In January 2025, new consumer data privacy laws took effect in Delaware and New Jersey. This article summarizes the key requirements of both new state laws.

Delaware Data Privacy Law—Delaware Personal Data Privacy Act (DPDPA)

On Jan. 1, 2025, the DPDPA took effect. Delaware became the thirteenth state with a comprehensive privacy law, following the recent enactments of data privacy laws in Iowa, Indiana, Florida, Montana, Tennessee, Texas and Oregon. Currently, other states with data privacy laws include California, Colorado, Connecticut, Utah and Virginia.

Who Needs to Comply With the DPDPA?

The Delaware law applies to all “controllers” or “processors” who conduct business in Delaware or produce products or services that are targeted to residents of Delaware and who, during the preceding calendar year, either (a) controlled or processed the personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or (b) controlled or processed the personal data of at least 10,000 consumers AND derived more than 20% of their gross revenue from the sale of personal data. A consumer is an individual who is a resident of Delaware. A consumer does not include an individual acting in a commercial or employment context.

A controller is a person who, alone or jointly with others, determines the purpose and means of processing personal data. A processor is a person that processes personal data on behalf of a controller. Determining whether a person is acting as a controller or processor is a fact-based determination that depends upon the context in which personal data is to be processed. A person who is not limited in processing personal data pursuant to a controller’s instructions or who fails to adhere to such instructions is a controller with respect to a specific processing of data.

What Information and Data Are Protected?

The DPDPA protects personal data, which means any information that is linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information. The DPDPA further defines Sensitive Data and adds an additional layer of protection, requiring consent from a consumer to process such sensitive data. Sensitive data includes any of the following: data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, national origin, citizenship status, or immigration status, genetic or biometric data, personal data of a known child, or precise geolocation data.

What Are a Controller’s Obligations?

In summary, a controller shall:

  • Limit the collection of personal data to the extent reasonably necessary for the disclosed purposes
  • Without the consumer’s consent, not process personal data for purposes that are not reasonably necessary to the disclosed purposes
  • Have reasonable data security practices in place to protect personal data, appropriate to the personal data being processed
  • Not process sensitive data concerning a consumer without the consumer’s consent (in case of a known child, consent from the child’s parent or legal guardian)
  • Not process personal data in a way that would constitute unlawful discrimination
  • Provide a mechanism for a consumer to revoke the consumer’s consent that is at least as easy as the mechanism by which the consumer provided the consent and, upon such revocation, cease to process the data as soon as practicable, but within 15 days after the receipt of such request
  • Without the consumer’s consent, not process personal data for targeted advertising or sell personal data where a controller has actual knowledge or willfully disregards that the consumer is at least 13 years of age but younger than 18 years of age (the Children’s Online Privacy Protection Act applies to children under the age of 13)
  • Not discriminate against a consumer for exercising the consumer’s rights under the DPDPA.

A controller shall provide consumers with a reasonable privacy notice that includes:

  • the categories of personal data processed by the controller
  • the purpose for processing personal data
  • how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision about the consumer’s request
  • the categories of personal data that the controller shares with third parties
  • the categories of third parties with which the controller shares personal data
  • an electronic mail address or other online mechanism that the consumer may use to contact the controller.

If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing.

A controller that controls or processes the data of 100,000 or more consumers, excluding data solely for completing a payment transaction, shall regularly conduct and document a data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to a consumer. If a controller conducts a data protection assessment to comply with another applicable law or regulation, the data protection assessment shall be deemed to satisfy the requirements if such data protection assessment is reasonably similar to the DPDPA data protection assessment.

A heightened risk of harm to a consumer includes: the processing of personal data for the purposes of targeted advertising, the sale of personal data, the processing of personal data for the purposes of profiling, where such profiling presents a certain reasonably foreseeable risk, and the processing of sensitive data.

What Are a Processor’s Obligations?

Processors have certain duties along with their controllers under the DPDPA. In summary, a processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller’s obligations. A contract between a controller and a processor must govern the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract must be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract must also require the processor to take certain actions defined in the DPDPA.

Which Entities or Data Are Exempted From the DPDPA?

