On June 16, 2026, the Delaware General Assembly passed HB 380, which would amend the Delaware Personal Data Privacy Act (DPDPA). The bill is currently awaiting the Delaware governor’s signature, and if signed, the amendments would take effect on January 1, 2027. The amendment would impose the following:
- Third-Party Risk Management: The amendment requires controllers to conduct “reasonable due diligence” on third parties to whom the controller discloses information. In addition, the amendment requires new contract agreements when personal data is disclosed to third parties, such as when personal data is sold or disclosed to a third party for targeted advertising. The required contract language echoes certain requirements under the California Consumer Privacy Act. Further, the bill would give consumers the right to obtain a list of third parties to which the controller has disclosed the consumer’s personal data unless certain exceptions apply. At present, consumers are only entitled to a list of the categories of third parties to which personal data is disclosed.
- New Profiling Requirements: The amendment imposes new, prescriptive requirements for data protection impact assessments when a controller engages in profiling in furtherance of automated decisions that produce legal or similarly significant effects for a consumer. It also potentially expands the scope of profiling activities for which consumers have rights to opt out (removing references to “solely” automated decisions). The amendment also prohibits profiling that violates federal or state laws that prohibit unlawful discrimination, noting that evidence or the lack of evidence of anti-bias testing is relevant to such claims.
- Further, the amendment also imposes new obligations in the event a controller discloses personal data to a third party for use in connection with a decision that produces legal or similarly significant effects. The controller would need to put in place a contract with any such third party, requiring certain disclosures to consumers about the use of their personal data and notice to consumers of any adverse action based on their data. The controller would also be required to provide consumers, upon request, with additional information and the ability to correct relevant personal data. Although the DPDPA generally exempts data processed in the course of an individual applying to, employed by, or acting as an agent or independent contractor, the amendment would limit that application of that exemption for purposes of the above new obligations.
- Sensitive Data: The amendment would expand the definition of sensitive data to include neural data, government-issued identification numbers, and consumer financial numbers and similar information that would allow access to a consumer’s financial account, among other additions. In addition, the amendment would prohibit the sale of sensitive data unless certain conditions are met, including both the consent of the consumer at that the disclosure is strictly necessary to provide or maintain a product or service requested by the consumer.
- Additional Requirements: The amendment also makes several other changes and clarifications. New language suggests the required privacy notice that controllers must provide consumers should be “reasonably particular to the product or service offered to the consumer” and identify the controller. The provisions addressing contracts between data controllers and processors invoke language from the CCPA regulations that requires processor agreements to identify “each limited and specific purpose” for which the processor may process personal data without describing such purposes “in generic terms.”
- Applicability: The amendment would lower the DPDPA’s applicability thresholds to encompass entities that control or process personal data of not less than 10,000 consumers or that derive more than 20% of revenue from the sale of personal data of not less than 5,000 consumers. HB 380 also narrows statutory exemptions, such as limiting the financial institution entity-level exemption to banks and insurers and their respective affiliates. The amendment also would impose certain obligations directly on third parties that receive personal data from a controller or processor.
Recent Comments