The Delaware Personal Data Privacy Act protects Delawareans' personal data privacy.
Passed and signed into law in 2023, the Delaware Personal Data Privacy Act requires businesses to follow several important personal data privacy principles to help protect Delawareans’ personal data. The law will be enforced by the Delaware Department of Justice beginning January 1, 2025.
Review the site below for more information to help businesses prepare and check back for updates as we approach January 2025.
Does My Business Need to Comply with the Delaware Personal Data Privacy Act?
The Delaware Personal Data Privacy Act requires many businesses that collect Delawareans’ personal data to comply with important privacy practices to help protect Delawareans’ personal data. The law applies to both for-profit and non-profit businesses.
Some exemptions apply to businesses with financial and health care data. If you believe an exemption might apply to your business, you should consult your legal counsel.
Even if your business is not covered now because of its size, the Delaware Personal Data Privacy Act can still be a good guide to help your business develop best practices to protect the personal data of its customers.
What is personal data?
All data that is linked or linkable to an individual, including by:
- Name or nickname
- Address
- Email address
- Device IDs for your computer, phone, or car
- Precise location data
- Unique identifier
What is sensitive personal data?
Any personal data that reveals:
- Racial or ethnic origin
- Religious beliefs
- Health information
- Sex life or sexual orientation
- Status as transgender or nonbinary
- Citizenship or immigration status
What do businesses need to do to protect personal data?
Delaware’s Personal Data Privacy Act gives businesses the freedom to use personal data necessary to run their businesses while giving Delawareans more information about how their information is used and tools to better protect it.
The requirements on businesses are proportionate and follow best practices for personal data privacy across America and around the globe.
Key Personal Data Privacy Principles
- Transparency
- Data Minimization
- Security
- Accountability
To assess its obligations, a business must first determine whether it is a Controller or a Processor. If your business decides how to collect or use an individual’s personal information, it is most likely a Controller. If it only stores information at the direction of another person or business, it is probably a Processor. Check the FAQ page to learn more about the distinction between controllers and processors.
Controllers decide what personal information is collected and how it is used. Accordingly, Controllers have the most extensive obligations to help protect individuals’ personal data. These obligations can be divided into four broad categories.
Transparency
Businesses must provide a reasonably accessible, clear, and meaningful Privacy Policy.
The Privacy Policy must include:
- Categories of personal data collected and processed
- Purpose for collecting personal data
- Information on how consumers can exercise their rights
- Categories of data shared with third parties
- Categories of third parties the information is provided to
- Whether, and what types of, personal data is sold to third parties
- Contact information
Policies must also:
- Conspicuously disclose the sale of personal information or its use for targeted advertising
- Disclose and obtain consent for the collection of sensitive personal information
- Tell consumers how to opt out of:
  - Sale of personal information
  - Targeted advertising
  - Profiling using automated decision making
Data Minimization
The Delaware Personal Data Privacy Act gives businesses the flexibility to identify the business purposes for which they collect personal data. Those purposes must be identified in the Privacy Policy, and businesses are limited to processing personal data for those purposes.
Additionally, once a purpose is identified, personal data may only be processed when it is reasonably necessary, proportionate, and relevant to that purpose.
In practical terms, businesses should inventory the personal data they collect, identify where it is stored, decide who has access to the information, and document how it may be used. This includes information the business controls that is held by third-party processors such as cloud storage providers. For more information about documenting the relationship between ‘controllers’ and ‘processors’.
The Delaware Personal Data Privacy Act provides specific exceptions under which businesses may also use personal data; in many cases these data minimization principles continue to apply even under those exceptions.
Security
Businesses must ensure reasonable data security measures are in place to prevent unauthorized access to the information, both by outsiders and by internal personnel who are not authorized to see it.
Accountability
- Businesses must provide a clear and easy means of contact.
- Businesses must follow an individual’s request to access, correct, or delete their personal data when required.
- Businesses must honor individuals’ requests to opt out of the sale of personal data, targeted advertising, or profiling using automated decision making.
- Businesses must request consent to collect and process sensitive data and must allow individuals to just as easily revoke consent.
- When a Delaware resident contacts a business about their personal data, the business must respond promptly and in no case later than 45 days after the request.
- Businesses must have an appropriate appeal process in place.
- Businesses must inform Delawareans they can contact privacy@delaware.gov with any complaints or fill out this questionnaire.
Controller – Determines how to collect and use personal data
Processor – Processes or stores personal data on behalf of a Controller
Requirements for Controllers and Processors
- The processor must strictly follow the controller’s directions
- The processor cannot use personal data for its own purposes
- The relationship between controller and processor must be documented in a Data Processing Agreement
- The processor must have adequate data protection systems
- The processor must maintain the confidentiality of personal data
- The processor must permit the controller to assess its systems
- The processor must delete or return the data when the relationship terminates
This site is intended for informational purposes only. You should contact your own attorney for legal advice. General questions and concerns may be directed by email to privacy@delaware.gov. We may not respond to every request.