Delaware’s Consumer Privacy Act Takes Effect January 2025
As privacy laws continue to evolve across the U.S., Delaware has joined the growing list of states passing robust consumer data protection legislation. Effective January 1, 2025, the Delaware Personal Data Privacy Act (“DPDPA”) will require businesses to rethink their data privacy practices, especially those that process large amounts of personal information from Delaware residents. If your business falls under the law’s scope, now is the time to ensure compliance to avoid potential penalties and preserve consumer trust.
The DPDPA is similar in structure to existing state-level privacy laws, like California’s CCPA, but it brings its own unique set of requirements that businesses must meet. It applies to businesses that control or process the personal data of at least 35,000 Delaware residents in the prior calendar year or those that control or process the data of at least 10,000 Delaware residents and generate more than 20% of their revenue from the sale of personal data. The law does not apply to data processed for commercial or employment purposes, so businesses focused solely on those activities won’t be affected.
Privacy Notices.
One of the first areas that businesses must address under the DPDPA is transparency. Companies must provide clear, easily accessible privacy notices to Delaware consumers. These notices should cover the categories of personal data collected, the purposes for processing that data, and how consumers can exercise their rights, including opting out of data sales or targeted advertising. Additionally, if your business uses personal data for profiling or sells it to third parties, the privacy notice must explicitly disclose this.
Sensitive Data.
The DPDPA also places significant emphasis on sensitive data, including personal details such as health information, racial or ethnic origin, and precise geolocation data. If your business collects such sensitive data, you’ll need to obtain explicit consumer consent before using it for targeted advertising or selling it to third parties. The law also gives Delaware consumers the right to opt out of profiling activities, which could affect automated decisions based on personal data. Businesses must be prepared to handle these requests swiftly and efficiently.
Data Security.
Data security is another key component of the DPDPA. Businesses must implement reasonable administrative, technical, and physical safeguards to protect the personal data they process. This includes ensuring that data security practices are up to date and capable of addressing emerging threats. Regular risk assessments are a good practice to help identify and mitigate potential vulnerabilities.
Data Protection Assessments.
For those businesses that handle large volumes of personal data, the DPDPA requires periodic data protection assessments. These assessments must be conducted for processing activities that begin after the law’s effective date in January 2025. The purpose of these assessments is to evaluate the risks associated with data processing and ensure that those risks are managed appropriately.
Universal Opt-Out Mechanism.
The DPDPA also addresses the growing trend of universal opt-out mechanisms. By January 1, 2026, businesses will be required to honor universal opt-out signals, which will allow consumers to opt out of the sale of their data or targeted advertising on a broader scale. While this provision won’t be mandatory until 2026, it’s wise to begin considering how to integrate universal opt-out capabilities into your systems now.
Enforcement and Compliance.
Enforcement of the DPDPA will be handled by the Delaware Attorney General, who has the authority to issue civil penalties of up to $10,000 per violation. However, businesses will have a 60-day cure period to fix any violations after being notified. This grace period ends on December 31, 2025, after which the Attorney General may choose to allow businesses to address violations on a case-by-case basis. It’s important to take full advantage of this cure period to address any compliance issues before facing penalties.
Compliance Recommendation.
To finalize preparations for the DPDPA and ensure that your business is fully compliant when the law takes effect, consider taking these steps now:
-
Ensure Privacy Policies are Updated. Ensure that your privacy notices are clear, comprehensive, and up to date with the requirements set forth by the DPDPA. Include details on data collection, processing purposes, third-party data sharing, consumer rights, and opt-out options.
-
Confirm Consent Mechanisms are Working. Ensure that the processes to obtain and manage consent for sensitive data processing, particularly for targeted advertising and data sales are properly working. Make sure that opt-out options for profiling and other data uses are easily accessible.
-
Enhance Data Security Practices. Strengthen your data security measures to safeguard personal information. This includes updating systems, conducting risk assessments, and ensuring that all data handling processes are in compliance with Delaware’s requirements.
-
Prepare for Consumer Rights Requests. Be ready to handle consumer requests for access, correction, deletion, data portability, and opt-out preferences. Implement systems to manage these requests in a timely manner.
-
Track Compliance Progress. Given that new privacy laws are being introduced regularly, it’s crucial to stay informed and track any updates or enforcement trends that may affect your business operations.
While many of the requirements align with existing privacy laws, the specific provisions of the DPDPA, including consent requirements for sensitive data and the upcoming universal opt-out mechanism, require businesses to take proactive steps now to ensure compliance. By preparing early and implementing a comprehensive privacy program, your business can mitigate risks, avoid penalties, and build stronger trust with consumers.
Explore our comprehensive CLIClaw’s Privacy Compliance Library for essential resources and step-by-step guidance to ensure your business is fully compliant.
(Image Credit: iStock Photo)
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.