Peekaboo: How To Continue Preparations for Brave New (Data Privacy) World

 |  Share

On September 12, 2023, Delaware became the 13th state to adopt a consumer data privacy act, joining Florida, another state to recently adopt consumer privacy laws, and others in providing resident consumers with rights regarding their personal information. Delaware’s Personal Data Privacy Act (the “PDPA”) goes into effect on January 1, 2025, but businesses should be careful not to be lulled into a false sense of time security — the Delaware Department of Justice will begin a public outreach campaign beginning July 1, 2024, to educate consumers of their rights. Businesses should expect residents of Delaware to know their data privacy rights and how to exercise them.

Additionally, the PDPA may apply to a larger number of businesses compared to other data privacy acts. Not only is Delaware a popular state for forming a business — businesses often enjoy certain tax benefits there — but the threshold to be subject to the PDPA is low compared to other data privacy acts. Businesses that service residents of Delaware or operate in Delaware and either (1) control or process the personal data of 35,000 or more residents; or (2) control or process the personal data of 10,000 or more residents and derive more than 20% of its gross revenue from the sale of personal data, are subject to the PDPA.[1] Compared to the California Consumer Privacy Act (“CCPA”), which applies to businesses operating in California that (1) have a gross annual revenue more than $25 million; (2) handle the personal information of 100,000 or more residents; and (3) derive at least 50% of their annual revenue from selling or sharing that personal data, the PDPA is more likely to apply to more businesses.

Data Privacy Moves Among Key Companies, Business Sectors

Not only are new consumer data privacy acts, like the PDPA, contributing to the complex web of data privacy laws, businesses should also consider how new technologies are increasingly changing the ways data is collected, used, and shared. Increasingly, collected data isn’t limited to what we share through our computer screens or even related to the services or products being used. Understanding how and why data will be collected in the future will help guide your policies and procedures regarding consumer data.

In recent news, X, formerly Twitter, disclosed that it intends to collect more data from users, such as biometric data, employment history, and search history. The social media platform announced changes to its privacy policy that would take effect on September 29, 2023, but a deeper review of the terms revealed the extent of X’s intent to capture more personal data.[2] Although casting a wide net for consumer data isn’t uncommon, the focus on personal data like employment history and search history is — especially for a social media platform like X.

In other news, the Mozilla Foundation, a nonprofit organization researching compliance with privacy standards, surveyed car manufacturers’ privacy practices.[3] The report found that car manufacturers were collecting data sets from their drivers that were not necessarily related or necessary to operating a vehicle, such as calendar information, personal photos, generic information, and immigration status. Further, the report claims that 84% of manufacturers surveyed shared collected data with third parties and data brokers, and 76% of the surveyed manufacturers claimed the right to sell personal data collected.

In addition to the trend of over-collecting data beyond what is necessary or relevant to the service or product being used, there has also been a shift toward feeding collected data to artificial intelligence. X intends to use data collected under its updated privacy policy to train its proprietary machine learning of artificial intelligence models.[4]  Similarly, Zoom updated its terms of service to permit the remote conference service to use data collected from users to train or test artificial intelligence or machine learning.[5] Interestingly, after media coverage and public backlash, Zoom clarified that it would not use a user’s audio, video or chat data to train its models without customer consent.


More than ever, businesses need to maintain a comprehensive and current privacy policy to navigate the increasingly complex state of data collection. Any business utilizing modern web design tools (like cookies and web beacons), sharing user data with third parties (like payment processors), or collecting data beyond the obvious scope of the service or product being provided is likely collecting more user data than they realize. Not only does a privacy policy explain to users how and why a business collects and/or shares their data, but it also helps businesses comply with data privacy acts like the PDPA by housing required disclosures and statements regarding consumer rights.

Finally, businesses should regularly monitor how and why data is collected and/or used by other companies, including their peers, competitors, and service providers — not only to be knowledgeable on competitive practices but also to anticipate how new technologies could violate data privacy laws. Often, the fine line between what is acceptable and unacceptable continues to be blurred.


This DarrowEverett Insight should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This Insight is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. We are working diligently to remain well informed and up to date on information and advisements as they become available. As such, please reach out to us if you need help addressing any of the issues discussed in this Insight, or any other issues or concerns you may have relating to your business. We are ready to help guide you through these challenging times.

Unless expressly provided, this Insight does not constitute written tax advice as described in 31 C.F.R. §10, et seq. and is not intended or written by us to be used and/or relied on as written tax advice for any purpose including, without limitation, the marketing of any transaction addressed herein. Any U.S. federal tax advice rendered by DarrowEverett LLP shall be conspicuously labeled as such, shall include a discussion of all relevant facts and circumstances, as well as of any representations, statements, findings, or agreements (including projections, financial forecasts, or appraisals) upon which we rely, applicable to transactions discussed therein in compliance with 31 C.F.R. §10.37, shall relate the applicable law and authorities to the facts, and shall set forth any applicable limits on the use of such advice.