Jordan Burgh
Staff Editor, Delaware Journal of Corporate Law, Volume 50
Introduction
In a system where marketing is built upon personal information, where is the line between efficiency and privacy? For several years, companies such as Meta, Apple, and Amazon have tracked, collected and sold their consumers’ online activity without thought to the privacy of the individual. This blog will discuss the troubling data collection practices of these companies, the Delaware laws put in place to combat these practices, and how these changes may effect personal data collection in the future.
How Your Data is Packaged For Sale
For several years, businesses have collected, used, and sold consumer information to third-party businesses to improve targeted advertisements.[1] This information includes a consumer’s precise location and online activity.[2] Typical businesses use cookies to identify consumers, allowing businesses to track consumers for an indefinite amount of time across several websites.[3] This information is used to create a “consumer score”.[4] These scores are used by businesses, hospitals, and universities to predict consumer behavior and use those predictions to encourage consumers to purchase a product or service.[5] Unfortunately, consumer scores can create bias as businesses treat consumers unfairly based on the business’s limited knowledge of the consumers identity.[6] This intrusive collection of personal data has gone unchecked for occasionally due to gaps in federal law regarding data privacy.[7]
How Companies Breach Your Data Privacy
As federal laws lag behind advancements in technology and consumer tracking, consumers are left vulnerable to the intrusive practices of businesses. In recent years, several major companies such as Meta (Facebook) and Apple received scrutiny for intrusive consumer tracking without the consumer’s knowledge.[8] In 2019, Facebook received backlash when they admitted to accessing and storing email contacts from 1.5 million of its users.[9] Facebook gained access to these accounts by coaxing users to verify their email addresses by providing the password to their account which automatically imported a user’s contact list.[10] Facebook claimed this was an “unintentional upload,” however, this verification method was contrary to standard practices.[11]
Another instance of unauthorized data collection occurred in January of 2025 in a settlement with Apple.[12] In this settlement, the claimants alleged that their Apple device’s Siri was activated and used to listen to customers without their permission.[13] Apple allegedly sold this information, along with voice recordings, to advertisers.[14] Despite denying the claims, Apple settled the case for $95 million to avoid litigation.[15] These instances highlight the need for more comprehensive internet privacy laws to govern the collection, use, or sale of consumer data.
Delaware Law and the Future of Your Data
With the lack of comprehensive federal laws for data privacy, the states were left to protect their citizens. This shift to protect data privacy began with a proposed Consumer Privacy Act on the 2018 California ballot.[16] The California Consumer Privacy Act (“CCPA”) of 2018 was the most comprehensive law for consumer privacy at the time, introducing six new privacy rights to regulate the collection of consumer data.[17] The CCPA prompted several states, including Delaware, to pass their own state privacy laws mirroring the coverage of the CCPA.[18] The Delaware Personal Data Privacy Act (“DPDPA”) was passed in 2023 and will took effect in January of 2024.[19]
In the DPDPA, Personal data is defined as “any information that is linked or reasonably linkable to an identified or identifiable individual.”[20] Personal data includes sensitive data such as: (1) genetic data of an individual; (2) precise geolocation of an individual; and (3) sensitive data such as racial, ethnic origin, religious beliefs, mental or physical health, diagnosis (including pregnancy), sex life, sexual orientation, gender status as transgender or non-binary, and citizenship status of an individual.[21] To protect this data, the act provides the following rights to consumers: (1) the right to request an entity disclose when they collect personal information; (2) the right to correct inaccuracies in collected personal data; (3) the right to request personal data be deleted; (4) the right to obtain a copy of the collected personal data; (5) the right to request a list of third parties that received the consumer’s personal data; and (6) the right to opt-out of the collection and sale of personal data for targeted advertisements.[22] These new rights within Delaware and other states have been highlighted as issues of foreign data collection and have surfaced in current media, with cases likely to begin to develop.
