A New Domicile for Comprehensive Privacy in Delaware
On June 30, 2023, in the final hours of the Delaware legislative session, lawmakers in Dover passed House Bill 154, the Delaware Personal Data Privacy Act (“DPDPA”). If enacted by Governor Carney, the DPDPA will take effect on January 1, 2025. It follows the general model established by the Connecticut Data Privacy Act (CTDPA), with some notable differences. Delaware will become the twelfth U.S. state to adopt a comprehensive data privacy law governing the collection, use, and transfer of personal data.
1. Broad Scope
The DPDPA establishes the lowest primary coverage threshold of any state comprehensive privacy law passed so far, applying to organizations that control or process the data of at least 35,000 Delaware residents annually. Typically, state-level comprehensive privacy laws cover organizations that control or process the data of at least 100,000 state citizens each year. The DPDPA’s scope was likely tailored to fit Delaware’s small size and population: by land area Delaware is smaller than any other U.S. state save Rhode Island, and has one of the lowest populations in the country, estimated by U.S. Census data at 1.018 million in 2022.
The Act exempts specific data that is already subject to existing laws, including data covered by the Health Insurance Portability and Accountability Act (HIPAA) and the Fair Credit Reporting Act (FCRA), while broadly carving out entities covered by the Gramm-Leach-Bliley Act (GLBA). However, the DPDPA diverges from most other state-level comprehensive privacy laws by not broadly exempting nonprofits or higher education institutions.
2. Timely Sensitive Data Categories
The DPDPA establishes a category of “sensitive” personal information that is subject to greater protections, which includes categories such as “[d]ata revealing racial or ethnic origin,” “religious beliefs,” and “[p]recise geolocation data.” However, the DPDPA expands this list beyond that seen in many other states, adding “status as transgender or nonbinary,” which is also recognized as a sensitive information category in Oregon’s recently passed comprehensive privacy law, and “mental or physical health condition or diagnosis (including pregnancy).”
Although all currently enacted comprehensive privacy laws recognize some version of “mental or physical health condition or diagnosis” as sensitive, the DPDPA is the first state-level comprehensive privacy law to explicitly include pregnancy as a category of sensitive data. The recently passed Connecticut Senate Bill 3 (SB 3), which partially updates the CTDPA, also specifically classifies data related to pregnancy and reproductive health as sensitive. Both SB 3 and the DPDPA likely reflect lawmakers’ focus on the privacy of reproductive health and pregnancy data in the wake of the Supreme Court’s overturning of Roe v. Wade.
3. Protections for Teens
The DPDPA forbids covered entities from selling, or processing for targeted advertising purposes, the data of consumers that the controller knows, or willfully disregards, are between the ages of 13 and 17 without consent. This prohibition goes further than similarly structured prohibitions in California, Connecticut, and Montana, which restrict the sale and processing of the data of consumers between the ages of 13 and 15. The DPDPA’s broader coverage of teens’ data reflects the ongoing attention to youth privacy that has permeated state legislatures this session. While this is the first time a state-level comprehensive privacy law has structured its protections to cover teens up to the age of 17 (although CT SB 3 creates similar protections for 13- to 17-year-olds), child-directed privacy and online safety laws, including the California Age-Appropriate Design Code and Utah Senate Bill 152, have increasingly applied to the data and activity of teenagers up to age 17.
4. Expanded Rights to Access and Delete
In line with other comprehensive privacy laws, the DPDPA grants consumers the right to require controllers to delete their personal data. Unlike comparable laws, however, the DPDPA requires controllers to delete data obtained about a person from a third-party source (such as a data broker), retaining only “a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the controller’s records,” which they may not use for any other purpose. In contrast, other state privacy laws typically permit controllers to retain data obtained about a person from third-party sources so long as they opt that person out of the processing of their personal data for all non-exempt purposes. The DPDPA also creates a unique affirmative right to “obtain a list of the categories of third parties to whom the controller has disclosed the consumer’s personal data.”
5. Unique Treatment of Nonprofits
Delaware joins Colorado and Oregon in not generally carving out nonprofit organizations in its scope. Like Oregon, however, the Delaware law carves out nonprofits that combat insurance fraud. The DPDPA also creates a novel data-level exemption for the “[p]ersonal data of a victim of or witness to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking that is collected, processed, or maintained by a nonprofit organization that provides services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking.”
6. UOOM Uncertainty
The DPDPA would be the seventh comprehensive state privacy law to permit consumers to exercise certain rights on a default basis through what is commonly known as a “Universal Opt-Out Mechanism” (UOOM), joining California, Colorado, Connecticut, Montana, Texas, and Oregon. The UOOMs currently in use often take the form of a browser extension that automatically sends a signal to each web page the consumer visits while the extension is enabled, notifying the site that the consumer wishes to exercise a particular consumer right.
The DPDPA establishes that consumers have the right to opt out of the processing of their personal information for three purposes: targeted advertising, data sales, and profiling in furtherance of automated decisions that have a significant impact on the consumer. Drafting ambiguities make it unclear whether the DPDPA permits opting out of profiling via device signals, which would be a first for a state comprehensive privacy law. The DPDPA does not provide for rulemaking.