The DPDPA narrowly exempts a number of entities, including:

  • State government entities and political subdivisions of the state, but excluding public institutions of higher education
  • Financial institutions and their affiliates subject to the Gramm-Leach-Bliley Act (GLBA)
  • Nonprofit organizations dedicated exclusively to preventing and addressing insurance crime
  • A national securities association registered pursuant to Section 15A of the Securities Exchange Act or a registered futures association designated pursuant to Section 17 of the Commodity Exchange Act.

Covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) are not exempted from the DPDPA.

However, the law contains data-level exceptions, including for HIPAA data. The DPDPA exempts the following personal data:

  • Protected health information under the HIPAA
  • Certain health data under specified laws
  • Certain consumer information regulated under the federal Fair Credit Reporting Act (FCRA)
  • Personal data under the Driver’s Privacy Protection Act (DPPA), the Family Educational Rights and Privacy Act (FERPA), and the Farm Credit Act
  • Certain personal data to the extent preempted by the Airline Deregulation Act
  • Personal data of a victim of or witness to certain crimes that is collected, processed, or maintained by a nonprofit organization that provides services to victims of or witnesses to such crimes
  • Personal data subject to the GLBA
  • Emergency contact information of an individual.

What Data Rights Does a Consumer Have?

A consumer has the right to:

  • confirm whether a controller is processing the consumer’s personal data and access such personal data
  • correct inaccuracies in the consumer’s personal data
  • delete personal data about the consumer
  • obtain a copy of the consumer’s personal data processed by the controller, in a format that allows the consumer to transmit the data to another controller without hindrance
  • obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data
  • opt out of the processing of the personal data for targeted advertising, the sale of personal data, or profiling solely for automated decisions that produce legal effects concerning the consumer.

Who Can Enforce the DPDPA?

The DPDPA does not provide a private right of action. The DPDPA will be enforced solely by the Delaware Department of Justice.

New Jersey Privacy Law—New Jersey Data Privacy Act (NJDPA)

The effective date for New Jersey’s new consumer data privacy law, the NJDPA, was Jan. 15, 2025. Although the New Jersey privacy law and Delaware privacy law have similar approaches, they have different applicability.

Who Needs to Comply With the NJDPA?

The New Jersey law applies to all “controllers” or “processors” who conduct business in New Jersey or produce products or services that are targeted to residents of New Jersey and who, during a calendar year, either (a) control or process the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or (b) control or process the personal data of at least 25,000 consumers AND derive revenue, or receive a discount on the price of any goods or services, from the sale of personal data. A consumer is an identified individual person who is a resident of New Jersey. A consumer does not include a person acting in a commercial or employment context.

A controller is an individual or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data. A processor is a person, private entity, public entity, agency, or other entity that processes personal data on behalf of the controller. Determining whether a person is acting as a controller or processor is a fact-based determination that depends upon the context in which personal data are to be processed. A person who is not limited in the processing of personal data pursuant to a controller’s instructions or who fails to adhere to the instructions shall be deemed a controller with respect to a specific processing of data.

What Information and Data Are Protected?

The NJDPA protects personal data, which means any information that is linked to or reasonably linkable to an identified or identifiable person and does not include de-identified data or publicly available information. The NJDPA further defines Sensitive data and adds an additional layer of protection, requiring consent from a consumer to process such sensitive data. Sensitive data includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition, treatment, or diagnosis, financial information, sex life or sexual orientation, citizenship or immigration status, status as transgender or nonbinary, genetic or biometric data that may be processed for the purpose of uniquely identifying an individual, personal data collected from a known child, and precise geolocation data.

What Are a Controller’s Obligations?

A controller has certain duties under the NJDPA. In summary, a controller shall:

