The Delaware Personal Data Privacy Act (DPDPA) incorporates exemptions for specific purposes of processing as a factor in determining the law's applicability. This factor limits the scope of the law's application based on certain processing purposes.

Text of Relevant Provisions

Delaware PDPA Para.12D-103(a)(1) and Para.12D-103(c)(11)(b) state:

"(1) Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction."

"b. As the emergency contact information of an individual, used for emergency contact purposes."

Analysis of Provisions

The DPDPA includes specific exemptions for certain processing purposes, effectively limiting its scope of application:

1. Payment Transactions: The law explicitly excludes "personal data controlled or processed solely for the purpose of completing a payment transaction" from the consumer count threshold. This means that if a company processes data for 35,000 consumers, but some of this data is used solely for payment transactions, those consumers are not counted towards the 35,000 threshold.
2. Emergency Contact Information: The law exempts data processed "as the emergency contact information of an individual, used for emergency contact purposes". This provision recognizes the necessity of maintaining emergency contact information without subjecting it to the full range of data protection requirements.

These exemptions reflect a pragmatic approach to data protection, acknowledging that certain types of data processing are either necessary for basic business operations (payment processing) or serve important safety purposes (emergency contacts).

Implications

1. Payment Processing: Companies that process large volumes of consumer data solely for payment transactions may fall outside the law's scope, even if they handle data for more than 35,000 consumers. This exemption is particularly relevant for payment processors, e-commerce platforms, and businesses with high transaction volumes.
2. Emergency Contacts: Organizations can maintain emergency contact information without being subject to the full requirements of the DPDPA for this specific data. This is particularly relevant for employers, schools, and other organizations that routinely collect emergency contact information.
3. Threshold Calculations: When determining whether they meet the 35,000 consumer threshold for DPDPA applicability, businesses must carefully assess which consumer data falls under these exemptions. This may require detailed data mapping and categorization processes.
4. Partial Applicability: It's important to note that these exemptions are purpose-specific. If a company processes data for multiple purposes, including but not limited to those exempted, the law may still apply to the non-exempt processing activities.
5. Data Minimization: While certain processing purposes are exempt, businesses should still consider applying data minimization principles to these categories to align with best practices in data protection.