State Comprehensive Privacy Laws – The “First State” Officially Becomes the Thirteenth State with a Comprehensive Data Privacy Law

After some delay, Delaware’s governor has at last signed into law the thirteenth state comprehensive privacy law. This is the seventh law passed in 2023, joining IowaIndianaTennesseeMontanaFlorida, and Oregon. The law takes effect on January 1, 2025. The bill was passed by Delaware’s congress at the end of June and was sent to the governor’s office for signature on June 30, 2023. He did not sign it, though, until this week.

Like other states, Delaware’s law does not contain a private right of action. The Delaware Department of Justice has sole enforcement power. The law provides a 60-day cure period for violations until December 31, 2025. If a violation is not cured, the Department of Justice may bring an enforcement proceeding under state UDAAP laws. Since Delaware already has an existing online privacy law (though less stringent than this law), entities should consider both in their compliance plans.

Key provisions include:

Putting it Into Practice: By now, many of these state privacy laws may be feeling familiar. However, privacy remains a space where “one-size-fits-all” policies still won’t hit the mark. Companies should continue to take a flexible approach to their privacy program in order to customize where necessary. As more states follow suit, differences will become harder to accommodate with one uniform policy or practice.


Listen to this post

Copyright © 2023, Sheppard Mullin Richter & Hampton LLP.
National Law Review, Volumess XIII, Number 256