November 5, 2024
How Long Can Businesses Keep Personal Data?
Some privacy laws require businesses to create data retention policies, but figuring out the maximum amount of time you can hold on to data can be complicated.
The march of new state privacy legislation continues as Delaware has now passed the country’s 13th comprehensive privacy law.
While many of these laws share similar features, no two of them are exactly alike, making compliance an increasingly complicated endeavor. The Delaware Personal Data Privacy Act continues the overall trend of taking inspiration from Oregon’s privacy laws also apply to nonprofits.
Delaware’s privacy law gives consumers the following rights.
The DPDPA also gives consumers the right to “obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data.” However, this information already must be included in an organization’s privacy notices, so it’s not clear that this actually gives rise to a new type of privacy request.
The DPDPA defines “personal data” in a way that more or less identical to other state privacy laws, i.e. any information “that is linked or reasonably linkable to an identified or identifiable individual.” Deidentified data or publicly available information is excluded from this definition.
Personal data is more than just names and email addresses, though, and can cover anything from IP addresses to internet cookies to shopping habits.
The Delaware Personal Data Privacy Act requires organizations to perform data protection assessments for certain types of processing activities, but only if that organization processes the personal data of at least 100,000 Delaware residents. In those cases, a data protection assessment is required for:
The DPDPA itself does not identify a specific dollar amount for fines. Instead, it states that a violation shall be considered an unlawful practice under Delaware’s consumer protection laws, which are punishable by penalties of up to $10,000 per willful violation.
The Delaware Personal Data Privacy Act Act does not grant a private right of action to consumers, meaning they cannot sue an organization over alleged violations.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.
