The march of new state privacy legislation continues as Delaware has now passed the country’s 13th comprehensive privacy law.

While many of these laws share similar features, no two of them are exactly alike, making compliance an increasingly complicated endeavor. The Delaware Personal Data Privacy Act continues the overall trend of taking inspiration from Oregon’s privacy laws also apply to nonprofits.

What Rights Do Consumers Have Under the DPDPA?

Delaware’s privacy law gives consumers the following rights.

• Right to Know - Consumers have the right to confirm whether a business is processing their personal data and, if so, to access that data.

• Right to Correct - Consumers can request that a business correct any inaccurate personal information it holds about a consumer.

• Right to Delete - Upon request, businesses must delete personal data provided by or obtained about the consumer.

• Right to Portability - Upon request, businesses must provide a copy of the consumer’s personal data in a readily portable format so that it can be transmitted to another controller, if that data is processed by automated means.

• Right to Opt Out - Consumers can opt out of:

• The sale of their personal data
• Targeted advertising
• Profiling in furtherance of automated decisions that produce legal or similarly significant effects

The DPDPA also gives consumers the right to “obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data.” However, this information already must be included in an organization’s privacy notices, so it’s not clear that this actually gives rise to a new type of privacy request.

What Is “Personal Data”?

The DPDPA defines “personal data” in a way that more or less identical to other state privacy laws, i.e. any information “that is linked or reasonably linkable to an identified or identifiable individual.” Deidentified data or publicly available information is excluded from this definition.

Personal data is more than just names and email addresses, though, and can cover anything from IP addresses to internet cookies to shopping habits.

Are Data Protection Assessments Required?

The Delaware Personal Data Privacy Act requires organizations to perform data protection assessments for certain types of processing activities, but only if that organization processes the personal data of at least 100,000 Delaware residents. In those cases, a data protection assessment is required for:

• Targeted advertising
• Sale of personal data
• Profiling of consumers, where it presents a foreseeable risk of harm
• Processing of sensitive personal data
• Any other processing activity presents a heightened risk of harm to consumers

How Much Do Violations Cost?

The DPDPA itself does not identify a specific dollar amount for fines. Instead, it states that a violation shall be considered an unlawful practice under Delaware’s consumer protection laws, which are punishable by penalties of up to $10,000 per willful violation.

Can Businesses Be Sued by Consumers?

The Delaware Personal Data Privacy Act Act does not grant a private right of action to consumers, meaning they cannot sue an organization over alleged violations.

‍