy Act (DPDPA) by:

  • Establishing clearly defined policies and procedures for processing data in compliance with DPDPA’s provisions;
  • Developing clear and accessible understandable privacy notices that comply with DPDPA’s requirements;
  • Obtaining explicit consent from consumers before processing their sensitive personal data;
  • Developing a robust framework for receiving and processing data requests, complaints, and appeals from consumers; and
  • Train employees who handle the consumers’ data on the organization's policies and procedures, as well as the requirements of the DPDPA.

XI. How Can Securiti Help

Securiti’s Unified Data Controls framework enables organizations to comply with HB 154 – Delaware Personal Data Privacy Act (DPDPA) by securing the organization’s data and enabling organizations to maximize data value and fulfilling an organization’s obligations around data security, data privacy, data governance, and compliance.

Organizations can overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling organizations to swiftly comply with privacy, security, governance, and compliance requirements.

Request a demo to learn more.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox

Share


More Stories that May Interest You

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.

Newsletter



Gartner Cool Vendor Award Forrester Badge IAPP Innovation award 2020 IDC Worldwide Leader RSAC Leader CBInsights Forbes Security Forbes Machine Learning G2 Users Most Likely To Recommend