Global Data Privacy Guide |
|
USA, Delaware |
|
| (United States) Firm Richards, Layton & Finger, P.A. Updated 12 Aug 2025 | |
| 1. What is the key legislation? | Three statutes generally govern data security and privacy in the State of Delaware: • The Delaware Personal Data Privacy Act, 6 Del. C. § 12D-101 et seq. (“DPDPA”) |
| 2. What are the key decisions applying that legislation? | None as yet. |
| 1. How are “personal data” and “sensitive data” defined? | The DPDPA defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable individual, and does not include de-identified data or publicly available information.” 6 Del. C. § 12D-102(21). The DPDPA defines “Sensitive Data” as “personal data that includes any of the following: a. Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, citizenship status, or immigration status. b. Genetic or biometric data. c. Personal data of a known child. d. Precise geolocation data.” Id. § 12D-102(30). The DOPPA defines “personally identifiable information” as “any personally identifiable information about a user of a commercial internet website, online or cloud computing service, online application, or mobile application that is collected online by the operator of that commercial internet website, online service, online application, or mobile application from that user and maintained by the operator in an accessible form, including a first and last name, a physical address, an e-mail address, a telephone number, a Social Security number, or any other identifier that permits the physical or online contacting of the user, and any other information concerning the user collected by the operator of the commercial internet website, online service, online application, or mobile application from the user and maintained in personally identifiable form in combination with any identifier described in this paragraph.” Id. § 1202C(15). The CSB Statute defines “personal Information” as “a Delaware resident’s first name or first initial and last name in combination with any 1 or more of the following data elements that relate to that individual: 1. Social Security number. 2. Driver's license number or state or federal identification card number. 
3. Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account. 4. Passport number. 5. A username or email address, in combination with a password or security question and answer that would permit access to an online account. 6. Medical history, medical treatment by a healthcare professional, diagnosis of mental or physical condition by a health care professional, or deoxyribonucleic acid profile. 7. Health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer to identify the person. 8. Unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes. 9. An individual taxpayer identification number.” Id. § 12B-101(7)(a). |
| 2. How is the defined data protected? | The DPDPA requires that reasonable administrative, technical, and physical measures be taken to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. 6 Del. C. § 12D-110(f). The CSB Statute requires those subject to its requirements to implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business. Id. § 12B-100. |
| 3. Who is subject to privacy obligations? | The DPDPA imposes obligations on persons who conduct business in the State of Delaware or persons who produce products or services targeted to residents of the State of Delaware and who during the preceding calendar year: • controlled or processed the personal data of not less than 35,000 consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction), or • controlled or processed the personal data of not less than 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data. • an operator of an internet website, online or cloud computing service, online application, or mobile application directed to children, and • an advertising service that provides marketing or advertising for such a website, service, or application that has been notified by the operator that the operator’s website, service, or application is directed to children. The CSB Statute applies to any person who conducts business in the State of Delaware and owns, licenses, or maintains personal information. Id. § 12B-100. |
| 4. How is “data processing” defined? | The DPDPA addresses data processing and defines “process” or “processing” as “any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.” 6 Del. C. § 12D-102(23). |
| 5. What are the principles applicable to personal data processing? | As stated in a September 2, 2024, letter from the Attorney General of the State of Delaware addressed to businesses regarding the implementation of the DPDPA, the principles of personal data processing reflected in the law are transparency, data minimization, security, accountability, and documentation. |
| 6. How is the processing of personal data regulated? | The DPDPA requires a controller (i.e., someone who determines the purpose and means of processing personal data) to, among other things: • limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed; 6 Del. C. § 12D-106(a). Controllers must also provide to consumers a reasonably accessible, clear, and meaningful privacy notice that includes certain mandatory disclosures set forth in the DPDPA; a mechanism for consumers to revoke consent; and a means by which consumers can opt out of the sale of personal data or processing of personal data for targeted advertising. Id. § 12D-106(c)–(e). |
