by PC Shea, UD Privacy Officer
The Delaware Personal Data Privacy Protection Act (“DPDPA”) went into effect in January. Passed in 2023 with much fanfare, the DPDPA requires those using personal information about Delaware consumers to be transparent regarding how and why they collect and use the information. Personal information includes any information that is linked or reasonably linkable to an individual who can be readily identified, directly or indirectly. The DPDPA also conveys rights to consumers in their personal information, such as the right to access it, correct it, or delete it, and it establishes timeframes for responding to these requests and for notifying consumers if a breach of their personal information occurs.
The DPDPA could require businesses, including the University of Delaware, to rethink their data collection practices. However, in 2022, the University adopted the “Personally Identifying Information Policy” (the “Policy”). The Policy incorporated the transparency practices the DPDPA is now mandating, and it acknowledged that consumers have rights in their personal information. The DPDPA includes some additional requirements, such as timeframes for responding to consumer requests regarding their personal information and for notifying them if breaches occur. The Policy has been updated to reflect these additional requirements. The University’s privacy statement (available on its website) has also been updated to provide some additional information specific to the DPDPA. So, the University is already poised to meet the DPDPA requirements.
From an ongoing compliance perspective, however, the DPDPA adds an extra layer to the privacy equation because it applies to businesses, including the University, even though they may be subject to other privacy laws. Typically, when a business is subject to one privacy law, other privacy laws exclude it because the personal information is already protected.
For example, a tremendous amount of the personal information used for University operations is already subject to a number of privacy laws, including the Family Educational Records and Privacy Act (“FERPA”) (student information), the Health Insurance Portability and Accountability Act (“HIPAA”) (patient information), and the Gramm-Leach-Bliley Act (“GLBA”) (financial information). In addition, personal information collected during research or included within a patient safety work product is also subject to other privacy laws, as is personal data used to complete a payment transaction (e.g., ticket sales). In each case, these laws mandate certain practices and safeguards for the personal information to which they apply.
The DPDPA does not exclude businesses subject to other privacy laws, but it excludes the personal information subject to those laws. As such, the DPDPA is a “catch-all” privacy law that applies to personal information not covered by anything else.
In total there are fifteen categories of personal information that the DPDPA excludes from its scope, including those mentioned above. Because so much of the personal information the University uses falls within these fifteen categories, the DPDPA footprint at the University is quite small. However, it cannot be ignored because, while the other privacy laws have provisions in common with the DPDPA, they vary to some degree with respect to transparency requirements and timeframes for responding to consumer requests and for notifying them of breaches. The regulatory agencies charged with enforcing the laws also vary, as do the penalties for noncompliance.
Because the DPDPA is a new law, consumers may want to test it. As noted above, determining whether the personal information is subject to the DPDPA is the first step in responding to a request invoking the DPDPA, and it can be confusing to figure that out. Even if the DPDPA does not apply, one of the other privacy laws likely does and will require a response according to that law’s requirements.
If you receive an inquiry regarding the University’s compliance with the DPDPA or requests from consumers to exercise their DPDPA rights, please forward the request to PrivacyOffice@udel.edu. Together we will respond to the request in accordance with all applicable laws.