USA - Delaware: Sectoral Exceptions Regulated by Other Laws


Sectoral exceptions in the Delaware Personal Data Privacy Act (PDPA) are designed to avoid duplicative regulation by exempting entities and data types already subject to stringent data protection standards under other federal or sectoral laws. This ensures that industries such as healthcare, finance, and research are not overburdened with overlapping compliance requirements.

Text of Relevant Provisions

Delaware PDPA Para.12D-103(c)(9):

"(c) This chapter does not apply to the following information and data: (9) Personal data regulated by the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, et seq., as amended."

Delaware PDPA Para.12D-103(c)(15):

"(c) This chapter does not apply to the following information and data: (d) Controllers and processors that comply with the verifiable parental consent requirements of COPPA shall be deemed compliant with any obligation to obtain parental consent set forth in this chapter with respect to a consumer who is a child."

Delaware PDPA Para.12D-103(c)(8):

"(c) This chapter does not apply to the following information and data: (8) Personal data collected, processed, sold, or disclosed in compliance with the Driver’s Privacy Protection Act of 1994, 18 U.S.C. § 2721, et seq., as amended."

Delaware PDPA Para.12D-103(c)(12):

"(c) This chapter does not apply to the following information and data: (12) Personal data collected, processed, sold, or disclosed in relation to price, route, or service, as such terms are used in the Airline Deregulation Act, 49 U.S.C. § 40101, et seq., as amended, by an air carrier subject to said act, to the extent any part of this chapter is preempted by the Airline Deregulation Act, 49 U.S.C. § 41713, as amended."

Delaware PDPA Para.12D-103(b)(4):

"(b) This chapter does not apply to any of the following entities: (4) A national securities association registered pursuant to § 15A of the Securities Exchange Act of 1934 (15 U.S.C. § 78a, et seq.) and the rules and implementing regulations promulgated thereunder, or a registered futures association so designated pursuant to § 17 of the Commodity Exchange Act (7 U.S.C. § 1, et seq.), as amended, and the rules and implementing regulations promulgated thereunder."

Delaware PDPA Para.12D-103(c)(14):

"(c) This chapter does not apply to the following information and data: (14) Data subject to Title V of the Gramm Leach Bliley Act (15 U.S.C. § 6801, et. seq.) and the rules and implementing regulations promulgated thereunder."

Delaware PDPA Para.12D-103(b)(2):

"(b) This chapter does not apply to any of the following entities: (2) Any financial institution or affiliate of a financial institution, all as defined in 15 U.S.C. 6809, to the extent that the financial institution or affiliate is subject to Title V of the Gramm Leach Bliley Act (15 U.S.C. § 6801, et seq.), as amended, and the rules and implementing regulations promulgated thereunder."

Delaware PDPA Para.12D-103(c)(7):

"(c) This chapter does not apply to the following information and data: (7) The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act (15 U.S.C. § 1681, et seq.)."

Delaware PDPA Para.12D-103(c)(10):

"(c) This chapter does not apply to the following information and data: (10) Personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act, 12 U.S.C. § 2001, et seq., as amended."

Delaware PDPA Para.12D-103(c)(6):

"(c) This chapter does not apply to the following information and data: (6) Information to the extent it is used for public health, community health, or population health activities and purposes, as authorized by HIPAA, when provided by or to a Covered Entity or when provided by or to a Business Associate pursuant to a Business Associate Agreement with a Covered Entity."

Delaware PDPA Para.12D-103(c)(5):

"(c) This chapter does not apply to the following information and data: (5) Patient safety work product, as defined in 42 CFR 3.20, that is created and used for purposes of patient safety improvement pursuant to 42 C.F.R. 3, established pursuant to 42 U.S.C. §§ 299b–21 to 299b–26."

Delaware PDPA Para.12D-103(c)(4):

"(c) This chapter does not apply to the following information and data: (4) Identifiable private information to the extent it is collected and used as part of human subjects research pursuant to the ICH E6 Good Clinical Practice Guideline issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or the protection of human subjects under 21 CFR 50 and 56."

Delaware PDPA Para.12D-103(c)(3):

"(c) This chapter does not apply to the following information and data: (3) Identifiable private information, as defined in 45 CFR § 46.102, to the extent that it is used for purposes of the federal policy for the protection of human subjects pursuant to 45 C.F.R. 46."

Delaware PDPA Para.12D-103(c)(2):

"(c) This chapter does not apply to the following information and data: (2) Patient-identifying information for purposes of 42 U.S.C. § 290dd-2."

Delaware PDPA Para.12D-103(c)(1):

"(c) This chapter does not apply to the following information and data: (1) Protected health information under HIPAA."

Analysis of Provisions

The Delaware Personal Data Privacy Act (PDPA) contains various provisions that create sectoral exceptions to avoid duplicative regulation and ensure that industries already adhering to rigorous federal privacy standards are not subject to overlapping state-level regulations. Here, we analyze these key provisions.