| 7. How are storage, security and retention of personal data regulated? | Under the DPDPA, a contract between a controller and a processor regarding data processing must require that the processor delete or return all personal data to the controller once the services have been provided (unless retention is required by law). 6 Del. C. § 12D-107(b). |
| 8. What are the data subjects' rights under the data legislation? | Under the DPDPA, a consumer has the right to: • confirm whether a controller is processing the consumer’s personal data and access such personal data (unless doing so would require the controller to reveal a trade secret); |
| 9. What are the consent requirements for data subjects? | Under the DPDPA, a controller must obtain a consumer’s consent to process the consumer’s personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes disclosed to the consumer for which such personal data is processed. 6 Del. C. § 12D-106(a)(2). A controller must also obtain a consumer’s consent to process the consumer’s sensitive data (or the consent of a parent or lawful guardian of a known child to process the latter’s sensitive data). Id. § 12D-106(a)(4). If the controller has actual knowledge or wilfully disregards that the consumer is at least 13 years of age but younger than 18 years of age, the controller may not process the consumer’s personal data for targeted advertising or sell the consumer’s personal data without the consumer’s consent. Id. § 12D-106(a)(7). The DPDPA also requires the controller to establish a mechanism for the consumer to revoke consent. Id. § 12D-106(a)(6). Under the DOPPA, a book service provider (i.e., a commercial entity that provides individuals with the ability to rent, purchase, borrow, browse, or view books electronically or via the Internet) may disclose a user’s book service information (generally, certain identifying information regarding the user of such a service or the user’s access to a book) to a person if the user has given informed, affirmative consent in writing to the specific disclosure to the specific person for a particular purpose. Id. § 1206C(a)(4). |
| 10. How is authorization for use of data handled? | The DPDPA requires a controller to provide consumers with a reasonably accessible, clear, and meaningful privacy notice. 6 Del. C. § 12D-106(c). The privacy notice must include: • the categories of personal data processed by the controller; Id. § 12D-106(c). A controller must obtain a consumer’s consent to process the consumer’s personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes disclosed to the consumer for which such personal data is processed. Id. § 12D-106(a)(2). |
| 11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers? | The DPDPA, the DOPPA, and the CSB Statute do not regulate cross-border data transfers. |
| 12. How are data "incidents" and "breaches" defined? | The CSB Statute defines “breach of security” as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.” 6 Del. C. § 12B-101(1)(a). This definition excludes the good-faith acquisition of personal information by an employee or agent of any person for the purposes of such person, provided that the personal information is not used for an unauthorized purpose or subject to further unauthorized disclosure. Id. |
| 13. Are there any notification requirements for incidents and/or data breaches? | Yes. Under the CSB Statute, notice must be provided to any resident of the State of Delaware whose personal information was breached or is reasonably believed to have been breached, unless, after an appropriate investigation, it is reasonably determined that the breach of security is unlikely to result in harm to the individuals whose personal information has been breached. 6 Del. C. § 12B-102(a). If the breach requires notification to more than 500 residents of Delaware, notice must also be provided to the Attorney General of the State of Delaware. Id. § 12B-102(d). |
| 14. Who is/are the privacy regulator(s)? | The Delaware Department of Justice has authority to enforce the DPDPA. 6 Del. C. § 12D-111(a). The Consumer Protection Unit of the Delaware Department of Justice has the authority to enforce the DOPPA. Id. § 1203C. The Attorney General of the State of Delaware pursuant to the enforcement duties and powers of the Director of Consumer Protection of the Delaware Department of Justice has the authority to enforce the CSB statute. Id. § 12B-104(a). |
| 15. What are the consequences of a data breach? | In the event of a data security breach, the CSB Statute requires affected residents of the State of Delaware and the Attorney General of the State of Delaware to be notified under certain circumstances. Additionally, if the breach of security includes a Social Security number, each resident whose personal information was breached or is reasonably believed to have been breached must be offered credit monitoring at no cost for one year and be provided information on how to place a credit freeze on such resident’s credit file. 6 Del. C. § 12B-102(e). |
