December 31, 2024 | By: Dunlap Bennett & Ludwig
As we welcome in a New Year, Delaware is poised to join a dozen other states by enacting and implementing a new comprehensive data privacy law designed to give consumers stronger rights over their personal data. This new act, effective January 1, 2025, is known as the Delaware Personal Data Privacy Act (or “DPDPA”).
What is the Delaware Personal Data Privacy Act?
The DPDPA will impact the many businesses that are incorporated and do business in Delaware, or those businesses that offer products or professional services targeted at Delaware residents. More specifically, entities that control or process the personal data of at least 35,000 residents, or entities that control or process the personal data of more than 10,000 Delaware residents and derive more than 20% of their gross revenue from the sale of personal data will need to comply with the requirements of the DPDPA.
What distinguishes the DPDPA from other states’ data privacy laws is that “data controllers” are not only for-profit entities, but also include not-for-profit organizations and higher education institutions. 6 Del. C. § 12D-102.
The DPDPA establishes a new set of consumer personal data rights that includes (1) the right to confirm whether a controller is processing personal data and the right to access the personal data; (2) the right to correct inaccuracies in the consumer’s personal data; (3) the right to request deletion of the personal data; (4) the right to obtain a copy of the consumer’s personal data that is in possession of the controller; (5) the right to obtain a list of the categories of third parties with which the personal data has been shared; and (6) the right to opt out of the processing of personal data for purposes of targeted advertising, sale of personal data, and profiling in furtherance of automated decisions that produce legal or other significant effects concerning the consumer. Id. at (a)(1-6).
Controllers must implement these consumer rights through a written privacy policy that is made available to consumers. The written terms of the policy must limit the collection of personal data to what is adequate and necessary for its disclosed purpose. It will be unlawful for a data controller to use or manipulate the consumer’s personal data in a way that is inconsistent with the disclosed purpose unless the consumer provides consent. Controllers must set up reasonable administrative, technical, and physical data security practices with the aim of protecting consumer personal data.
The statute also requires that a data protection assessment be conducted if the controller is processing the personal data of more than 100,000 consumers. There is an ongoing assessment obligation for data processing activities that create a heightened risk of harm for consumers.
The DPDPA defines data processing activities with a “heightened risk of harm” to include targeted advertising, selling personal data, processing of personal data for the purpose of profiling, where there is a reasonably foreseeable risk of unfair or deceptive impact on the consumer, where it could result in financial or reputational injury to the consumer, where there is a physical or privacy intrusion on the consumer, or where the activity involves a risk of substantial injury. Id. at § 12D-108(a).
A data controller operating under the new DPDPA needs a mechanism for ensuring that the appropriate contracts are in place with any third parties or other affiliates that may have access to or receive the consumers’ personal data from the controller. Luckily, data controllers will not be liable or in violation of the DPDPA for the independent misconduct of third parties if they had no knowledge that the receiving processor violated or would violate the law. Id. at § 12D-110.
On a final note, Delaware has decided that a private civil cause of action is not available to consumers under the DPDPA. All enforcement of Delaware’s new data privacy law will be handled by the Delaware Department of Justice, with civil penalties of up to $10,000.00 per violation.
Delaware is just one of five states with new consumer data privacy laws taking effect on January 1, 2025. This new year is a great time to contact a data privacy attorney in Delaware to ensure that your company has an updated privacy policy and is compliant with the latest privacy practices.
Dunlap Bennett & Ludwig’s data security and compliance lawyers advise clients on regulations such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act (HIPAA), and state cybersecurity laws like the Delaware Personal Data Privacy Act.
To learn more about Dunlap Bennett & Ludwig and how we can help you, call us at 800-747-9354 or email us at clientservices@dbllawyers.com.