On September 11, 2023, Governor John Carney signed into law House Bill 154, the Delaware Personal Data Privacy Act.  This makes Delaware the twelfth state to enact a comprehensive consumer data privacy law, following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, and Oregon. The Act will go into effect January 1, 2025.

Applicability

The Act applies to persons that conduct business in the Delaware or persons that produce products or services that are targeted to residents of the Delaware and that during the preceding calendar year did any of the following:

  1. Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
  2. Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data.

Exemptions

Exemptions include, but are not limited to:

  1. Any financial institution or affiliate of a financial institution, all as defined in 15 U.S.C. 6809, to the extent that the financial institution or affiliate is subject to Title V of the Gramm Leach Bliley Act (GLBA) and the rules and implementing regulations promulgated thereunder;
  2. Data subject to the GLBA and the rules and implementing regulations promulgated thereunder.
  3. Protected health information under the Health Insurance Portability and Accountability Act;
  4. Activities regulated by the Fair Credit Reporting Act.

Consumer Rights

Consumers have the right to:

  1. Confirm processing of their personal data and access such data;
  2. Correct inaccuracies, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.;
  3. Delete personal data provided by, or obtained about, the consumer;
  4. Obtain a copy of the consumer’s personal data processed by the controller;
  5. Obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data.
  6. Opt out of processing if for the purpose of targeted advertising, sale, or profiling.

Sensitive Personal Information

Sensitive personal data may not be processed without the consumer’s consent or, in the case of a known child, without first obtaining consent from the child’s parent or lawful guardian and otherwise complying with the Delaware Online Privacy and Protection Act, specifically Del. Code Ann. tit. 6, § 1204C.

Sensitive Data means personal data that includes any of the following:

  1. Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, citizenship status, or immigration status.
  2. Genetic or biometric data.
  3. Personal data of a known child.
  4. Precise geolocation data.

Contract Requirements

A contract between a controller and processor must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. and:

  1. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.
  2. At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.
  3. Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in this chapter.
  4. After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data.
  5. Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor.

Data Protection Assessments

A controller that controls or processes the data of not less than 100,000 consumers must conduct and document on a “regular basis” a data protection assessment for processing activities that presents a heightened risk of harm to a consumer, including:

  1. Processing for the purpose of targeted advertising;
  2. Processing for the purpose of selling personal data;
  3. Processing for the purpose of certain profiling; and
  4. Processing sensitive data.

The “100,000 consumers” threshold excludes data controlled or processed solely for the purpose of completing a payment transaction.

Enforcement

The Act does not create a private right of action.  A violation is an unlawful practice under Del. Code Ann. tit. 6, § 2513 and can solely be enforced by the Attorney General pursuant to Del. Code Ann. tit. 6, § 2522.  Provided a person cannot cure a violation within 60 days, the Attorney General may seek injunctive relief and a civil penalty of not more than $10,000 for each willful violation.  The opportunity to cure provision expires December 31, 2025.

RMAI strongly recommends that its members share this Member Alert with those in their organization who are responsible for their operations, compliance, and legal matters.

RMAI recently issued Member Alerts for the following states’ comprehensive privacy laws enacted in 2023:

Texas (June 20, 2023)

Montana (May 23, 2023)

Tennessee (May 12, 2023)

Indiana (May 1, 2023)

Oregon (July 21, 2023)

This Member Alert is intended for members of the Receivables Management Association International, is for informational purposes only, and is in no way intended to provide legal advice. Members are encouraged to consult with an attorney of their choice for legal advice concerning this matter.