Delaware follows Oregon as the latest state to sign a comprehensive privacy law. Read all about what your business needs to do to comply with the Delaware Personal Data Privacy Act (DPDPA), and how Ethyca can help automate privacy compliance.
Delaware is the thirteenth U.S. state to sign a comprehensive consumer data privacy bill into law. The Delaware Personal Data Privacy Act (DPDPA) was signed into law on September 11, 2023, and will go into effect on January 1, 2025.
Also known as HB 154, DPDPA will give residents more control over their personal data and set parameters for businesses collecting and processing Delawareans’ personal data. The Department of Justice will also launch a six-month public outreach period on July 1, 2024 to notify consumers of their rights and businesses of their obligations.
This blog post will give you a head start on learning what privacy rights Delaware consumers have and what other regulatory requirements businesses need to fulfill. Learn everything you need to know and do to comply with consumer privacy in The First State here.
Businesses are subject to Delaware’s privacy law if they operate in Delaware or target products or services to Delaware consumers, and either:
One of the unique differences in Delaware’s privacy law is its standards for applicability. Of all U.S. consumer privacy laws, Delaware has the lowest applicability thresholds.
In most state privacy laws, businesses can collect the personal data of up to 100,000 consumers before being subject to the consumer privacy law. DPDPA significantly lowers this number, which is why it’s considered the most consumer-friendly privacy law to date.
To determine whether your business is subject to Delaware’s privacy law, confirm whether or not it satisfies the applicability standards above.
Once you’ve confirmed that your business is subject to Delaware’s privacy law, you’ll need to know what privacy rights and consent rights Delawareans can exercise. It’s also important to understand how DPDPA is enforced so you can protect your business against regulatory risks.
This section will cover all of these topics in more detail.
The Delaware Personal Data Privacy Act grants Delaware consumers data subject rights, or the ability to control how companies can collect, process, and disclose their personal data.
Consumers can submit what are called data subject requests (DSRs) or privacy requests to exercise their data privacy rights. These rights include:
Delaware consumers also have the additional right to obtain a list of the categories of third parties a business has shared their personal data with. However, as with most U.S. privacy laws, Delawareans do not have a private right of action, meaning they cannot directly sue a company over privacy violations.
Delaware residents also have specific opt-out and opt-in consent rights that businesses must allow consumers to choose from.
Consumers in Delaware have the right to opt out of the processing of personal data for:
DPDPA also requires companies to recognize Universal Opt-Out Signals to process users’ consent preferences. Luckily, Ethyca can enable your website to easily start detecting universal Opt-Out Signals, including Global Privacy Control (GPC).
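As an added illustration (not Ethyca’s or Fides’ own code) of what recognizing a universal opt-out signal means in practice, the following resolves a consumer’s effective opt-out preferences from a request. It assumes the signal arrives as the `Sec-GPC: 1` request header defined by the W3C Global Privacy Control draft, and that the signal covers only the sale and targeted-advertising categories; the category labels are constructed for the example.

```python
# Added example, not Ethyca's or Fides' own code: resolve a Delaware consumer's
# effective opt-out preferences, honouring a Global Privacy Control (GPC) signal.
# Assumptions: GPC arrives as the "Sec-GPC: 1" request header (W3C GPC draft),
# and the universal opt-out signal covers sale and targeted advertising only.

# Opt-out categories used here (constructed labels, not statutory text)
TARGETED_ADS = "targeted_advertising"
SALE = "sale"
PROFILING = "profiling"
CATEGORIES = (TARGETED_ADS, SALE, PROFILING)

# Categories an opt-out preference signal is assumed to switch off
GPC_CATEGORIES = (TARGETED_ADS, SALE)


def gpc_enabled(headers: dict) -> bool:
    """True only when the request carries Sec-GPC with the exact value '1'.

    Header names are matched case-insensitively; any other value (including
    '0' or an absent header) is treated as no signal.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value == "1"
    return False


def resolve_opt_outs(headers: dict, stored: dict) -> dict:
    """Combine stored website choices with the GPC signal for one request.

    `stored` maps category -> True when the consumer opted out on the site.
    Returns category -> {"opted_out": bool, "source": str}; the source tells
    an auditor whether the decision came from a stored choice, the GPC
    signal, or a default of no opt-out. A signal only ever adds opt-outs;
    it never overrides a broader choice the consumer already recorded.
    """
    signal = gpc_enabled(headers)
    result = {}
    for category in CATEGORIES:
        if stored.get(category, False):
            result[category] = {"opted_out": True, "source": "stored_choice"}
        elif signal and category in GPC_CATEGORIES:
            result[category] = {"opted_out": True, "source": "gpc_signal"}
        else:
            result[category] = {"opted_out": False, "source": "default"}
    return result
```

Recording the `source` alongside each decision gives the paper trail a regulator would ask for when checking that signals were honoured.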
For opt-in consent, Delaware consumers have the right to opt into the processing of their sensitive data, which is defined as personal data that includes:
Businesses must also enable consumers to revoke consent on their websites in a way that is as easy as giving consent. Be sure to explain how users can exercise their opt-out and opt-in rights on your website’s Privacy Notice.
Companies must respond to consumers’ privacy requests within 45 days and may extend that deadline by an additional 45 days if necessary. The Department of Justice (DOJ) has the authority to enforce DPDPA over businesses subject to the law, and can initiate an investigation or prosecute violations.
If sent a notice of violation, businesses have a 60-day cure period to correct infractions. The law does not specify a civil penalty amount. However, once the cure period sunsets on December 31, 2025, the DOJ will determine whether or not businesses will have an opportunity to correct alleged violations.
Now that you know what consumer rights and consent rights Delawareans have, as well as the consequences of privacy violations, let’s go over the additional business obligations required under DPDPA.
Delaware’s privacy law states that businesses must only collect consumers’ personal data that is “adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed.” That means businesses are not allowed to collect data for purposes that are not specified in their online Privacy Notice.
This practice is called data minimization. Data minimization is not simply collecting less data. Rather, it forces businesses to be more intentional about the data they collect. By collecting only the necessary data your organization needs, it will reduce the risk of potential data misuse.
DPDPA also says that businesses may not process personal data for “purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed.” That means businesses also may not process consumers’ personal data in a way that is not specified in the Privacy Notice, without prior consent. This is called purpose limitation and serves a similar function as data minimization.
To comply with DPDPA, be sure to identify what data your business needs to collect and process, for what necessary business purpose, and make sure it’s stated clearly on your website’s Privacy Notice.
Delaware’s privacy law also mandates that businesses must publish a “reasonably accessible, clear, and meaningful” Privacy Notice on their websites. Privacy Notices must include:
Work with your legal team to ensure that all of the necessary information required under DPDPA is included in your business’ Privacy Notice.
DPDPA requires businesses to enter into data processing contracts with processors, meaning entities that “process personal data on behalf of a controller.”
This contract should legally obligate the processor to follow the instructions of the controller and meet its business obligations. These obligations include helping the controller fulfill consumers’ privacy requests and perform data protection assessments.
Data processing contracts should also govern the processors’ data processing practices, including the nature and purpose of processing, the type of data subject to processing, and the duration of processing.
If your business works with processors, be sure to enter into a legally binding data processing contract with each of them, and ensure it meets DPDPA’s requirements.
Under Delaware’s privacy law, only businesses that process the personal data of more than 100,000 consumers, excluding processing solely for the purpose of completing a transaction, must perform a data protection assessment (DPA). This is different from other privacy laws, which require data protection assessments from any business that is subject to the law.
Businesses must assess the data processing activities that could present an increased risk of harm to consumers, including:
DPAs are meant to help businesses carefully weigh the benefits and risks of all of their processing activities for the consumer, the business itself, and other stakeholders. That way, they can determine which safeguards are necessary to protect against these potential harms.
The Attorney General has the authority to request a DPA at any time to assess a company’s compliance with DPDPA. To make sure your business is ready for Delaware regulators, work with your legal team to conduct and record DPAs appropriately.
DPDPA states that businesses processing de-identified and pseudonymous data must not try to re-identify such data. Delaware’s privacy law specifies that businesses also do not have to process data subject requests that involve de-identified data.
Ultimately, it’s up to each business to “exercise reasonable oversight” to ensure it does not misuse de-identified and pseudonymous data. If this applies to your business, make sure to take appropriate measures to monitor compliance by January 1, 2025.
Making sure your business complies with so many different privacy laws can feel overwhelming. Luckily, Ethyca’s data privacy compliance solution makes it easy. With the Fides privacy intelligence platform, your business will be able to automate privacy compliance with all U.S. privacy laws.
Read on to learn more.
With the Fides privacy intelligence platform, your business can easily manage users’ consent preferences for any privacy law.
Different state privacy laws have different consent requirements businesses must fulfill. Fides will help your business comply with all the various requirements by enabling you to set multiple opt-out links on your website footer, customize a Privacy Center on your website for easy consent intake, and set single or multiple opt-in or opt-out consent preferences for each state privacy law.
Users can easily submit their consent preferences through a Privacy Center powered by Fides on your website. With a simple and intuitive Admin UI, you’ll be able to quickly process and record users’ consent preferences for fast and easy compliance.
Although privacy regulations require businesses to fulfill privacy requests like access and erasure, this process is often costly, labor-intensive, and causes a lot of pain between legal, compliance, and engineering teams.
The Fides privacy intelligence platform streamlines this process. Your business will be able to automate DSR processing end-to-end.
First, users can submit their requests through the same Privacy Center powered by Fides on your website. Once submitted, they’ll be able to verify their identity via a code sent through SMS or email.
After the user’s identity has been verified, you can approve or deny the request in an easy-to-use Admin UI. Users will then receive an email containing a file with all their requested data in a machine-readable format, or a confirmation that their data has been deleted.
Fides will also maintain a log of the requests your business has received and processed. With this built-in paper trail of reports, you can prove to regulators that your business’ privacy practices are compliant at any time.
What makes the Fides privacy intelligence platform so powerful is its ability to connect to all internal and third-party databases and systems. Once connected, Fides will be able to produce a real-time data map, or visual, of all the data in your organization.
Unlike manual spreadsheets that are immediately out of date, Fides’ automated data map will give you an accurate inventory of all the data in your systems, i.e. what the data is and where it is stored.
In fact, connecting to all of your systems is how Fides can automate consent management and privacy requests in the first place. The Fides privacy intelligence platform will integrate privacy and compliance across your entire business. That’s the true power of Fides’ privacy intelligence.
Although Delaware shares many similarities with the other state privacy laws that have either gone into effect this year or will go into effect in the future, DPDPA has its own unique provisions businesses need to account for to be compliant.
But, with more and more U.S. privacy laws on the way, your business will need to keep tabs on all of the new privacy laws emerging at the state level.
Thankfully, you don’t have to do it alone. Ethyca is here to help your business comply with all U.S. state consumer privacy laws. If you have any questions about new or existing privacy laws, schedule a free 15-minute call to get a privacy consultation today.