{"id":4350,"date":"2023-09-15T06:01:00","date_gmt":"2023-09-15T12:01:00","guid":{"rendered":"https:\/\/trustarc.com\/?post_type=resource&#038;p=4350"},"modified":"2025-05-07T11:43:22","modified_gmt":"2025-05-07T16:43:22","slug":"delaware-personal-data-privacy-act-brief","status":"publish","type":"resource","link":"https:\/\/trustarc.com\/resource\/delaware-personal-data-privacy-act-brief\/","title":{"rendered":"Background Brief: Delaware Personal Data Privacy Act"},"content":{"rendered":"\t\t<section id=\"block_1a56c5df85eaaf9f63471c95bbd88531\" class=\"resource-intro intro-simple\">\n\t\t\t<div class=\"container\">\n\t\t\t\t\t\t\t\t\t<strong class=\"sub-title block uppercase\">Article<\/strong>\n\t\t\t\t\t\t\t\t\t\t<h1>Background Brief: Delaware Personal Data Privacy Act<\/h1>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t<section id=\"block_e21b1fa55319d94c5d43bfba4b874f9b\" class=\"columns-content\">\n\t\t<div class=\"container\">\n\t\t\t<div class=\"left\">\n\t\t\t\t\t\t\t<\/div>\n\t\t\t<div class=\"middle\">\n\t\t\t\t<div class=\"content\">\n\t\t\t\t\t<p>The \u201cDiamond State\u201d has passed the Delaware Personal Data Privacy Act, a modern consumer privacy law that gives its residents some of the important data protection rights found in other states\u2019 privacy regulations. Citizens are covered by the Act as individuals, but not in an employment or commercial context.<\/p>\n<p>Delaware Governor John Carney signed the Act into law on September 11, 2023, and it will become effective on January 1, 2025. An additional rule requiring controllers to recognize and act on universal opt-out signals goes into force on January 1, 2026.<\/p>\n<h2>Delaware Personal Data Privacy Act: Key dates<\/h2>\n<ul>\n<li>May 12, 2023 \u2013 Following lobbying by consumer and privacy groups, and the growing trend across the U.S. to give consumers more protections in an increasingly data-driven business landscape, <a href=\"https:\/\/legis.delaware.gov\/BillDetail?LegislationId=140388\" target=\"_blank\" rel=\"noopener\">House Bill 154<\/a> is introduced by Rep. Krista Griffith with backing from several senators and representatives.<\/li>\n<li>May 15, 2023 \u2013 in a <a href=\"https:\/\/housedems.delaware.gov\/2023\/05\/15\/griffith-bill-would-enhance-personal-data-privacy-for-delawareans\/\" target=\"_blank\" rel=\"noopener\">media release announcing the Delaware Personal Data Privacy Act<\/a> Rep. Griffiths says: <em>\u201cThe Delaware Personal Data Privacy Act is a critical step in safeguarding the privacy rights of Delawareans in our digital age. With the increasing collection and use of our sensitive personal data, it\u2019s so important that we establish comprehensive rights for consumers and ensure that they have avenues to take control over their personal information. This legislation will give them that control and provide much-needed transparency and accountability in the use of personal data by companies.\u201d<\/em><\/li>\n<li>June 8, 2023 \u2013 following two days of meetings to review amendments to the HB 154 the House votes 33-5 in favor.<\/li>\n<li>June 27, 2023 \u2013 amendments to the bill are tabled with the Banking, Insurance and Technology Committee in Delaware\u2019s Senate, with exclusions for registered securities brokers and dealers alongside financial organizations covered under the <a href=\"\/regulations\/glba\/\" rel=\"noopener\">Gramm-Leach-Bliley Act<\/a>.<\/li>\n<li>June 29, 2023 \u2013 the Delaware Senate unanimously passes the amendments, then passes the bill with a 15-4 vote in favor.<\/li>\n<li>June 30, 2023 \u2013 the Delaware House votes 37-3 in favor of passing HB 154 to create the Delaware Personal Data Privacy Act.<\/li>\n<li>July 20, 2023 \u2013 <a href=\"https:\/\/delawarebusinesstimes.com\/news\/delaware-personal-data-act-heads-to-governor\/\" target=\"_blank\" rel=\"noopener\">Rep. Griffith tells the <em>Delaware Business Times<\/em><\/a> the compromises in Delaware\u2019s data privacy law were to \u2018get it over the line\u2019, adding: <em>\u201cBanks and financial firms are subject to the <\/em>[Gramm-Leach-Bliley Act]<em> guidelines, so there wasn\u2019t so much heartburn in that. And shortly after the bill passed the House, <\/em>FINRA [Financial Industry Regulatory Authority]<em> reached out to us to ask to be included in the exemptions. I\u2019m pleased that it passed. I know this bill caught a lot of attention from several industries for its implications. But in practice, we wanted to give power back to our consumers on how their data is used.\u201d<\/em><\/li>\n<li>September 11, 2023 \u2013 Delaware Governor John Carney signs the Delaware Personal Data Privacy Act into law.<\/li>\n<li>January 1, 2025 \u2013 Delaware\u2019s privacy law goes into effect.