| 16. How is electronic marketing regulated? | Under the DPDPA, a controller must make available to the consumer a privacy policy that discloses the processing of personal data for targeted advertising and provides a means by which consumers can opt out of such processing. 6 Del. C. § 12D-106(d). If the controller has actual knowledge or wilfully disregards that the consumer is at least 13 years of age but younger than 18 years of age, the controller may not process the consumer’s personal data for purposes of targeted advertising. Id. § 12D-106(a)(7). The DOPPA prohibits the operator of an internet website, online or cloud computing service, online application, or mobile application from marketing or advertising certain products or services (listed below) if (1) the website, service, or application is directed to children, or (2) the operator has actual knowledge that a child is using its website, service, or application and the marketing or advertising is directed to the child based upon information specific to that child. In either instance, the operator may not knowingly use, disclose, or compile, or allow another person to use, disclose, or compile, the personal information of the child if the operator has actual knowledge that the child’s personally identifiable information will be used for marketing or advertising the following products and services: • alcoholic liquor; |
| 17. Are there sector-specific or industry-specific privacy requirements? | The DOPPA prohibits a book service provider (i.e., a commercial entity that provides individuals with the ability to rent, purchase, borrow, browse, or view books electronically or via the Internet) from knowingly disclosing, or being compelled to disclose, book service information about a user to any person, except in certain circumstances. 6 Del. C. § 1206C. The Insurance Data Security Act, 18 Del. C. § 8601, et seq., applies to persons who are licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered, under the insurance laws of the State of Delaware. |
| 18. What are the requirements for appointing Data Protection Officers or similar roles? | The DPDPA, the DOPPA, and the CSB Statute do not require the appointment of a data protection officer. |
| 19. What are the record-keeping and documentation obligations? | Not applicable. |
| 20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)? | Under the DPDPA, a controller that controls or processes the data of not less than 100,000 consumers (excluding data controlled or processed solely for the purpose of completing a payment transaction) must conduct and document, on a regular basis, a data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to a consumer. 6 Del. C. § 12D-108(a). A heightened risk of harm to a consumer includes the processing of personal data for the purposes of targeted advertising; the sale of personal data; the processing of sensitive data; and the processing of personal data for the purposes of profiling that presents a reasonably foreseeable risk of: • unfair or deceptive treatment of, or unlawful disparate impact on, consumers; |
| 21. What are the requirements for third-party vendor management and data sharing? | Under the DPDPA, a contract between the controller and a processor regarding data processing procedures must address the nature and purpose of the processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. 6 Del. C. § 12D-107(b). The contract must require that the processor: • ensure that each person processing personal data is subject to a duty of confidentiality; • at the time of disclosure, the disclosing controller or processor did not have actual knowledge that the receiving processor or third-party controller had violated or would violate the DPDPA, and Under the DOPPA, the operator of a commercial internet website, online or cloud computing service, online application, or mobile application that collects personally identifiable information through the Internet about individual users who reside in the State of Delaware and who use or visit the such website, service, or application must make available a privacy policy that identifies the categories of third-parties with whom the operator may share such personally identifiable information. Id. § 1205C(a)–(b)(1). |
| 22. What are the penalties and enforcement mechanisms for non-compliance? | The Delaware Department of Justice may investigate and prosecute violations of the DPDPA in accordance with the provisions of Delaware’s consumer protection laws, which authorize the issuance of cease-and desist-orders; the pursuit of administrative remedies for violations; the initiation and prosecution of civil or criminal actions in any court of competent jurisdiction; the pursuit of restitution, rescission, reformation of contract, recoupment, disgorgement of profits or any moneys improperly obtained, or otherwise prevent unjust enrichment against violators; and any other lawful action to enforce the consumer protection statutes and to carry out their purposes. 6 Del. C. § 12D-11125; 29 Del. C. § 2520(a). The Consumer Protection Unit of the Delaware Department of Justice may investigate and prosecute violations of the DOPPA in accordance with the provisions of Delaware’s consumer protection laws, which authorize the issuance of cease-and desist-orders; the pursuit of administrative remedies for violations; the initiation and prosecution of civil or criminal actions in any court of competent jurisdiction; the pursuit of restitution, rescission, reformation of contract, recoupment, disgorgement of profits or any moneys improperly obtained, or otherwise prevent unjust enrichment against violators; and any other lawful action to enforce the consumer protection statutes and to carry out their purposes. 6 Del. C. § 1203C; 29 Del. C. § 2520(a). The Attorney General of the State of Delaware may bring an action in law or equity to address violations of the CSB statute and for other relief that may be appropriate to ensure proper compliance with the statute, or to recover direct economic damages resulting from a violation, or both. 6 Del. C. § 12B-104. |