Since 2024, headlines discussing the fear of foreign-based apps such as Tik Tok collecting and sharing user data, has prompted a level of scrutiny for the collection of user data.[23] However, as we question the protections provided by foreign entities, we must also question how companies based in the United States are collecting our personal data. As we have seen in the last decade, American based companies, have abused their ability to collect personal data by using intrusive methods of collection, disregarding the consent of consumers. In response, several states have adjusted their data privacy laws to provide consumers with more control and agency in the collection of their data. [24] These state laws have forced social media companies, such as Meta, to adopt mirroring privacy policies for all Meta products.[25]
As extra rights are produced by these data privacy laws, a new industry has emerged to ease consumers ability to request their personal information be deleted. Companies such as Incogni or DeleteMe remove personal data from online sources on a subscription basis.[26] The development of the data privacy industry can be seen as a possible signal that consumers are seeking more agency with their personal data. Further, it indicates that, while laws can lag behind the innovations of technology, maybe the law has caught up enough to properly protect consumers going forward.
About the Author
Jordan is a third-year law student at Widener University Delaware School of Law and is a Staff Editor of Volume 50 of the Delaware Journal of Corporate Law. She graduated from Syracuse University in 2019, earning her bachelor’s degree in English. While in Law School, Jordan currently is an extern for the Chambers of the Honorable Arlene M. Coppadge of the Delaware Family Court. In the Fall of 2025, Jordan will join WhitbeckBeglis as an associate attorney. At WhitbeckBeglis, Jordan will practice family law. Jordan is excited for the opportunity to advocate for families, spouses, and children with the Delaware Family Court.
[1] Consumer Data: Increasing Use Poses Risks to Privacy, U.S. Gov’t Accountability Off. (Sept. 13, 2022), https://www.gao.gov/products/gao-22-106096.
[2] Id.
[3] How Websites and Apps Collect and Use Your Information, Fed. Trade Comm’n Consumer Advice, https://consumer.ftc.gov/articles/how-websites-and-apps-collect-and-use-your-information#:~:text=Websites%20may%20track%20your%20online,settings%20to%20track%20your%20activity (last visited Apr. 12, 2025).
[4] Chris Warren, Your Secret Consumer Score, and Why It Matters, Synchrony (Feb. 19, 2025), https://www.synchrony.com/blog/banking/your-secret-consumer-score.
[5] U.S. Gov’t Accountability Off., supra note 1.
[6] Id.
[7] Id.
[8] Steve Mast, Data Collection: The Good, the Bad and the Ugly, Forbes Tech. Council (June 24, 2020, 8:20 AM), https://www.forbes.com/councils/forbestechcouncil/2020/06/24/data-collection-the-good-the-bad-and-the-ugly/.
[9] Jan Porter, Facebook Admits Harvesting 1.5 Million People’s Email Contacts Without Consent, The Verge (Apr. 18, 2019, 1:00 PM), https://www.theverge.com/2019/4/18/18485089/facebook-email-password-contacts-upload-1-5-million-security-cybersecurity.
[10] Id.
[11] Id. Standard practices include verifying accounts by sending a link sent to the user’s email address. Id.
[12] Imran Rahman-Jones, Apple to Pay $95 Million to Settle Siri ‘Listening’ Lawsuit, BBC (Jan. 7, 2025), https://www.bbc.com/news/articles/cr4rvr495rgo.
[13] Id.
[14] Id.
[15] Id.
[16] Sanford Shatz & Susan E. Chylik, The California Consumer Privacy Act of 2018: A Sea Change in the Protection of California Consumers’ Personal Information, 75 Bus. Law. 1917 (2020).
[17] Id.
[18] Id.
[19] AG Jennings Announces New Data Privacy Rights Available to Delawareans, Del. Dept. of Just. (Jan. 6, 2025), https://news.delaware.gov/2025/01/06/ag-jennings-announces-new-data-privacy-rights-available-to-delawareans/.
[20] Del. Code Ann. tit. 6, § 12D-102 (2025).
[21] Id.
[22] Id.
[23] Sapna Maheshwari & Ryan Mac, Driver’s Licenses, Addresses, Photos: Inside How TikTok Shares User Data, N.Y. Times (May 24, 2023), https://www.nytimes.com/2023/05/24/technology/inside-how-tiktok-shares-user-data-lark.html.
[24] Thirteen states have passed comprehensive state privacy laws between 2020 and 2022 such as California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia. U.S. Gov’t Accountability Off., supra note 1.
[25] United States Regional Privacy Notice About this Notice, Meta (Jan. 1, 2025), https://www.facebook.com/privacy/policies/uso/.
[26] Pricing, Incogni, https://incogni.com/pricing (last visited Apr. 9, 2025); see also DeleteMe, https://joindeleteme.com/ (last visited Apr. 9, 2025).
Leave a Reply