WILMINGTON— Come Jan. 1 Delawareans will have the right to request their personal information and data and learn more about who’s collecting it. Businesses will be tasked with providing it upon request.
The Delaware Department of Justice (DOJ) is preparing to launch a new website that will provide instructions on how to request data from companies that may be collecting or processing sensitive data on race, citizenship status, age, sexual orientation, gender identity, precise geolocation data or other biometric data.
Once the request is submitted, the business has 45 days to respond to the request and provide the data under the
Delaware Personal Data Privacy Act. But the responsibility is on the businesses to comply, and more importantly, disclose the new state law in the company’s terms and conditions.
“The typical situation would be you go to a company’s website, say Facebook, and you go to their privacy policy. Typically, they have a slightly different privacy policy depending on what state you’re from. Now in Delaware, that page is going to have information on how you can access your information or to request corrections or deletions,” Deputy Attorney General John Eakins told the Delaware Business Times.
Consumers will also have the right to receive a copy of the data in a portable and easy-to-use format, unless it reveals company secrets. People can opt out of companies processing personal data for purposes of targeted advertising and sale of data.
These data privacy laws are relatively new across the nation, and Delaware is the ninth to do so, after California, Virginia, Connecticut and Florida. But while Delaware’s law is largely dependent on self-compliance, it’s unique in that it’s the one of the only to have a designated enforcement mechanism in place.
Between Jan. 1 and Dec. 31, 2025, the DOJ will issue notices to company violators, if they determine a cure is possible. If the company does not do so within 60 days of receiving the notice, the DOJ may launch an investigation or court proceeding or fine the company $10,000.
However, it should be noted that the
Personal Data Privacy Act would apply to businesses that process or control the data of no less than 35,000 consumers or companies that process data of 10,000 consumers and receive more than 20% gross revenue from selling it.
The intent behind those provisions is to exempt small businesses that may be collecting data like email addresses for newsletters or promotions - it was introduced in a later version of the bill as the 2022 version of the
bill without that provision.
Consumers who are concerned about business data practices can lodge complaints to the DOJ, and the department would then conduct routine investigations of popular smartphones and websites. In particular, the state DOJ is likely to focus on companies that handle data relating to children and teenagers as well as geolocation.
One easy way to determine if a company is not in compliance is to check if it has an opt-out feature for facial and thumbprint scans.
Eakins said the best way to head off any of these complaints is for companies to understand how they can best use the data and the new law. In the past six months, the DOJ has held meetings with state chambers, the Delaware Alliance for Nonprofit Advancement and other organizations around the state.
“We anticipate reaching out to those not in compliance and letting them know they have time to fix it, as that’s how every other state has handled it, and we think we’ll be operating in the same way,” Eakins said. “We can’t police every single company out there, so a lot of our efforts are going to be on education and outreach. But we’ll be reacting to any complaint that Delaware consumers submit to us.”