| 23. What are the ongoing compliance and audit requirements? | Under the DPDPA, a controller that controls or processes the data of not less than 100,000 consumers, excluding data controlled or processed solely for the purpose of completing a payment transaction, must conduct and document, on a regular basis, a data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to a consumer. 6 Del. C. § 12D-108(a). |
| 24. Are there any recent developments or expected reforms? | Both the DPDPA and the DOPPA went into effect on January 1, 2025. The DPDPA’s data protection assessment requirements apply to processing activities created or generated on or after July 1, 2025. 6 Del. C. § 12D-108(f). By no later than January 1, 2026, a controller must allow a consumer to use an opt-out preference signal sent by a platform, technology, or mechanism to indicate the consumer’s intent to opt out of the sale of the consumer’s personal data or the processing of such data for targeted advertising. Id. § 12D-106(e)(1)(a)(2). Until December 31, 2025, before initiating any action for a violation of any provision of DPDPA, the Delaware Department of Justice must issue a notice of violation to the controller if it determines that a cure is possible. Id. § 12D-111(b). If the controller fails to cure the violation within 60 days of receiving notice, the Department of Justice may bring an enforcement proceeding. Id. Starting on January 1, 2026, in determining whether to afford an opportunity to cure, the Department of Justice may consider: • the number of violations; Id. § 12D-111(c) |
Global Data Privacy Guide
Three statutes generally govern data security and privacy in the State of Delaware:
• The Delaware Personal Data Privacy Act, 6 Del. C. § 12D-101 et seq. (“DPDPA”)
• The Delaware Online Privacy and Protection Act, 6 Del. C. § 1201C et seq. (“DOPPA”)
• The Computer Security Breaches statute, 6 Del. C. § 12B-100 et seq. (“CSB Statute”)
This overview of these laws is a summary only; the text of these statutes should be consulted, under the guidance of legal counsel, for their definitions, exceptions, conditions, cross-references, exact wording, complete sections, and other matters that may affect the interpretation and application of these statutes.
None as yet.
The DPDPA defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable individual, and does not include de-identified data or publicly available information.” 6 Del. C. § 12D-102(21). The DPDPA defines “Sensitive Data” as “personal data that includes any of the following: a. Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, citizenship status, or immigration status. b. Genetic or biometric data. c. Personal data of a known child. d. Precise geolocation data.” Id. § 12D-102(30).
The DOPPA defines “personally identifiable information” as “any personally identifiable information about a user of a commercial internet website, online or cloud computing service, online application, or mobile application that is collected online by the operator of that commercial internet website, online service, online application, or mobile application from that user and maintained by the operator in an accessible form, including a first and last name, a physical address, an e-mail address, a telephone number, a Social Security number, or any other identifier that permits the physical or online contacting of the user, and any other information concerning the user collected by the operator of the commercial internet website, online service, online application, or mobile application from the user and maintained in personally identifiable form in combination with any identifier described in this paragraph.” Id. § 1202C(15).
The CSB Statute defines “personal Information” as “a Delaware resident’s first name or first initial and last name in combination with any 1 or more of the following data elements that relate to that individual: 1. Social Security number. 2. Driver's license number or state or federal identification card number. 3. Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account. 4. Passport number. 5. A username or email address, in combination with a password or security question and answer that would permit access to an online account. 6. Medical history, medical treatment by a healthcare professional, diagnosis of mental or physical condition by a health care professional, or deoxyribonucleic acid profile. 7. Health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer to identify the person. 8. Unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes. 9. An individual taxpayer identification number.” Id. § 12B-101(7)(a).
