Applicability of Data Protection Law in Delaware to Organizations Doing Business in the Jurisdiction

The factor of "doing business in the jurisdiction" is used in the Delaware Personal Data Privacy Act (PDPA) to define the scope of applicability. This factor ensures that organizations with a commercial presence or targeting products and services to residents in Delaware are subject to the state's data protection regulations.

Text of Relevant Provisions

Delaware PDPA Para.12D-103(a):

"This chapter applies to persons that conduct business in the State or persons that produce products or services that are targeted to residents of the State and that during the preceding calendar year did any of the following:(1) Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.(2) Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data."

Analysis of Provisions

The Delaware PDPA extends its applicability to entities based on their commercial activities within the state. Para.12D-103(a) explicitly sets forth conditions under which the law applies:

• Commercial Presence: The PDPA applies to any person or entity "that conducts business in the State" or "produces products or services that are targeted to residents of the State." This broad definition ensures that any entity with significant commercial activities in Delaware falls within the scope of the law.
• Thresholds for Applicability:
  • Data Volume: Entities that controlled or processed the personal data of at least 35,000 consumers in the preceding calendar year, excluding data processed solely for payment transactions.
  • Revenue from Data: Entities that controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data.

These thresholds are intended to focus the law's applicability on entities with significant data processing activities, ensuring that smaller entities are not unduly burdened while still protecting a substantial number of consumers.

The inclusion of this factor reflects a legislative intent to safeguard the privacy of Delaware residents by regulating entities that either have a significant operational presence in the state or actively target Delaware residents with their products or services. This ensures that consumer data is protected regardless of whether the data processing occurs within or outside state boundaries.

Implications

For Businesses and Data Processors:

• Extended Compliance: Entities operating or targeting residents in Delaware must comply with the PDPA if they meet the specified thresholds. This includes adhering to data protection standards and implementing appropriate measures for consumer data protection.
• Regulatory Oversight: The Delaware Attorney General's office is responsible for enforcing compliance with the PDPA, ensuring that businesses adhere to the stipulated data protection requirements.
• Case Examples:
  • A national retailer with a significant number of customers in Delaware must comply with the PDPA if it meets the data volume or revenue thresholds.
  • An online service provider targeting Delaware residents and deriving substantial revenue from selling their data must comply with the PDPA.
• Compliance Challenges: Businesses must navigate the complexities of the PDPA, including updating privacy policies, implementing data subject rights, and ensuring data security measures are in place.

By defining "persons that conduct business in the State" and targeting products or services to residents, the Delaware PDPA ensures robust consumer privacy protections for residents, extending its reach to both local and out-of-state entities that engage significantly with Delaware consumers.