Law: The Delaware Online Privacy and Protection Act ('DOPPA')

Regulator: Consumer Protection Unit of Delaware's Department of Justice

Summary: Delaware combines common law torts of privacy with general and sector-specific laws guaranteeing privacy protections. In addition, with the enactment of DOPPA, Delaware became just the second State in the US along with California to require operators of commercial websites that collect personally identifiable information ('PII') to post online privacy policies. Furthermore, Delaware has enacted a number of sector-specific laws governing, among other things, student data privacy, employee privacy, health privacy, and data security in the insurance sector. As is the case with DOPAA, the Student Data Privacy and Protection Act is modelled after California's legislation and requires Delaware's Department of Education to promulgate extensive rules to protect the privacy of student data, mandates limits on transfer of student PII, and creates online restriction regarding PII and child marketing. Finally, on 17 August 2017, Delaware Governor signed into law an Act amending the Delaware Code ('the Act') as it relates to security breaches involving personal information. Specifically, the Act revised the definition of what constitutes a security breach and expanded data breach notification requirements, in addition to creating a new requirement for businesses in Delaware to implement and maintain reasonable security safeguards to protect personal information.

You can follow legislative developments in US States through the USA State Law Tracker.