The DPDPA requires that reasonable administrative, technical, and physical measures be taken to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. 6 Del. C. § 12D-110(f).
The CSB Statute requires those subject to its requirements to implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business. Id. § 12B-100.
The DPDPA imposes obligations on persons who conduct business in the State of Delaware or persons who produce products or services targeted to residents of the State of Delaware and who during the preceding calendar year:
• controlled or processed the personal data of not less than 35,000 consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction), or
• controlled or processed the personal data of not less than 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data.
6 Del. C. § 12D-103(a). This law exempts certain categories of entities from its requirements (such as financial institutions subject to the data security and privacy obligations of the federal Gramm Leach Bliley Act), as well as certain categories of data (such as protected health information regulated under the federal Health Insurance Portability and Accountability Act).
The DOPPA’s restrictions on marketing or advertising certain products and services to minors apply to:
• an operator of an internet website, online or cloud computing service, online application, or mobile application directed to children, and
• an advertising service that provides marketing or advertising for such a website, service, or application that has been notified by the operator that the operator’s website, service, or application is directed to children.
Id. § 1204C(a), (d), (e).
The DOPPA’s restrictions on the disclosure of book service information apply to any commercial entity that offers to the public a book service (i.e., a service by which an entity, as its primary purpose, provides individuals with the ability to rent, purchase, borrow, browse, or view books electronically or via the Internet). Id. § 1202C(3)–(5); id. § 1206C.
The CSB Statute applies to any person who conducts business in the State of Delaware and owns, licenses, or maintains personal information. Id. § 12B-100.
The DPDPA addresses data processing and defines “process” or “processing” as “any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.” 6 Del. C. § 12D-102(23).
As stated in a September 2, 2024, letter from the Attorney General of the State of Delaware addressed to businesses regarding the implementation of the DPDPA, the principles of personal data processing reflected in the law are transparency, data minimization, security, accountability, and documentation.
The DPDPA requires a controller (i.e., someone who determines the purpose and means of processing personal data) to, among other things:
• limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed;
• not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, unless the controller obtains the consumer's consent;
• establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue;
• not process sensitive data concerning a consumer without obtaining the consumer’s consent, or the consent of a child’s parent or lawful guardian for the processing of sensitive data concerning a known child; and
• not process personal data in violation of the laws of this State and federal laws that prohibit unlawful discrimination.
6 Del. C. § 12D-106(a).
Controllers must also provide to consumers a reasonably accessible, clear, and meaningful privacy notice that includes certain mandatory disclosures set forth in the DPDPA; a mechanism for consumers to revoke consent; and a means by which consumers can opt out of the sale of personal data or processing of personal data for targeted advertising. Id. § 12D-106(c)–(e).
Under the DPDPA, a contract between a controller and a processor regarding data processing must require that the processor delete or return all personal data to the controller once the services have been provided (unless retention is required by law). 6 Del. C. § 12D-107(b).
Under the DPDPA, a consumer has the right to:
• confirm whether a controller is processing the consumer’s personal data and access such personal data (unless doing so would require the controller to reveal a trade secret);
• correct inaccuracies in the consumer’s personal data;
• delete personal data provided by, or obtained about, the consumer;
• obtain a copy of the consumer’s personal data processed by the controller where the processing is carried out by automated means (provided that the copy does not reveal any trade secret of the controller);
• obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data; and
• opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data (subject to certain exceptions), or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
6 Del. C. § 12D-104(a).
Under the DPDPA, a controller must obtain a consumer’s consent to process the consumer’s personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes disclosed to the consumer for which such personal data is processed. 6 Del. C. § 12D-106(a)(2).
