Delaware Makes a Dozen
On September 11th, 2023, Governor John Carney signed into law the Delaware Personal Data Privacy Act (DPDPA), making Delaware the twelfth state with a comprehensive data privacy law. The DPDPA will go into effect on January 1st, 2025. The DPDPA will impose obligations upon entities that control or process the personal data of (1) at least 35,000 Delaware residents (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or (2) at least 10,000 Delaware residents if the entity derives more than 20% of its gross revenue from the sale of personal data.
Like many other state comprehensive data privacy laws, the DPDPA provides Delaware residents with rights to know/access, correct, delete, obtain a portable copy of their personal data, and to opt-out of certain personal data processing. The DPDPA also gives Delaware residents the right to obtain a list of categories of third parties to which an entity has disclosed the consumer’s personal data. Unlike many other state comprehensive data privacy laws, the DPDPA does not contain an entity level exemption for specified types of nonprofits or for HIPAA covered entities and business associates. The DPDPA also affords certain privacy protections to the data of minors up to the age of 18, rather than 13 or 16, the age of protection for many other state comprehensive data privacy laws.
To read about other state comprehensive data privacy laws and what your organization can do to begin its compliance journey, check out our blog available here.
Maddie Level, Associate Attorney