New Delaware Law Requiring Destruction Of Consumer Information

A new Delaware law will require businesses to dispose of consumer personal information “no longer to be retained by the commercial entity.” A post by Blank Rome attorneys Steven Caponi and Elizabeth Sloan summarizes the law and points to a number of ambiguities, including what constitutes information no longer “retained” and whether the law applies only to entities doing business in Delaware or if it will apply to companies incorporated in Delaware but doing business elsewhere. The law is clear regarding its definition of personally identifiable information, however, and the fact that many organizations are exempt, namely financial institutions subject to Gramm-Leach-Bliley; healthcare organizations subject to HIPAA, and consumer reporting agencies subject to the Federal Credit Reporting; and government agencies or facilities. The law goes into effect January 1, 2015.