<\/li>\n<li>January 1, 2026 \u2013 an additional requirement for controllers to honor universal opt-out signals goes into effect.<\/li>\n<\/ul>\n<h2>New data privacy rights for Delaware consumers<\/h2>\n<p>Delawareans gain new protections under the state\u2019s data privacy law as consumers, but not as employees.<\/p>\n<p>The Act defines a \u2018<strong>consumer<\/strong>\u2019 as <em>\u201can individual who is a resident of this State. \u2018Consumer\u2019 does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit organization, or government agency whose communications or transactions with the controller occur solely within the context of that individual\u2019s role with the company, partnership, sole proprietorship, nonprofit organization, or government agency.\u201d<\/em><\/p>\n<p>The definition for \u2018personal data\u2019 is very similar to that found in other states\u2019 data privacy laws: <em>\u201c\u2018<strong>Personal data<\/strong>\u2019 means any information that is linked or reasonably linkable to an identified or identifiable individual, and does not include de-identified data or publicly available information\u201d.<\/em><\/p>\n<p><strong>Under the Delaware Personal Data Privacy Act Delawareans (as individual consumers) have gained the following data privacy rights:<\/strong><\/p>\n<ul>\n<li><strong>Right to confirm<\/strong> \u2013 consumers have a right to know whether a controller is processing their personal data, including the categories of data processed and the purposes for processing.<\/li>\n<li><strong>Right to access<\/strong> and right to data portability \u2013 a consumer can request records of their personal data held by a controller \u201cunless such confirmation or access would require the controller to reveal a trade secret\u201d. Consumers also have the right to access a list of the categories of third parties to which the controller has disclosed their personal data. If this information isn\u2019t available in a format specific to the consumer the controller can provide a list of specific third parties it has shared data with instead.<\/li>\n<li><strong>Right to correct<\/strong> \u2013 consumers in Delaware can request a controller correct inaccuracies in records of their personal data, \u201ctaking into account the nature of the personal data and the purposes of the processing of the consumer\u2019s personal data\u201d.<\/li>\n<li><strong>Right to delete<\/strong> \u2013 a consumer can ask a controller to delete personal data provided by or obtained about them.<\/li>\n<li><strong>Right to opt-out<\/strong> \u2013 a consumer can tell a controller their personal data cannot be sold (see below for exceptions) or used for targeted advertising or profiling (when that profiling is \u201cin furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer\u201d).<\/li>\n<li><strong>Right to non-discrimination<\/strong> \u2013 Delawarean consumers exercising personal data privacy rights have a right not to be discriminated against, examples of discrimination listed in the Act include: \u201cdenying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer\u201d.<\/li>\n<li><strong>Right not to have sensitive personal information processed<\/strong> \u2013 controllers must obtain consent from consumers first, through a clear and easy-to-understand consent form. Sensitive data is defined as personal information that could reveal a consumer\u2019s:\n<ul>\n<li>racial or ethnic origin<\/li>\n<li>religious beliefs<\/li>\n<li>mental or physical health condition or diagnosis (including pregnancy)<\/li>\n<li>sex life and sexual orientation<\/li>\n<li>status as transgender or nonbinary<\/li>\n<li>citizenship or immigration status<\/li>\n<li>genetic or biometric information; or<\/li>\n<li>precise geolocation.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Any personal data of a known child is also covered as sensitive personal data in the Act. Parents or legal guardians can exercise consumer rights on behalf of their child\/ren aged under 13.<\/p>\n<p>Until January 1, 2026, when the rule about universal opt-out signals applies, consumers (or parents\/guardians acting on behalf of a child) will need to contact each controller and lodge requests to exercise any of these rights.<\/p>\n<h3>From January 1, 2026: Universal Opt-Out Signals apply in Delaware<\/h3>\n<p>Section 12D-105 of the Delaware Personal Data Privacy Act gives consumers in the state the option of designating an authorized agent to exercise their rights on their behalf, including through universal opt-out mechanisms. This rule is effective from January 1, 2026.