Senior Content Marketing Manager II
July 23, 2024•4 min read
Delaware's privacy law applies to businesses conducting operations in Delaware or targeting their products or services to Delaware residents. In addition, a business must also:
While the approach to applicability is common in the US state privacy law landscape, the DPDPA distinguishes itself with significantly lower applicability thresholds compared to other states. This ensures that a broad spectrum of businesses, ranging from local startups to large corporations, will be subject to the law's requirements.
Delaware's privacy law imposes rigorous obligations on businesses aimed at protecting consumer data and enhancing transparency in data handling practices. Key compliance requirements include:
Under the DPDPA, Delaware consumers have the right to access, confirm, correct, delete, or transfer their data. Businesses under the law must establish mechanisms that enable consumers to exercise these rights effectively. Additionally, businesses must give consumers a way to opt out of targeted advertising, data sales, and profiling.
For children aged 13 to 17, Delaware’s privacy law mandates additional data protections. In alignment with the Children's Online Privacy Protection Act (COPPA), businesses must get parental consent before processing personal data for minors in this age range for targeted advertising or data sales.
Delaware businesses must also obtain verifiable parental consent before processing personal data for children under 13 years old for any purpose.
The DPDPA requires that businesses under its purview provide consumers with a clear and accessible method to opt out of targeted advertising, data sales, and profiling.
To that end, starting January 1, 2026, businesses must recognize and respect universal opt-out signals, like the Global Privacy Control (GPC).
Businesses under Delaware's privacy law must conduct data protection impact assessments (DPIA) before engaging in data processing activities that may present a heightened risk to the consumer. These risky data processing activities include processing sensitive data, targeted advertising, selling personal data, and profiling.
DPIAs evaluate the necessity, proportionality, and mitigation measures associated with the processing activities—helping businesses to preemptively identify and address potential privacy risks.
The Delaware Personal Data Privacy Act (DPDPA) shares similarities with other state privacy laws, but does have a few unique characteristics.
Begin with a thorough review of your company's data practices to determine if you fall under the scope of Delaware’s privacy law. Assess whether you meet the thresholds outlined in the legislation. If you do, start working through the other items.
One of the most foundational pieces of compliance is creating a comprehensive inventory of the personal data your business collects, processes, and stores. Be sure to identify the types of data involved, processing activities, and the legal basis for each. With this inventory in hand, you can then conduct a gap analysis to assess your potential compliance risk.
Develop processes to fulfill consumers' requests for data access, correction, deletion, and transfer. Ensure these processes include verification of consumer identity and prompt response times. Using a next-gen privacy solution like Transcend DSR Automation may be able to help.
Deploy a consent management system across all digital interfaces, including websites, web apps, mobile apps, and backend data stores. A full-stack solution like Transcend Consent Management will ensure consistent enforcement of consumer consent preferences, covering browser-based signals like GPC, LDU, and Do Not Sell requests across all domains and regions.
Conduct assessments before engaging in high-risk processing activities, such as selling personal data or targeted advertising. Be sure to document assessment outcomes, including risk analysis and mitigation strategies.
With a tool like Transcend Assessments, you can use attribute-based auto-suggestions to manage Data Protection Impact Assessments (DPIAs), Transfer Impact Assessments (TIAs), and AI Risk Assessments with ease.
Develop clear and concise privacy notices that inform consumers about your data practices. Include details on the purposes of data collection, categories of data processed, and consumer rights under Delaware’s privacy law.
Prepare your systems and processes to acknowledge and respect universal opt-out signals for targeted advertising, data sales, and profiling activities. Update procedures to seamlessly integrate opt-out preferences, ensuring compliance with Delaware’s regulatory deadlines.
By following this comprehensive checklist, businesses can effectively navigate Delaware’s privacy law landscape, ensuring robust compliance that safeguards consumer data and upholds regulatory standards.
Transcend is a next-generation platform privacy and data governance. Encoding privacy at the code layer, we provide solutions for any privacy challenge your teams may be facing—including getting you ready for new legislation like Delaware's data privacy law.
From Consent Management, to automated DSR Automation, to a full suite of data mapping solutions (Data Inventory, Silo Discovery, Structured Discovery, and more), Transcend has you covered as your company grows and evolves in a swiftly changing regulatory environment.
Senior Content Marketing Manager II