Family Educational Rights and Privacy Act:

Delaware PDPA Para.12D-103(c)(9) exempts personal data regulated by FERPA:

"Personal data regulated by the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, et seq., as amended."

This exemption recognizes the strict privacy protections FERPA provides for educational records.

Children's Online Privacy Protection Act (COPPA):

Delaware PDPA Para.12D-103(c)(15) aligns with COPPA's verifiable parental consent requirements:

"Controllers and processors that comply with the verifiable parental consent requirements of COPPA shall be deemed compliant with any obligation to obtain parental consent set forth in this chapter..."

This provision ensures consistency with COPPA’s established standards for protecting children’s online privacy.

Driver’s Privacy Protection Act:

Delaware PDPA Para.12D-103(c)(8) exempts data under the Driver’s Privacy Protection Act:

"Personal data collected, processed, sold, or disclosed in compliance with the Driver’s Privacy Protection Act of 1994, 18 U.S.C. § 2721, et seq., as amended."

This recognizes the federal protections in place for motor vehicle records.

Airline Deregulation Act:

Delaware PDPA Para.12D-103(c)(12) exempts data related to airline services:

"Personal data collected, processed, sold, or disclosed in relation to price, route, or service, as such terms are used in the Airline Deregulation Act, 49 U.S.C. § 40101, et seq., as amended, by an air carrier subject to said act..."

This ensures compliance with federal regulations governing the airline industry.

Securities Exchange Act and Commodity Exchange Act:

Delaware PDPA Para.12D-103(b)(4) exempts national securities associations and futures associations:

"A national securities association registered pursuant to § 15A of the Securities Exchange Act of 1934 (15 U.S.C. § 78a, et seq.) ... or a registered futures association so designated pursuant to § 17 of the Commodity Exchange Act (7 U.S.C. § 1, et seq.)."

This aligns with federal regulation of securities and commodities markets.

Gramm-Leach-Bliley Act:

Delaware PDPA Para.12D-103(c)(14) and Para.12D-103(b)(2) exempt financial institutions:

  • "Data subject to Title V of the Gramm Leach Bliley Act (15 U.S.C. § 6801, et. seq.) and the rules and implementing regulations promulgated thereunder."
  • "Any financial institution or affiliate of a financial institution ... subject to Title V of the Gramm Leach Bliley Act (15 U.S.C. § 6801, et seq.)."

These exemptions recognize the rigorous privacy and data security requirements already imposed on financial institutions under GLBA.

Fair Credit Reporting Act:

Delaware PDPA Para.12D-103(c)(7) exempts data governed by the Fair Credit Reporting Act:

"The collection, maintenance, disclosure, sale, communication, or use of any personal information ... by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report ... regulated by and authorized under the federal Fair Credit Reporting Act (15 U.S.C. § 1681, et seq.)."

This acknowledges the comprehensive federal framework governing credit reporting.

Farm Credit Act:

Delaware PDPA Para.12D-103(c)(10) exempts data under the Farm Credit Act:

"Personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act, 12 U.S.C. § 2001, et seq., as amended."

This provision aligns with federal protections for agricultural credit data.

Health-Related Data:

Multiple provisions exempt health-related data regulated by federal laws such as HIPAA and others:

  • Delaware PDPA Para.12D-103(c)(1) exempts protected health information under HIPAA.
  • Delaware PDPA Para.12D-103(c)(2) exempts patient-identifying information under 42 U.S.C. § 290dd-2.
  • Delaware PDPA Para.12D-103(c)(5) exempts patient safety work product.
  • Delaware PDPA Para.12D-103(c)(6) exempts information for public health activities authorized by HIPAA.
  • Delaware PDPA Para.12D-103(c)(3) and Para.12D-103(c)(4) exempt identifiable private information used in human subjects research.

These exemptions acknowledge the stringent federal standards governing health information and research data.

Implications

For businesses operating in Delaware, these sectoral exceptions imply:

  • Educational Institutions: Compliance with FERPA is sufficient for personal data management, avoiding additional state-level requirements.
  • Children's Online Services: Adhering to COPPA's parental consent requirements ensures compliance with state data protection laws.
  • Automotive and Aviation: Businesses in these sectors need only comply with federal privacy regulations, not additional state laws.
  • Financial and Securities Industries: Exemptions for data governed by GLBA and the Securities Exchange Act reduce regulatory overlap.
  • Healthcare Providers and Researchers: Extensive exemptions for health-related data allow entities to focus on federal privacy standards like HIPAA.
  • Credit Reporting Agencies: Activities regulated by the Fair Credit Reporting Act are exempt, ensuring data is managed according to existing federal laws.

These provisions streamline compliance: businesses are not subject to redundant regulations and can adhere to the specific federal standards relevant to their industry.