A controller must also obtain a consumer’s consent to process the consumer’s sensitive data (or the consent of a parent or lawful guardian of a known child to process the latter’s sensitive data). Id. § 12D-106(a)(4). If the controller has actual knowledge or wilfully disregards that the consumer is at least 13 years of age but younger than 18 years of age, the controller may not process the consumer’s personal data for targeted advertising or sell the consumer’s personal data without the consumer’s consent. Id. § 12D-106(a)(7).
The DPDPA also requires the controller to establish a mechanism for the consumer to revoke consent. Id. § 12D-106(a)(6).
Under the DOPPA, a book service provider (i.e., a commercial entity that provides individuals with the ability to rent, purchase, borrow, browse, or view books electronically or via the Internet) may disclose a user’s book service information (generally, certain identifying information regarding the user of such a service or the user’s access to a book) to a person if the user has given informed, affirmative consent in writing to the specific disclosure to the specific person for a particular purpose. Id. § 1206C(a)(4).
The DPDPA requires a controller to provide consumers with a reasonably accessible, clear, and meaningful privacy notice. 6 Del. C. § 12D-106(c). The privacy notice must include:
• the categories of personal data processed by the controller;
• the purpose for processing personal data;
• how consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision with regard to the consumer's request;
• the categories of personal data that the controller shares with third parties, if any;
• the categories of third parties with which the controller shares personal data, if any;
• an active electronic mail address or other online mechanism that the consumer may use to contact the controller.
Id. § 12D-106(c). A controller must obtain a consumer’s consent to process the consumer’s personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes disclosed to the consumer for which such personal data is processed. Id. § 12D-106(a)(2).
The DOPPA also requires that a privacy policy be made conspicuously available on any commercial internet website, online or cloud computing service, online application, or mobile application that collects personally identifiable information through the Internet about individual users residing in Delaware who use or visit such website, service, or application. Id. § 1205C(a).
The DPDPA, the DOPPA, and the CSB Statute do not regulate cross-border data transfers.
The CSB Statute defines “breach of security” as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.” 6 Del. C. § 12B-101(1)(a). This definition excludes the good-faith acquisition of personal information by an employee or agent of any person for the purposes of such person, provided that the personal information is not used for an unauthorized purpose or subject to further unauthorized disclosure. Id.
Yes. Under the CSB Statute, notice must be provided to any resident of the State of Delaware whose personal information was breached or is reasonably believed to have been breached, unless, after an appropriate investigation, it is reasonably determined that the breach of security is unlikely to result in harm to the individuals whose personal information has been breached. 6 Del. C. § 12B-102(a). If the breach requires notification to more than 500 residents of Delaware, notice must also be provided to the Attorney General of the State of Delaware. Id. § 12B-102(d).
The Delaware Department of Justice has authority to enforce the DPDPA. 6 Del. C. § 12D-111(a).
The Consumer Protection Unit of the Delaware Department of Justice has the authority to enforce the DOPPA. Id. § 1203C.
The Attorney General of the State of Delaware, pursuant to the enforcement duties and powers of the Director of Consumer Protection of the Delaware Department of Justice, has the authority to enforce the CSB Statute. Id. § 12B-104(a).
In the event of a data security breach, the CSB Statute requires affected residents of the State of Delaware and the Attorney General of the State of Delaware to be notified under certain circumstances. Additionally, if the breach of security includes a Social Security number, each resident whose personal information was breached or is reasonably believed to have been breached must be offered credit monitoring at no cost for one year and be provided information on how to place a credit freeze on such resident’s credit file. 6 Del. C. § 12B-102(e).
Under the DPDPA, a controller must make available to the consumer a privacy policy that discloses the processing of personal data for targeted advertising and provides a means by which consumers can opt out of such processing. 6 Del. C. § 12D-106(d). If the controller has actual knowledge or wilfully disregards that the consumer is at least 13 years of age but younger than 18 years of age, the controller may not process the consumer’s personal data for purposes of targeted advertising. Id. § 12D-106(a)(7).
