Last week, Delaware became the 12th state with comprehensive privacy legislation, and its law has been touted in the state as one of the ‘strongest’ privacy laws to exist. While it does have some unique parameters and definitions, it generally aligns with many existing US privacy laws and mirrors elements of other regulations. The Delaware Personal Data Privacy Act (DPDPA) looks like Connecticut’s law for the most part, appears very consumer-friendly, and, due to the state’s size, has a lower threshold for applicability.
So how does it align with or differ from other laws? Like Colorado, the Delaware Privacy Act does not exempt non-profits; like California, it seems to enable Authorized Agents; like Connecticut, it requires assessments; and it is consistent with CPRA in requiring opt-in for sensitive data and minors.
Truyo President Dan Clarke says, “I am not sure I can say the Delaware bill is the ‘strongest,’ but is certainly rigorous and borrows some regulatory elements from other laws without new exemptions, and broad definitions.”
Following its passage on June 30th, the DPDPA was signed by Delaware Governor John Carney, with an effective date of January 1, 2025, and an “outreach” to inform consumers in July 2024. Let’s dive into the Delaware Personal Data Privacy Act elements.
Delaware’s applicability threshold is based on the number of consumers whose data an entity collects. Delaware lowers the threshold to 35,000 consumers, considering the state’s smaller population.
Delaware’s bill introduces rights for consumers, including the right to obtain a list of third parties to which their data has been disclosed. In alignment with the Connecticut Data Privacy Act, the DPDPA will recognize universal opt-out mechanisms to be implemented by January 1, 2026.
While the DPDPA does not provide blanket exemptions for non-profits, the bill contains exemptions for state governmental entities but excludes institutions of higher education. The bill has no entity-level exemption for HIPAA-covered organizations and business associates, but it provides data-level exemptions for health data. It also addresses GLBA financial institutions and information subject to the GLBA.
The DPDPA is one of the few state privacy laws that explicitly treat pregnancy status and transgender identification as sensitive data, making its definition one of the most comprehensive among state laws. Sensitive data also includes genetic and biometric data, and the bill gives a detailed explanation of genetic data.
Enforcement of the DPDPA will fall under the Delaware Attorney General’s Office, with no private right of action. There is a sixty-day right to cure that sunsets on December 31, 2025.
With Delaware becoming the 12th state to pass comprehensive privacy legislation, organizations will have to navigate a myriad of similar, yet unique laws that will go into effect at various times over the next few years. If you have questions about compliance or how Truyo is helping our enterprise clients navigate these new privacy laws, reach out to hello@truyo.com.
We will keep you apprised of any updates on the Delaware Personal Data Privacy Act as they become available.