(a) This chapter applies to persons that conduct business in the State or persons that produce products or services that are targeted to residents of the State and that during the preceding calendar year did any of the following: (1) Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction. (2) Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data. (b) This chapter does not apply to any of the following entities: (1) Any regulatory, administrative, advisory, executive, appointive, legislative, or judicial body of the State or a political subdivision of the State, including any board, bureau, commission, agency of the State or a political subdivision of the State, but excluding any institution of higher education. (2) Any financial institution or affiliate of a financial institution, all as defined in 15 U.S.C. § 6809, to the extent that the financial institution or affiliate is subject to Title V of the Gramm Leach Bliley Act (15 U.S.C. § 6801, et seq., as amended) and the rules and implementing regulations promulgated thereunder. (3) Any nonprofit organization dedicated exclusively to preventing and addressing insurance crime. (4) A national securities association registered pursuant to § 15A of the Securities Exchange Act of 1934 (15 U.S.C. § 78o-3, as amended) and the rules and implementing regulations promulgated thereunder, or a registered futures association so designated pursuant to § 17 of the Commodity Exchange Act (7 U.S.C. § 21, as amended) and the rules and implementing regulations promulgated thereunder. (c) This chapter does not apply to the following information and data: (1) Protected health information under HIPAA. (2) Patient-identifying information for purposes of 42 U.S.C. § 290dd-2. (3) Identifiable private information, as defined in 45 C.F.R. § 46.102, to the extent that it is used for purposes of the federal policy for the protection of human subjects pursuant to 45 C.F.R. Part 46. (4) Identifiable private information to the extent it is collected and used as part of human subjects research pursuant to the ICH E6 Good Clinical Practice Guideline issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or the protection of human subjects under 21 C.F.R. Parts 50 and 56. (5) Patient safety work product, as defined in 42 C.F.R. § 3.20, that is created and used for purposes of patient safety improvement pursuant to 42 C.F.R. Part 3, established pursuant to 42 U.S.C. §§ 299b-21 to 299b-26. (6) Information to the extent it is used for public health, community health, or population health activities and purposes, as authorized by HIPAA, when provided by or to a covered entity or when provided by or to a business associate pursuant to a business associate agreement with a covered entity. (7) The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act (15 U.S.C. § 1681, et seq., as amended). (8) Personal data collected, processed, sold, or disclosed in compliance with the Driver's Privacy Protection Act of 1994, 18 U.S.C. § 2721, et seq., as amended. (9) Personal data regulated by the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, et seq., as amended. (10) Personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act, 12 U.S.C. § 2001, et seq., as amended. (11) Data processed or maintained in any of the following ways: a. In the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role. b. As the emergency contact information of an individual, used for emergency contact purposes. c. Necessary to retain to administer benefits for another individual relating to the individual who is the subject of the information under paragraph (c)(11)a. of this section and used for the purposes of administering such benefits. (12) Personal data collected, processed, sold, or disclosed in relation to price, route, or service, as such terms are used in the Airline Deregulation Act, 49 U.S.C. § 40101, et seq., as amended, by an air carrier subject to said act, to the extent any part of this chapter is preempted by the Airline Deregulation Act, 49 U.S.C. § 41713, as amended. (13) Personal data of a victim of or witness to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking that is collected, processed, or maintained by a nonprofit organization that provides services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking. (14) Data subject to Title V of the Gramm Leach Bliley Act (15 U.S.C. § 6801, et. seq., as amended) and the rules and implementing regulations promulgated thereunder. (d) Controllers and processors that comply with the verifiable parental consent requirements of COPPA shall be deemed compliant with any obligation to obtain parental consent set forth in this chapter with respect to a consumer who is a child.
‹ Prev All Delaware sections Next ›
Lexace provides legal information, not legal advice, and no attorney–client relationship is created. Statute text is provided for general information and may not reflect the most recent amendments; verify against the official state code.