Delaware Governor John Carney on Sept. 11 signed into law House Bill 154, the Delaware Personal Data Privacy Act. This makes Delaware the 12th state to enact a comprehensive consumer data privacy law, following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, and Oregon.
The new Delaware law will go into effect Jan. 1, 2025.
Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data.
Any financial institution or affiliate of a financial institution, all as defined in 15 U.S.C. 6809, to the extent that the financial institution or affiliate is subject to Title V of the Gramm-Leach-Bliley Act and the rules and implementing regulations promulgated thereunder;
Data subject to the Gramm-Leach-Bliley Act and the rules and implementing regulations promulgated thereunder;
Protected health information under HIPAA;
Activities regulated by the Fair Credit Reporting Act.
Confirm processing of their personal data and access such data;
Correct inaccuracies, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data;
Delete personal data provided by, or obtained about, the consumer;
Obtain a copy of the consumer's personal data processed by the controller;
Obtain a list of the categories of third parties to which the controller has disclosed the consumer's personal data;
Opt out of processing if for the purpose of targeted advertising, sale, or profiling.
SENSITIVE PERSONAL INFORMATION
Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, citizenship status, or immigration status.
Genetic or biometric data.
Personal data of a known child.
Precise geolocation data.
Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.
At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.
Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in this chapter.
After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data.
Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor.
DATA PROTECTION ASSESSMENTS
Processing for the purpose of targeted advertising;
Processing for the purpose of selling personal data;
Processing for the purpose of certain profiling; and
Processing sensitive data.
Ralph T. Wutscher
Maurice Wutscher LLP
Admitted to practice law in Illinois