<\/p>\n<p>This rule notes platforms, technologies, browser settings\/extensions (e.g. Global Privacy Control), global device settings or mechanisms <em>\u201cmay function as the agent for purposes of conveying the consumer\u2019s decision to opt-out\u201d<\/em>.<\/p>\n<p>Part (b) of the text in this section explaining controllers\u2019 obligations is mostly identical to similar U.S. states\u2019 data privacy laws:<\/p>\n<p><em>\u201cA controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent\u2019s authority to act on such consumer\u2019s behalf.\u201d<\/em><\/p>\n\t\t\t\t\t\t\t\t\t<div class=\"question-box-multiple\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"question-box bg-white\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"icon\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/icon_Framework_Small.svg\" class=\"attachment-full size-full\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<h4>Global Privacy Control: Technical brief<\/h4>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<p>What is GPC? What laws mandate its use?<\/p>\n<a href=\"\/resource\/global-privacy-control-known-user-consent\/\" class=\"cta\">Learn more<\/a>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"question-box bg-white\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"icon\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/icon_Consent_Small.svg\" class=\"attachment-full size-full\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<h4>Cookie Consent Manager<\/h4>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<p>Manage essential processes to achieve cookie compliance with state and international privacy laws.<\/p>\n<a href=\"\/products\/consent-consumer-rights\/cookie-consent-manager\/\" class=\"cta\">Learn more<\/a>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<h2>Does the Delaware Data Privacy Law apply to your organization?<\/h2>\n<p>Delaware\u2019s privacy law is mostly like other states\u2019 equivalent data privacy regulations enacted so far in that it applies to:<\/p>\n<ul>\n<li>Persons that conduct business in the state; or<\/li>\n<li>Produce products or services targeted to residents of the state.<\/li>\n<\/ul>\n<p>And during the preceding calendar year did any of the following:<\/p>\n<ul>\n<li>Controlled or processed the personal data of not less than 35,000 consumers \u2013 excluding personal data controlled or processed solely for the purpose of completing a payment transaction. (This is the lowest threshold so far in any U.S. state privacy act); or<\/li>\n<li>Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data.<\/li>\n<\/ul>\n<p><strong>Note:<\/strong> The Delaware Personal Data Privacy Act applies to any institute of higher education. It generally also applies to nonprofit organizations if they meet the above thresholds (so far the only other state privacy acts to also not exempt nonprofits are the <a href=\"\/resource\/colorado-privacy-act-guide\/\">Colorado Privacy Act<\/a> and the <a href=\"\/resource\/oregon-consumer-privacy-act-brief\/\">Oregon Consumer Privacy Act<\/a>).<\/p>\n<h3>Organizations exempt from Delaware\u2019s Data Privacy Law<\/h3>\n<ul>\n<li>Delaware state bodies (regulatory, administrative, advisory, executive, appointive, legislative or judicial) and state political subdivisions, including agencies, boards, bureaus and commissions of the state or its political subdivisions; and<\/li>\n<li>Financial institutions and their affiliates to the extent these organizations are subject to the <a href=\"https:\/\/www.ftc.gov\/business-guidance\/privacy-security\/gramm-leach-bliley-act\" target=\"_blank\" rel=\"noopener\">Gramm-Leach-Bliley Act<\/a>.<\/li>\n<\/ul>\n<h3>Personal data exempt from Delaware\u2019s Data Privacy Law<\/h3>\n<ul>\n<li>Personal information related to employment and business relationships (though only when used in context of that role).<\/li>\n<li>Emergency contact information when used for emergency contact purposes.<\/li>\n<li>Protected health information is defined under <a href=\"\/resource\/hipaa-compliance-privacy-solutions\/\">HIPAA (Health Insurance Portability and Accountability Act)<\/a>.<\/li>\n<li>Consumer credit reporting data under the <a href=\"https:\/\/www.consumer.ftc.gov\/sites\/default\/files\/articles\/pdf\/pdf-0111-fair-credit-reporting-act.pdf\" target=\"_blank\" rel=\"noopener\">Fair Credit Reporting Act<\/a>, (note: this exemption covers nonprofits exclusively focused on identifying and preventing insurance crime).<\/li>\n<li>Personal data collected, processed or maintained by a nonprofit organization that provides services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felony or stalking.