Applicability of Delaware PDPA Based on Number of Data Subjects

The factor "Number of Data Subjects" is explicitly used in the Delaware Personal Data Privacy Act (PDPA) to determine the applicability of the law. This factor sets a threshold for the number of consumers whose personal data is controlled or processed, influencing whether a business is subject to the regulations of the PDPA.

Text of Relevant Provisions

Referenced Provision(s):

"12D-103(a) This chapter applies to persons that conduct business in the State or persons that produce products or services that are targeted to residents of the State and that during the preceding calendar year did any of the following: (1) Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction."

Analysis of Provisions

The provision 12D-103(a)(1) of the Delaware PDPA states that the chapter applies to any business or entity that conducts business within Delaware or targets its products or services to Delaware residents. Specifically, the law applies if, during the preceding calendar year, the business has controlled or processed the personal data of at least 35,000 consumers. This provision explicitly excludes personal data processed solely for completing payment transactions from this count.

This factor establishes a clear numerical threshold that determines whether the PDPA's regulations apply to a business. If a business controls or processes the personal data of fewer than 35,000 consumers, it is not subject to the PDPA under this specific criterion.

Breakdown and Explanation:

• "Controlled or processed the personal data of not less than 35,000 consumers": This clause sets a numerical threshold, implying that businesses must meet this minimum number of data subjects to fall under the PDPA’s jurisdiction.
• "Excluding personal data controlled or processed solely for the purpose of completing a payment transaction": This exclusion ensures that transactions purely for payment purposes do not count towards the 35,000-consumer threshold.

Implications

The inclusion of this numerical threshold impacts businesses in several ways:

• Scope Limitation: Small and medium-sized enterprises (SMEs) that do not reach the 35,000-consumer threshold are not subject to the PDPA. This reduces the regulatory burden on smaller businesses that may not have the resources to comply with extensive data protection requirements.
• Targeted Applicability: By setting a clear threshold, the law targets larger businesses or those with significant data processing activities, ensuring that entities with substantial consumer data processing activities are held to higher data protection standards.
• Compliance Strategy: Businesses approaching the 35,000-consumer threshold must be vigilant and prepare to comply with the PDPA requirements. This might involve investing in data protection infrastructure and practices to ensure compliance once the threshold is met.
• Exclusion of Payment Data: The exclusion of payment transaction data from the threshold count allows businesses focused on transactional services to avoid being subject to the PDPA based on these activities alone. This nuance ensures that the law focuses more on broader data processing activities rather than routine transactions.

In conclusion, the "Number of Data Subjects" factor in Delaware's PDPA effectively delineates the scope of the law, balancing regulatory oversight with practical thresholds that consider the capacity and impact of businesses operating within the state.