Bloomberg Government subscribers get the stories like this first. Act now and gain unlimited access to everything you need to grow your opportunities. Learn more.
Delaware’s new consumer privacy law adds to state-level compliance requirements for companies, with a broad definition of sensitive data that includes transgender status and heightened protections for users under the age of 18.
The Delaware Personal Data Privacy Act, which was enacted last week, takes effect Jan. 1, 2025. It joins a rapidly evolving patchwork of state laws that provide residents the right to know what data a business collects, and limit certain uses.
“It definitely is not a one size fits all,” said Robert Braun, partner at Jeffer Mangels Butler & Mitchell LLP, about the various state laws.
The Delaware law applies to entities that do business in the state or target its residents, and control or process the personal data of at least 35,000 consumers per year. That threshold drops to 10,000 consumers if the sale of personal data makes up more than 20% of gross revenue.
Individuals have more control over their data under the Delaware law than under laws in some other states, according to Consumer Reports. That includes a broader definition of sensitive data—which companies must obtain consent to process.
Like a law enacted earlier in Oregon, Delaware’s definition of sensitive data includes transgender or nonbinary status. It also includes health conditions such as pregnancy.
Most nonprofits are covered under the law, as they are under laws enacted earlier in Oregon and Colorado. Other state privacy laws exempt them.
“We do work with quite a few nonprofits who had previously not been as concerned and focused on compliance with these data privacy laws, but it seems like that is not going to be continuing, at least if they’re doing business in Colorado, Oregon, and Delaware,” said Sarah Rugnetta, partner at Constangy, Brooks, Smith & Prophete, LLP.
Delaware consumers will have the right to access, correct, and delete the personal data collected on them as well as opt out of having their data sold or used for targeted advertising. Entities must obtain consent to sell personal data or process it for targeted advertising if they know or willfully disregard that a consumer is between 13 and 18 years old.
“It’s something that will probably cause businesses to sort of step back and take a closer look at whether that particular company should expect that there might be children visiting their site,” Rugnetta said about the requirements.
Unlike other states, Delaware’s law also allows consumers to get a list of the categories of third parties to which their data has been disclosed.
The law’s exemptions include most state entities, financial institutions, and data that’s protected health information under federal health privacy law, which covers entities such as health insurance companies, doctors, and hospitals.
Differences in definitions among the various state laws can create compliance challenges for companies, Braun said.
“Do we decide that we’ll adopt the Delaware definition of sensitive data or do we simply have a separate category for Delaware?” Braun said.
Delaware has also joined several other states in requiring companies to recognize browser privacy signals that allow consumers to reflect their privacy choices across multiple websites.
The Delaware Department of Justice will enforce the law. The law will initially give businesses 60 days to fix violations without penalty, though that provision sunsets at the end of 2025.
Seven other states enacted similar consumer privacy laws this year, beyond existing laws in California, Colorado, Connecticut, Utah, and Virginia. California goes further than other states in covering employee and business-to-business data in addition to consumers, but each state law has its own nuances.
For companies trying to navigate numerous laws, the first step is determining which laws apply to them, Rugnetta said. In some cases, a state-by-state approach to compliance makes sense, though larger organizations tend toward more comprehensive privacy programs, she said.
“I’ve found that most companies are taking that approach where they are developing a program that might be based largely on California but takes into account each of those nuances and additional criteria,” Rugnetta said.
A federal judge issued a preliminary injunction Sept. 18 to block California’s first-in-the-nation law that aims to protect youth online in a tech industry lawsuit alleging First Amendment violations.
To contact the reporter on this story: Brenna Goth in Phoenix at firstname.lastname@example.org
To contact the editors responsible for this story: Keith Perine at email@example.com; Bill Swindell at firstname.lastname@example.org