  • Limit the collection of personal data to the extent reasonably necessary for the disclosed purposes
  • Without the consumer’s consent, not process personal data for purposes that are not reasonably necessary to the disclosed purposes
  • Have reasonable data security practices in place to protect personal data, appropriate to the personal data being processed, and to secure personal data from unauthorized acquisition
  • Not process sensitive data concerning a consumer without the consumer’s consent (in case of a known child, consent from the child’s parent or legal guardian)
  • Not process personal data in a way that would constitute unlawful discrimination
  • Provide a mechanism for a consumer to revoke the consumer’s consent that is at least as easy as the mechanism by which the consumer provided the consent and, upon such revocation, cease to process the data as soon as practicable, but within 15 days after the receipt of such request
  • Without the consumer’s consent, not process personal data for targeted advertising or sell personal data, where a controller has actual knowledge or willfully disregards that the consumer is at least 13 years of age but younger than 18 years of age (the Children’s Online Privacy Protection Act applies to children under the age of 13)
  • Specify the purposes for processing personal data
  • Not conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment
  • Not discriminate against a consumer for opting out of the processing of the personal data for sale, targeted advertising, or profiling for automated decisions that produce legal effects concerning the consumer
  • Not require a consumer to create a new account to exercise a consumer right
  • Not discriminate against a consumer for exercising the consumer’s rights

A controller shall provide consumers with a reasonable privacy notice that includes:

  • the categories of personal data processed by the controller
  • the purpose for processing personal data
  • the categories of third parties to which the controller may disclose personal data
  • how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision regarding the consumer’s request
  • the controller’s contact information
  • the process by which the controller notifies consumers of material changes to the privacy notice, along with the effective date of the notice
  • an electronic mail address or other online mechanism that the consumer may use to contact the controller.

If a controller sells personal data to third parties or processes personal data for targeted advertising, the sale of personal data, or profiling for decisions that produce legal effects concerning the consumer, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such sale or processing.

When a controller conducts processing that presents a heightened risk of harm to a consumer, the controller shall conduct and document a data protection assessment of each of the controller’s processing activities. Data protection assessments shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks.

A heightened risk of harm to a consumer includes: the processing of personal data for the purposes of targeted advertising, the sale of personal data, the processing of personal data for the purposes of profiling, where such profiling presents a certain reasonably foreseeable risk, and the processing of sensitive data.

What Are a Processor’s Obligations?

Processors have certain duties along with their controllers under the NJDPA. In summary, a processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller’s obligations. A controller and processor shall consider the context of processing and implement appropriate measures to ensure a level of security appropriate to the risk and establish an allocation of the responsibilities between them to implement the measures. A contract between a controller and a processor must be binding and clearly set forth instructions for processing data, the type of data subject to processing, the duration of processing and the requirements under the NJDPA.

Which Entities or Data Are Exempted From the NJDPA?

The NJDPA narrowly exempts a number of entities, including:

  • State government entities and political subdivisions of the state
  • Financial institutions and their affiliates subject to the GLBA
  • Certain secondary market institutions
  • Certain insurance institutions.

Covered entities and business associates subject to the HIPAA are not exempted from the NJDPA. However, the law exempts protected health information subject to the HIPAA. The NJDPA also does not exempt nonprofit organizations or institutions of higher education. At the data level, the NJDPA contains the following exemptions:

  • Protected health information collected by a covered entity or business associate under the HIPAA
  • Financial data subject to the GLBA
  • Certain sales of consumer personal data covered by the DPPA
  • Personal data collected, processed, sold, or disclosed in compliance with the FCRA
  • Certain health data under specified laws

The NJDPA does not contain an exemption for personal data governed by the FERPA.

What Data Rights Does a Consumer Have?

A consumer has the right to:

  • confirm whether a controller processes the consumer’s personal data and access such personal data
  • correct inaccuracies in the consumer’s personal data
  • delete personal data concerning the consumer
  • obtain a copy of the consumer’s personal data processed by the controller, in a format that allows the consumer to transmit the data to another entity without hindrance
  • opt out of the processing of the personal data for targeted advertising, the sale of personal data, or profiling for decisions that produce legal effects concerning the consumer.

Who Can Enforce the NJDPA?

The NJDPA does not provide a private right of action. The NJDPA will be enforced solely by the New Jersey Attorney General’s Office.

Devin Chwastyk is a member of McNees Wallace & Nurick and the chair of the firm’s privacy and data security group. For more than 15 years, Chwastyk has counseled businesses on compliance with emerging privacy laws. Yangmo (Harvey) Ahn is an associate in the firm’s privacy and data security and intellectual property and patent groups who assists clients with technology-related matters. Ahn recently earned the certified artificial intelligence governance professional (AIGP) credential through the International Association of Privacy Professionals.