<\/li>\n<li>Patient-identifying information covered by <a href=\"https:\/\/www.govinfo.gov\/content\/pkg\/USCODE-2010-title42\/html\/USCODE-2010-title42-chap6A-subchapIII-A-partD-sec290dd-2.htm\" target=\"_blank\" rel=\"noopener\">U.S. Code 42 Section 290dd-2 (Public health and welfare \u2013 Confidentiality of records)<\/a>.<\/li>\n<li>Identifiable private information when used under federal regulations for the protection of human subjects in medical and scientific research (<a href=\"https:\/\/www.hhs.gov\/ohrp\/regulations-and-policy\/regulations\/45-cfr-46\/index.html\" target=\"_blank\" rel=\"noopener\">45 CFR 46<\/a>, <a href=\"https:\/\/www.ecfr.gov\/current\/title-21\/chapter-I\/subchapter-A\/part-50\" target=\"_blank\" rel=\"noopener\">21 CFR 50<\/a>, and <a href=\"https:\/\/www.ecfr.gov\/current\/title-21\/chapter-I\/subchapter-A\/part-56\" target=\"_blank\" rel=\"noopener\">21 CFR 56<\/a>).<\/li>\n<li>Patient safety work product created and used to improve patient safety under the <a href=\"https:\/\/www.govinfo.gov\/link\/plaw\/109\/public\/41\" target=\"_blank\" rel=\"noopener\">Patient Safety and Improvement Act<\/a>.<\/li>\n<li>Personal data used in compliance with the <a href=\"https:\/\/www.govinfo.gov\/app\/details\/USCODE-2011-title18\/USCODE-2011-title18-partI-chap123-sec2721\" target=\"_blank\" rel=\"noopener\">Driver\u2019s Privacy Protection Act<\/a>, <a href=\"https:\/\/www.govinfo.gov\/app\/details\/USCODE-2021-title12\/USCODE-2021-title12-chap23-sec2001\" target=\"_blank\" rel=\"noopener\">Farm Credit Act<\/a>, <a href=\"https:\/\/www.govinfo.gov\/app\/details\/USCODE-2017-title20\/USCODE-2017-title20-chap31-subchapIII-part4-sec1232g\" target=\"_blank\" rel=\"noopener\">Family Educational and Privacy Rights<\/a> or <a href=\"https:\/\/www.govinfo.gov\/app\/details\/USCODE-2021-title49\/USCODE-2021-title49-subtitleVII-partA-subpartii-chap417-subchapI-sec41713\" target=\"_blank\" rel=\"noopener\">Airline Deregulation Act<\/a>.<\/li>\n<\/ul>\n<p>Additionally, controllers and processors that comply with the <a href=\"\/resource\/coppa-compliance-made-easy-keep-kids-in-mind\/\">verifiable parental consent requirements of Children\u2019s Online Privacy Protection Act (COPPA)<\/a> will be deemed compliant with obligations under Delaware privacy law to obtain parental consent concerning a consumer who is a child.<\/p>\n<h2>Delaware Privacy Law compliance obligations for controllers<\/h2>\n<p>Delaware\u2019s privacy law defines a \u2018<strong>controller<\/strong>\u2019 as <em>\u201ca person that, alone or jointly with others, determines the purpose and means of processing personal data\u201d<\/em> and requires a controller to:<\/p>\n<ul>\n<li>Limit collection of personal data to what is <em>\u201cadequate, relevant and reasonably necessary\u201d<\/em> to the purposes disclosed to the consumer. Any other processing of personal data, including sensitive personal information, must be consented to by the consumer first, or in the case of a known child, consent must be obtained from their parent or guardian.<\/li>\n<li>Not process for the purposes of targeted advertising or sell the personal data of a young consumer aged between 13 and under 18 years old without their consent.<\/li>\n<li>Not process personal data in violation of Delaware state laws or federal laws prohibiting unlawful discrimination.<\/li>\n<li>Protect personal data with reasonable data security practices appropriate to the volume and nature of the personal data at issue.<\/li>\n<li>Provide an effective and easy-to-use mechanism for a consumer to revoke previously given consent and stop processing the data within 15 days. The mechanism for a consumer to revoke consent must be at least as easy as the consent mechanism they used previously.<\/li>\n<li>Not discriminate against a consumer for exercising their consumer privacy rights.<\/li>\n<li>Respond to a consumer\u2019s request to exercise their consumer privacy rights within 45 days.<br \/>\nThe information given to the consumer in response shall be provided free of charge to the consumer \u2013 but controllers only need to make it free once per consumer in 12 months. A controller can charge a reasonable fee to cover administrative costs for excessive, repetitive or unfounded requests \u2013 or reject such requests \u2013 but the burden of proof is on the controller. Consumers may appeal.<br \/>\nA controller may also extend the response period by another 45 days <em>\u201cwhen reasonably necessary, considering the complexity and number of the consumer\u2019s requests\u201d<\/em> only if they notify the consumer about the need for this extension within the first 45-day response period. Consumers may appeal rejected requests and in turn controllers must respond to appeals within 60 days.