The Delaware Attorney General’s office, led by Deputy Attorney General John Eakins, is playing a pivotal role in enforcing the new state regulations under the Delaware Personal Data Privacy Act (DPDPA), which came into effect on Jan. 1. Once a major breach is reported by an organization operating in Delaware, Eakins’ office reaches out to investigate the extent of the harm caused and assess if the breach can be rectified.
Data breach notifications have become a common occurrence in the corporate world, with Delaware being one of twenty states to have enacted data privacy regulations as of 2025. Despite the existence of federal laws that could address such breaches, states are taking the initiative to penalize organizations that fail to uphold data security standards. The presence of in-house expertise hired with allocated funds is aiding regulators in pursuing enforcement actions against non-compliant entities.
Texas and New York are among the states that have been stringent in holding organizations accountable for data mishandling. Texas Attorney General’s office has filed lawsuits against companies like General Motors and Allstate for unlawfully collecting and using consumer data without adhering to the Texas Data Privacy Act (TDPSA). On the other hand, New York has fined companies like GEICO, Travelers insurance, and healthcare providers for failing to safeguard sensitive data.
In Delaware, the focus is on regulating geolocational data abuse and ensuring the security of emerging artificial intelligence (AI) technologies, according to Deputy AG Eakins. Consumer advocates, however, argue that more stringent measures need to be put in place to safeguard personal information. Advocacy groups like the Electronic Frontier Foundation (EFF) and the Electronic Privacy Information Center (EPIC) have criticized existing state privacy laws for falling short in protecting consumer data adequately.
Despite the criticisms, there seems to be a positive shift in the data privacy landscape, with states like Delaware ramping up efforts to enhance enforcement mechanisms. Increased funding and the hiring of specialized personnel, such as computer scientists, indicate a proactive approach in dealing with data breaches. Attorney Andreas Kaltsounis emphasizes the importance of organizations having a compelling narrative to present to regulators, showcasing their commitment to data security through proactive measures like data audits and limited data collection practices.
Looking ahead, there is a growing emphasis on incorporating data privacy as a core business principle. Companies are advised to streamline their data management processes, conduct privacy impact assessments, and integrate privacy engineering practices to fortify their data protection framework. As states compete to showcase robust data protection measures, organizations need to be prepared to engage with regulators effectively and demonstrate their dedication to safeguarding sensitive information.
In conclusion, the evolving data privacy landscape underscores the importance of proactive compliance measures to mitigate the risk of penalties and reputational harm. With state regulators becoming more assertive in enforcing data privacy laws, organizations must prioritize data protection efforts to navigate the complex regulatory environment successfully. The onus is on businesses to proactively address data privacy risks and establish a robust framework that aligns with evolving state regulations.