On July 1, the Delaware Department of Justice’s Consumer Protection Unit launched a new personal data privacy portal, privacy.delaware.gov. This tool aims to assist parents, consumers, and businesses in handling Delawareans’ personal data as they prepare for the implementation of the Delaware Personal Data Privacy Act (DPDPA), effective January 2025.
The DPDPA sets clear guidelines for businesses managing personal data and grants Delaware residents more control over their data usage starting in 2025. The law applies to businesses, including non-profits, with personal data on over 35,000 Delaware residents, with some exceptions.
Under the new legislation, businesses must provide transparency regarding their data practices and obtain consent from Delawareans when collecting and using sensitive personal information such as race and ethnic origin, religious beliefs, sexual orientation, gender identity, and health information.
“Delawareans deserve to have their private data protected and to have a say in how it is shared. Thanks to the upcoming implementation of the Delaware Personal Data Privacy Act, we will be able to do just that,” said Attorney General Kathy Jennings. “I am confident Delaware businesses will take their new personal data privacy obligations seriously, and our Consumer Protection Unit is working hard to help them prepare as this new law approaches in 2025.”
The website privacy.delaware.gov provides essential information for businesses to comply fully with the law by January 2025. It will continue to be updated with new materials and information. The DOJ advises that businesses should start preparing now to ensure readiness by the enforcement date.
Key features of the new law include:
- **Transparency**: Businesses must provide consumers with an accessible privacy policy detailing collected personal data and its usage.
- **Data Minimization**: Only necessary personal information should be collected for provided goods or services. An inventory of collected data must be maintained.
- **Security**: Reasonable security measures proportionate to the sensitivity of stored personal data must be employed.
- **Accountability**: Clear contact means for those responsible for data privacy and security must be identified.
- **Documentation**: Binding agreements between data controllers and processors are required where third-party processing occurs.
Starting January 1, 2025, businesses must address consumer requests concerning their new personal data rights:
- Obtain consent for using sensitive information.
- Allow consumers to opt-out of selling their information or targeted advertising.
- Provide access to collected personal data upon request.
- Prohibit discrimination based on consumer's use of these rights.
- Permit deletion of collected personal data under certain conditions.
For full details on rights and requirements effective January 1 under the DPDPA, visit privacy.delaware.gov. The Department of Justice Consumer Protection Unit is engaging stakeholders across Delaware about compliance with DPDPA. They will continue developing materials based on business community feedback; inquiries can be directed to privacy@delaware.gov.