<\/li>\n<li>Provide a clear and conspicuous link on the controller\u2019s website to a webpage where a consumer (or their agent) can opt out of having their personal data sold or used for targeted advertising.<br \/>\nRemember: universal opt-out signals must be acted on from January 1, 2026.<\/li>\n<li>Provide a privacy notice that is reasonably accessible, clear and meaningful that includes:\n<ul>\n<li>Categories of personal data processed<\/li>\n<li>Categories of personal data shared with third parties (if any) and the categories of third parties with which the controller shares personal data<\/li>\n<li>Purpose for processing personal information<\/li>\n<li>Information on how consumers may exercise their consumer privacy rights, including how they can appeal a controller\u2019s decision about a data rights request<\/li>\n<li>One or more secure and reliable means for consumers to submit a request to exercise their consumer privacy rights, which takes into account the ways consumers normally interact with the controller; and<\/li>\n<li>Online mechanism or active email address consumers can use to contact the controller.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Delaware Privacy Law compliance requirements for processors<\/h3>\n<p>Any processor engaged by a controller to process Delawareans\u2019 personal information is required to enter a binding written contract governing the processor\u2019s activities on behalf of the controller. The contract must set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties.<\/p>\n<h3>Data Protection Assessments<\/h3>\n<p>If a controller controls or processes the personal data of more than 100,000 Delaware consumers \u2013 excluding data that is only controlled or processed for payment transactions \u2013 they are also obliged to conduct and document a regular data protection assessment for each processing activity considered a heightened risk of harm to the consumer.<\/p>\n<p>Data protection assessments must be performed for personal data that is intended to be sold or for processing for targeted advertising or profiling. Each assessment must consider the benefits of a processing activity versus the risk of harm to the consumer.<\/p>\n<h3>Enforcement for violations of the Delaware Personal Data Privacy Act<\/h3>\n<p>The Delaware Department of Justice (DDoJ) has exclusive authority to investigate and prosecute violations of the Act.<\/p>\n<p>Delawareans do not have a private right of action.<\/p>\n<p>Up until December 31, 2025, if the DDoJ issues a notice of violation it must give the accused party up to 60 days to cure the violation if it determines the violation is curable. Then from January 1, 2026, the DDoJ may choose to offer a cure period at its discretion.<\/p>\n<p>The DDoJ can initiate court actions to pursue orders against any controller or processor found to have wilfully violated the Delaware Personal Data Privacy Act, with civil penalties of $10,000 for each deliberate violation.<\/p>\n<h2>TrustArc resources for compliance with U.S. State Privacy Laws<\/h2>\n<p>TrustArc offers several resources to help organizations keep up to date with <a href=\"\/resource\/evolution-us-state-data-privacy-laws-2023-2024\/\">existing and emerging state privacy laws in the U.S<\/a>, including:<\/p>\n\t\t\t\t\t\t\t\t\t<div class=\"question-box-multiple\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"question-box bg-white\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"icon\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/icon_Data-Lock_Small.svg\" class=\"attachment-full size-full\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<h4>Automate your compliance program<\/h4>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<p>Use PrivacyCentral to streamline privacy compliance across all relevant jurisdictions.<\/p>\n<a href=\"\/products\/privacy-data-governance\/privacycentral\/\" class=\"cta\">Learn more<\/a>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"question-box bg-white\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"icon\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/icon_Online-Privacy_Small.svg\" class=\"attachment-full size-full\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<h4>Nymity Research<\/h4>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<p>Stay up to date on hundreds of global privacy laws, regulations, and standards.