Client Alert: Delaware Becomes the Latest State to Enact a Data Privacy Law

Date: September 20, 2023
On September 11, 2023, Delaware became the latest state to enact comprehensive privacy legislation, following the recent enactments of data privacy laws in Iowa, Indiana, Florida, Montana, Tennessee, Texas, and Oregon.  

Currently, other states with data privacy laws include California, Colorado, Connecticut, Utah, and Virginia. 

The Delaware law largely adopts the framework of consumer data privacy laws previously enacted in other states, and generally shares key definitions, business obligations, and core consumer rights governing the collection, use, and transfer of consumer data. However, there are some notable differences, discussed below, where the Delaware law deviates from other state privacy laws.

Lower Jurisdictional Thresholds. The Delaware law applies to all “controllers” (a person or a business that, alone or jointly with others, determines the purpose and means of processing personal data) who conduct business in Delaware or produce products or services that are targeted to residents of Delaware, and who, during the preceding calendar year, either (a) controlled or processed personal data of not less than 35,000 Delaware residents, or (b) controlled or processed personal data of not less than 10,000 Delaware residents and derived more than 20% of their gross revenue from the sale of personal data. 

Thus, as is the case in some other states (like Virginia and California) that have adopted a comprehensive privacy law, the new Delaware privacy law applies multiple types of jurisdictional thresholds. The first jurisdictional threshold in Delaware is based solely on the number of Delaware residents whose personal data is controlled or processed (the “Residents-Only Trigger”). The second jurisdictional threshold in Delaware is triggered on the basis of a specific combination of both a minimum number of Delaware residents and a minimum percentage of gross sales derived from the sale of personal data (the “Two-Tier Trigger”).
 
Notably, the 35,000 Residents-Only Trigger in Delaware is materially lower than resident-only thresholds adopted in other states with comprehensive privacy laws. By way of example, the comparative Residents-Only Trigger in both Virginia and California is 100,000 consumers. Delaware’s relatively lower Residents-Only Trigger presumably reflects the fact that Delaware is a very small state with a population that is 1/40th the size of California and falls in the bottom 10% of state populations.
 
Likewise, the first tier of Delaware’s Two-Tier Trigger applies a materially lower threshold (10,000 Delaware residents) than other states with multiple-tier jurisdictional thresholds. But the second tier of Delaware’s Two-Tier Trigger (i.e., 20% of gross revenue from the sale of personal data) is remarkably low when compared to the percentage of revenue thresholds in other states. By way of example, the counterpart figure in the California and Virginia laws is 50%, while the minimum financial threshold in Florida is $1 Billion USD. This means that controllers who do roughly the same amount of business in Delaware as other states, on a per-capita basis, are more likely to be compelled to comply with Delaware’s new comprehensive privacy law than the privacy laws of other states with revenue triggers.

Nonprofits and Other Notable Exemptions.  We have recently surveyed how each state privacy law addresses nonprofit and political organizations within its respective framework. Joining a minority of states, namely Colorado and Oregon, Delaware does not broadly exempt nonprofit organizations. 

Instead, the Delaware privacy law contains two narrow exceptions applicable to nonprofit organizations. The first is an enterprise-level exception for “nonprofit organizations dedicated exclusively to preventing and addressing insurance crime.” The other is a data-specific exception covering “[p]ersonal data of a victim of or witness to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking that is collected, processed, or maintained by a nonprofit organization that provides services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felony.”

Outside of these limited exceptions, the Delaware law is applicable to any nonprofit organization that offers services in the state and otherwise meets the jurisdictional threshold requirements noted above. 

Another notable deviation concerning the applicability of the Delaware law involves institutions of higher education—while government entities are generally exempt, this government exemption does not extend to public institutions of higher education.

Notably absent from the Delaware law is an entity-level exemption for the covered entities and business associates subject to the Health Insurance Portability and Accountability Act (“HIPAA”). The law does contain, however, multiple data-specific exemptions for personal health information subject to HIPAA. 

On the other hand, the Delaware law does contain both enterprise-level and data-specific exceptions for financial institutions and information subject to the Gramm-Leach-Bliley Act.

Children’s Privacy Rights. The Delaware privacy law contains heightened protections for the personal data of minors, and extends these protections to all consumers between the ages of 13 and 18. Under the law, controllers cannot process the personal data of a consumer for the purposes of targeted advertising or sell the consumer’s personal data without the consumer’s consent where a controller has actual knowledge or willfully disregards that the consumer is at least 13 years of age but younger than 18 years of age.  

Broader Definition of Sensitive Data.  Delaware follows the lead of other state privacy laws by requiring that controllers obtain consent for the processing of sensitive personal data. The Delaware law defines sensitive data to include a consumer’s “status as transgender or nonbinary,” which is a departure from other state privacy laws.  However, in this regard, Delaware tracks the recently enacted Oregon law.  

The Delaware law also contains a separate definition of genetic data, otherwise included in the sensitive data definition, which does not appear in other state privacy laws. “Genetic data” is defined as “any data, regardless of its format, that results from the analysis of a biological sample of an individual, or from another source enabling equivalent information to be obtained and concerns genetic material.” Genetic material also “includes deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from analysis of the biological sample or other source, and any information extrapolated, derived, or inferred therefrom.”

Enforcement and Rulemaking.  Unlike most other state privacy laws, the Delaware law does not provide the Delaware Attorney General with any rulemaking authority, meaning that any changes or clarifications to the law must be enacted through the legislative process. However, consistent with other state privacy laws, the Delaware law will be enforced solely by the Delaware Attorney General Office, as there is no private right of action under the law. As such, California remains the only state whose privacy laws allow consumers to bring lawsuits for alleged violations.  

Next Steps

The Delaware law will take effect on January 1, 2025, while potential new comprehensive privacy laws continue to simmer in a handful of other states. If you have questions about how these new laws in Delaware or elsewhere may affect your organization, please contact a member of Whiteford’s Cyber Security, Data Management & Privacy practice group.