Delaware Personal Data Privacy Act
The Delaware Personal Data Privacy Act (DPDPA) marks Delaware’s entry into the evolving landscape of state privacy legislation in the United States. Effective September 11, 2023, the DPDPA establishes comprehensive guidelines for the collection, processing, and use of personal information by businesses operating in the state.
Which businesses need to comply with the DPDPA?
The DPDPA applies to companies that either do business in Delaware or offer products and services to Delaware residents. Specifically, it applies to those that handle the personal data of at least 35,000 consumers or those that handle the personal data of at least 10,000 consumers and engage in the sale of personal data as a significant part of their revenue (more than 20 percent). Notably, the Act doesn’t calculate applicability based on a company’s annual revenue, unlike some other state privacy laws.
What is the DPDPA about?
- Consumer Rights: The DPDPA empowers consumers with rights similar to those found in other state privacy laws, including the right to access, correct, and delete their personal data, and to opt out of its sale or processing for targeted advertising and profiling.
- Sensitive data: Much emphasis is placed on “sensitive data,” which includes a wide range of information, from genetic and biometric data to the personal data of children under the age of thirteen. Companies are required to obtain valid consent before processing such data.
- Data Protection Assessments: For activities that pose a heightened risk to consumer privacy, companies are required to conduct and document data protection assessments that weigh the benefits of the processing against the potential harm to consumers.
Impact on Businesses
Undeniably, the DPDPA introduces numerous challenges for organizations, particularly those dealing with vast amounts of customer data daily. Businesses must implement robust data protection measures, ensure transparency in data practices, and respect consumer rights. Failure to comply can result in severe penalties. Businesses must assess their data handling processes, update privacy policies, and train employees to comply with the requirements of the DPDPA.