<\/p>\n<a href=\"\/products\/privacy-data-governance\/nymity-research\/\" class=\"cta\">Start today<\/a>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t\t<div class=\"right sm\">\n\t\t\t\t<div class=\"share-it\">\n\t\t\t\t\t<strong class=\"title block uppercase\">Follow us<\/strong>\n\t\t\t\t\t<div class=\"soc-list\">\n\t\t\t\t\t\t<a href=\"https:\/\/www.linkedin.com\/company\/trustarc\/\" target=\"_blank\"><img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/themes\/trustarc\/assets\/dist\/images\/li-dark.svg\" alt=\"\" \/><\/a>\n\t\t\t\t\t\t<a href=\"\nhttps:\/\/twitter.com\/TrustArc\" target=\"_blank\"><img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/themes\/trustarc\/assets\/dist\/images\/tw-dark.svg\" alt=\"\" \/><\/a>\n\t\t\t\t\t\t<a href=\"javascript:;\" id=\"copy-url\"><img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/themes\/trustarc\/assets\/dist\/images\/link-dark.svg\" alt=\"\" \/><\/a>\n\t\t\t\t\t\t<span class=\"copied\" style=\"display:none;\">Link Copied!<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<div class=\"key-topics\">\n\t\t\t\t\t\t<strong class=\"title block uppercase\">Key Topics<\/strong>\n\t\t\t\t\t\t<ul>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li><a href=\"https:\/\/trustarc.com\/topic-resource\/us-consumer-privacy-laws\/\" class=\"badge\">US Consumer Privacy Laws<\/a><\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/ul>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<div class=\"cta-area\">\n\t\t\t\t\t<p>Get the latest resources sent to your inbox<\/p>\n\t\t\t\t\t<a href=\"\/subscription-center\/\" class=\"cta\">Subscribe<\/a>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t<\/section>\n\t\n\n\t\t<section id=\"block_8c1aabcf4c5b95b95a3677683ec04e9d\" class=\"resource-section\">\n\t\t\t<div class=\"container\">\n\t\t\t<div class=\"resource-head\">\n\t\t\t\t\t\t\t<h2>Related resources<\/h2>\n\t\t\t\t<a href=\"https:\/\/trustarc.com\/resources\/\" target=\"_blank\" rel=\"noreferrer\" class=\"cta block\">See all resources<\/a>\t\t<\/div>\n\t\t\t\t\t\t<ul class=\"resource-lists \">\n\t\t\t\t\t\t\t<li>\n\t\t\t\t\t<a href=\"https:\/\/trustarc.com\/resource\/new-in-2026-state-privacy-laws-in-indiana-kentucky-and-rhode-island\/\" class=\"resource-single\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"img-holder\">\n\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"380\" height=\"120\" src=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/res-feat-plus-purple-380x120.png\" class=\"attachment-380x120 size-380x120 wp-post-image\" alt=\"\" \/>\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"text-holder\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"resource-label uppercase\">Articles<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<h4>New in 2026: State privacy laws in Indiana, Kentucky, and Rhode Island\u00a0<\/h4>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t<li>\n\t\t\t\t\t<a href=\"https:\/\/trustarc.com\/resource\/california-ai-transparency-laws-sb942-ab2013\/\" class=\"resource-single\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"img-holder\">\n\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"380\" height=\"120\" src=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/01\/res-feat-woven-blue-test-380x120.png\" class=\"attachment-380x120 size-380x120 wp-post-image\" alt=\"\" \/>\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"text-holder\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"resource-label uppercase\">Articles<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<h4>California\u2019s AI Transparency Laws: How SB 942 and AB 2013 Will Reshape AI Data Practices<\/h4>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t<li>\n\t\t\t\t\t<a href=\"https:\/\/trustarc.com\/resource\/texas-privacy-law-enforcement\/\" class=\"resource-single\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"img-holder\">\n\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"380\" height=\"120\" src=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/res-feat-city-gray-380x120.png\" class=\"attachment-380x120 size-380x120 wp-post-image\" alt=\"\" \/>\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"text-holder\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"resource-label uppercase\">Articles<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<h4>Texas Privacy Enforcement: Navigating the Attorney General\u2019s Aggressive Approach<\/h4>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/li>\n\t\t\t\t\t\t<\/ul>\n\t\t\t\t\t<\/div>\t\t<\/section>\n\t\t","protected":false},"excerpt":{"rendered":"<p>The Delaware Personal Data Privacy Act gives citizens more protections and control over their personal information.<\/p>\n","protected":false},"featured_media":1686,"template":"","topic-resource":[114],"type-resource":[6],"class_list":["post-4350","resource","type-resource","status-publish","has-post-thumbnail","hentry","topic-resource-us-consumer-privacy-laws","type-resource-articles"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.4 (Yoast SEO v27.4) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Background Brief: Delaware Personal Data Privacy Act | TrustArc<\/title>\n<meta name=\"description\" content=\"The Delaware Personal Data Privacy Act gives citizens basic rights over their personal information, including the right to know, correct and delete their records held by businesses.