The DOPPA prohibits the operator of an internet website, online or cloud computing service, online application, or mobile application from marketing or advertising certain products or services (listed below) if (1) the website, service, or application is directed to children, or (2) the operator has actual knowledge that a child is using its website, service, or application and the marketing or advertising is directed to the child based upon information specific to that child. In either instance, the operator may not knowingly use, disclose, or compile, or allow another person to use, disclose, or compile, the personal information of the child if the operator has actual knowledge that the child’s personally identifiable information will be used for marketing or advertising the following products and services:
• alcoholic liquor;
• tobacco products, smokeless tobacco products, or moist snuff;
• tobacco substitutes;
• firearm or ammunition for a firearm;
• electronic control devices;
• fireworks;
• tanning equipment or device or tanning facility;
• dietary supplement products containing ephedrine group alkaloids;
• lottery, internet lottery, internet table games, internet ticket games, internet video lottery, sports lottery, table game, video lottery, or video lottery facility;
• Salvia divinorum or Salvinorin A, or any substance or material containing Salvia divinorum or Salvinorin A;
• body-piercing;
• branding;
• tattoos;
• drug paraphernalia;
• tongue-splitting; or
• any material, including any book, article, magazine, publication, or written matter of any kind, drawing, etching, painting, photograph, video, film, motion picture, or sound recording, which is sexually-oriented and predominately appeals to the prurient, shameful, or morbid interest of minors, is patently offensive to prevailing standards in the adult community as a whole with respect to what is suitable material for minors, and taken as a whole lacks serious literary, artistic, political, social, or scientific value for minors; or a projectile weapon.
Id. § 1204C.
The DOPPA prohibits a book service provider (i.e., a commercial entity that provides individuals with the ability to rent, purchase, borrow, browse, or view books electronically or via the Internet) from knowingly disclosing, or being compelled to disclose, book service information about a user to any person, except in certain circumstances. 6 Del. C. § 1206C.
The Insurance Data Security Act, 18 Del. C. § 8601, et seq., applies to persons who are licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered, under the insurance laws of the State of Delaware.
The DPDPA, the DOPPA, and the CSB Statute do not require the appointment of a data protection officer.
Not applicable.
Under the DPDPA, a controller that controls or processes the data of not less than 100,000 consumers (excluding data controlled or processed solely for the purpose of completing a payment transaction) must conduct and document, on a regular basis, a data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to a consumer. 6 Del. C. § 12D-108(a).
A heightened risk of harm to a consumer includes the processing of personal data for the purposes of targeted advertising; the sale of personal data; the processing of sensitive data; and the processing of personal data for the purposes of profiling that presents a reasonably foreseeable risk of:
• unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
• financial, physical, or reputational injury to consumers;
• a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or
• other substantial injury to consumers.
Under the DPDPA, a contract between the controller and a processor regarding data processing procedures must address the nature and purpose of the processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. 6 Del. C. § 12D-107(b). The contract must require that the processor:
• ensure that each person processing personal data is subject to a duty of confidentiality;
• at the controller’s direction, delete or return all personal data to the controller once the services have been provided (unless retention is required by law);
• upon the reasonable request of the controller, make available to the controller all information necessary to demonstrate compliance with the obligations of the DPDPA;
• after providing the controller an opportunity to object, engage any subcontractor under a contract that requires the subcontractor to meet the obligations of the processor as to the personal data; and
• allow and cooperate with reasonable assessments by the controller or its designated assessor, or arrange for a qualified and independent assessor to assess the processor’s policies and technical and organizational measures in support of its obligations under the DPDPA, using an appropriate and accepted control standard or framework and assessment procedure for such assessments.
Id. A controller must also disclose to consumers in a privacy notice any categories of personal data that the controller shares with third parties, as well as the categories of third parties with which such data is shared. Id. § 12D-106(c)(4)–(5). If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing. Id. § 12D-106(d).
A violation of the DPDPA by a processor or third-party controller to which personal data was disclosed does not amount to a violation by the disclosing controller or processor if:
• at the time of disclosure, the disclosing controller or processor did not have actual knowledge that the receiving processor or third-party controller had violated or would violate the DPDPA, and
• the disclosing controller or processor was, and remained, in compliance with its obligations as the discloser of such data.
