Update Applicable to:
All entities that conduct business in Delaware or produce products or services that are targeted to Delaware residents.
What happened?
The Act will take effect January 1, 2025, and comprehends obligations applicable to both data controllers and data processors as well as consumer rights.
What do employers need to do?
Employers should review all policies and contracts to adjust them according to the law. If applicable, employers should seek legal counsel from their trusted employment attorney to properly comply with consumers’ or institutions’ request.
What are the details?
The Act applies to entities that conduct business in Delaware or that produce products or services that are targeted to Delaware residents and that during the preceding calendar year did any of the following:
- Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or
- Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data.
Nonprofits: law exempts organizations that are dedicated to preventing and addressing insurance crime and to organization(s) that provides services to individuals who are victims of, or witnesses to, child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking. All other nonprofit organizations must comply with the Act.
Right to obtain a list of the categories of third parties: in addition to the usual set of consumer privacy rights, the law gives consumers the right to obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data.
Opt-out preference signal requirement: will go into effect no later than January 1, 2026. The law may allow consumers to use preference signals to opt out of profiling as well.
The Act provides guidance for compliance with consumer rights, outlining that controllers must respond to consumers without undue delay, but not later than 45 days after receipt of the request. Controllers may extend the response period by 45 additional days, when necessary, provided the consumer is informed of such extension within the initial 45-day response period and of the reason for the extension.
The information provided in response to a consumer request must be provided free of charge, once per consumer during any 12-month period. Where requests are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. Controllers bear the burden of demonstrating the maliciousness of the request.
The Department of Justice has exclusive authority to enforce the Act’s provisions.
Certain types of information are exempt under the Act including:
- Protected health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Any personal information bearing on a consumer but only to the extent that the activity is regulated by, and authorized under, the Fair Credit Reporting Act of 1970 (FCRA).
- Personal data regulated by the Family Educational Rights and Privacy Act (FERPA).
For additional information review the complete Delaware Privacy Act and the resources provided below.
For more information, please see the links below:
Law Firm Articles: Article 1, Article 2, Article 3
Need help understanding how changes to employment laws will affect your business?
Learn more about how Vensure's Delaware PEO services can help you navigate complex employment laws and keep your business compliant.
This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.