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/trustarc.com\/resource\/delaware-personal-data-privacy-act-brief\/\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/delaware-personal-data-privacy-act-brief\\\/\",\"url\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/delaware-personal-data-privacy-act-brief\\\/\",\"name\":\"Background Brief: Delaware Personal Data Privacy Act | TrustArc\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/trustarc.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/delaware-personal-data-privacy-act-brief\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/delaware-personal-data-privacy-act-brief\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trustarc.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/res-feat-city-pink.png\",\"datePublished\":\"2023-09-15T12:01:00+00:00\",\"dateModified\":\"2025-05-07T16:43:22+00:00\",\"description\":\"The Delaware Personal Data Privacy Act gives citizens basic rights over their personal information, including the right to know, correct and delete their records held by businesses.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/trustarc.com\\\/resource\\\/delaware-personal-data-privacy-act-brief\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/delaware-personal-data-privacy-act-brief\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trustarc.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/res-feat-city-pink.png\",\"contentUrl\":\"https:\\\/\\\/trustarc.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/res-feat-city-pink.png\",\"width\":610,\"height\":152},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/trustarc.com\\\/#website\",\"url\":\"https:\\\/\\\/trustarc.com\\\/\",\"name\":\"TrustArc\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/trustarc.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Background Brief: Delaware Personal Data Privacy Act | TrustArc","description":"The Delaware Personal Data Privacy Act gives citizens basic rights over their personal information, including the right to know, correct and delete their records held by businesses.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/trustarc.com\/resource\/delaware-personal-data-privacy-act-brief\/","twitter_misc":{"Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/trustarc.com\/resource\/delaware-personal-data-privacy-act-brief\/","url":"https:\/\/trustarc.com\/resource\/delaware-personal-data-privacy-act-brief\/","name":"Background Brief: Delaware Personal Data Privacy Act | TrustArc","isPartOf":{"@id":"https:\/\/trustarc.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/trustarc.com\/resource\/delaware-personal-data-privacy-act-brief\/#primaryimage"},"image":{"@id":"https:\/\/trustarc.com\/resource\/delaware-personal-data-privacy-act-brief\/#primaryimage"},"thumbnailUrl":"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/res-feat-city-pink.png","datePublished":"2023-09-15T12:01:00+00:00","dateModified":"2025-05-07T16:43:22+00:00","description":"The Delaware Personal Data Privacy Act gives citizens basic rights over their personal information, including the right to know, correct and delete their records held by businesses.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/trustarc.com\/resource\/delaware-personal-data-privacy-act-brief\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/trustarc.com\/resource\/delaware-personal-data-privacy-act-brief\/#primaryimage","url":"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/res-feat-city-pink.png","contentUrl":"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/res-feat-city-pink.png","width":610,"height":152},{"@type":"WebSite","@id":"https:\/\/trustarc.com\/#website","url":"https:\/\/trustarc.com\/","name":"TrustArc","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/trustarc.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/resource\/4350","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/resource"}],"about":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/types\/resource"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/media\/1686"}],"wp:attachment":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/media?parent=4350"}],"wp:term":[{"taxonomy":"topic-resource","embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/topic-resource?post=4350"},{"taxonomy":"type-resource","embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/type-resource?post=4350"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}