Law: The Delaware Personal Data Privacy Act (DPDPA)

Regulator: Consumer Protection Unit of Delaware's Department of Justice 

Summary: On September 11, 2023 the Delaware Governor signed House Bill 154 creating the DPDPA, which will enter into force on January 1, 2025. The DPDPA introduces obligations for controllers, including data processing principles, the publication of a privacy notice, requirements to conduct a Data Protection Assessment, and contracts between controllers and processors. Additionally, the DPDPA provides for data subject rights including the right to be informed, access, correct, delete, obtain a copy of personal data, as well as the right to opt-out of certain processing activities.  Notably, the DPDPA specifies that the Department of Justice has exclusive authority to enforce its provisions.

Regarding breach notification, on August 17, 2017, the Delaware Governor signed into law an Act amending the Delaware Code as it relates to security breaches involving personal information. Specifically, the Act revised the definition of what constitutes a security breach and expanded data breach notification requirements, in addition to creating a new requirement for businesses in Delaware to implement and maintain reasonable security safeguards to protect personal information.

In addition, Delaware has enacted a number of sector-specific laws governing, among other things, student data privacy, employee privacy, health privacy, and data security in the insurance sector. For instance, the Student Data Privacy and Protection Act is modelled after California's legislation and requires Delaware's Department of Education to promulgate extensive rules to protect the privacy of student data, mandates limits on transfer of student personal identifiable information, and creates online restriction regarding personal identifiable information and child marketing.