Id. § 12D-110(d). Similarly, independent misconduct of the disclosing controller or processor does not amount to a violation of the DPDPA by a recipient third-party controller or processor, provided that the third parties themselves comply with the DPDPA. Id.
A controller may not sell the personal data of a consumer if the controller has actual knowledge or wilfully disregards that the consumer is at least 13 years of age but younger than 18 years of age, unless the controller obtains such consumer’s consent. Id. § 12D-106(a)(7).
Under the DOPPA, the operator of a commercial internet website, online or cloud computing service, online application, or mobile application that collects personally identifiable information through the Internet about individual users who reside in the State of Delaware and who use or visit such website, service, or application must make available a privacy policy that identifies the categories of third parties with whom the operator may share such personally identifiable information. Id. § 1205C(a)–(b)(1).
The Delaware Department of Justice may investigate and prosecute violations of the DPDPA in accordance with the provisions of Delaware’s consumer protection laws, which authorize the issuance of cease-and-desist orders; the pursuit of administrative remedies for violations; the initiation and prosecution of civil or criminal actions in any court of competent jurisdiction; the pursuit of restitution, rescission, reformation of contract, recoupment, or disgorgement of profits or any moneys improperly obtained, or other relief to prevent unjust enrichment by violators; and any other lawful action to enforce the consumer protection statutes and to carry out their purposes. 6 Del. C. § 12D-111; 29 Del. C. § 2520(a).
The Consumer Protection Unit of the Delaware Department of Justice may investigate and prosecute violations of the DOPPA in accordance with the provisions of Delaware’s consumer protection laws, which authorize the issuance of cease-and-desist orders; the pursuit of administrative remedies for violations; the initiation and prosecution of civil or criminal actions in any court of competent jurisdiction; the pursuit of restitution, rescission, reformation of contract, recoupment, or disgorgement of profits or any moneys improperly obtained, or other relief to prevent unjust enrichment by violators; and any other lawful action to enforce the consumer protection statutes and to carry out their purposes. 6 Del. C. § 1203C; 29 Del. C. § 2520(a).
The Attorney General of the State of Delaware may bring an action in law or equity to address violations of the CSB Statute and for other relief that may be appropriate to ensure proper compliance with the statute, or to recover direct economic damages resulting from a violation, or both. 6 Del. C. § 12B-104.
Under the DPDPA, a controller that controls or processes the data of not less than 100,000 consumers, excluding data controlled or processed solely for the purpose of completing a payment transaction, must conduct and document, on a regular basis, a data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to a consumer. 6 Del. C. § 12D-108(a).
Both the DPDPA and the DOPPA went into effect on January 1, 2025.
The DPDPA’s data protection assessment requirements apply to processing activities created or generated on or after July 1, 2025. 6 Del. C. § 12D-108(f).
By no later than January 1, 2026, a controller must allow a consumer to use an opt-out preference signal sent by a platform, technology, or mechanism to indicate the consumer’s intent to opt out of the sale of the consumer’s personal data or the processing of such data for targeted advertising. Id. § 12D-106(e)(1)(a)(2).
Until December 31, 2025, before initiating any action for a violation of any provision of the DPDPA, the Delaware Department of Justice must issue a notice of violation to the controller if it determines that a cure is possible. Id. § 12D-111(b). If the controller fails to cure the violation within 60 days of receiving notice, the Department of Justice may bring an enforcement proceeding. Id. Starting on January 1, 2026, in determining whether to afford an opportunity to cure, the Department of Justice may consider:
• the number of violations;
• the size and complexity of the controller or processor;
• the nature and extent of the controller’s or processor’s processing activities;
• the substantial likelihood of injury to the public;
• the safety of persons or property;
• whether such alleged violation was likely caused by human or technical error; and
• the extent to which the controller or processor has violated this or similar laws in the past.
Id. § 12D-111(c).