Can I use third-party email marketing tools that collect personal information in Delaware? What are the requirements?

Using Third-Party Email Marketing Tools that Collect Personal Information in Delaware

Delaware has laws in place to protect personal information, including health information and information collected by state agencies and book service providers. However, there is no specific law in Delaware that addresses the use of third-party email marketing tools that collect personal information.

Requirements for Businesses

Businesses that collect personal information in the regular course of business are required to implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information ^[1.1]. Therefore, if you plan to use third-party email marketing tools that collect personal information, you should ensure that you have implemented reasonable procedures and practices to protect that information. This may include obtaining consent from individuals to collect and use their personal information, implementing security measures to prevent unauthorized access to that information, and ensuring that the third-party email marketing tool provider has appropriate security measures in place.

Prohibition on Disclosure of Personal Information

No state agency shall disclose personal information concerning a user to any person, firm, partnership, corporation, limited liability company, or other entity, including internal staff who do not need the information in the performance of their official duties, unless such user has consented to the disclosure of such personal information ^[2.1]. For the purposes of this section, the voluntary disclosure of personal information to a state agency by a user through a state agency website, whether solicited or unsolicited, shall constitute consent to the disclosure of the information by the state agency for the specific purposes for which the user disclosed it to the state agency.

Security Breach Notice Requirements

Any person who conducts business in Delaware and who owns or licenses computerized data that includes personal information shall provide notice of any breach of security following determination of the breach of security to any resident of Delaware whose personal information was breached or is reasonably believed to have been breached ^[1.3]. Notice required by this section must be made without unreasonable delay but not later than 60 days after determination of the breach of security, except in certain situations ^[1.3].

Posting of Privacy Policy

An operator of a commercial internet website, online or cloud computing service, online application, or mobile application that collects personally identifiable information through the Internet about individual users residing in Delaware who use or visit the operator’s commercial internet website, online or cloud computing service, online application, or mobile application shall make its privacy policy conspicuously available on its internet website, online or cloud computing service, online application, or mobile application ^[4.2]. The privacy policy required by this section shall identify the categories of personally identifiable information that the operator collects through the internet website, online or cloud computing service, online application, or mobile application about users of its commercial internet website, online or cloud computing service, online application, or mobile application and the categories of third-party persons with whom the operator may share that personally identifiable information ^[4.2].

In summary, while there is no specific law in Delaware that addresses the use of third-party email marketing tools that collect personal information, businesses are required to implement reasonable procedures and practices to protect personal information. If you plan to use such tools, you should ensure that you have implemented reasonable procedures and practices to protect that information. Additionally, businesses must comply with the prohibition on disclosure of personal information and the security breach notice requirements. Finally, operators of commercial internet websites, online or cloud computing services, online applications, or mobile applications that collect personally identifiable information through the Internet about individual users residing in Delaware must make their privacy policy conspicuously available on their internet website, online or cloud computing service, online application, or mobile application.

Source(s):

• [1.1] Protection of personal information.
• [2.1] Prohibition on disclosure of personal information.
• [4.2] Posting of privacy policy by operators of commercial online sites and services.
• [1.3] Disclosure of breach of security; notice.

Jurisdiction

Delaware

• Privacy