McCarter & English, LLP | Contents of this website may contain attorney advertising. | Results may vary depending on your particular facts and legal circumstances.

Share

Alternative Dispute Resolution & Mediation
Artificial Intelligence
Bankruptcy, Restructuring & Litigation
Blockchain, Smart Contracts & Digital Currencies
Business Litigation
Cannabis
Corporate
Crisis Management
Cybersecurity & Data Privacy
Delaware Corporate, LLC & Partnership Law
Design, Fashion & Luxury
E-Discovery & Records Management
Energy & Utilities
Environment & Energy
Financial Institutions
Food & Beverage
Government Affairs
Government Contracts & Global Trade
Government Investigations & White Collar Defense
Healthcare
Hospitality
Immigration
Impact Investing
Insurance Recovery, Litigation & Counseling
Intellectual Property
Labor & Employment
Latin America
Life Sciences
Manufacturing
Products Liability, Mass Torts & Consumer Class Actions
Public Finance
Real Estate
Renewable Energy
Sports & Entertainment
Tax & Employee Benefits
Technology Transactions
Transportation, Logistics & Supply Chain Management
Trusts, Estates & Private Clients
Venture Capital & Emerging Growth Companies
Search By:

11.21.2025

During a recent gathering of data privacy and security experts, regulators from the Maryland and Delaware Offices of Attorney General provided their insights regarding priorities for state privacy enforcement and recommendations for how to interact with their offices. Maryland’s data privacy law went into effect October 1, 2025, but Delaware’s has been in force since January 1, 2025.

Maryland’s enforcement strategy will initially focus on companies that exhibit a pattern or practice of noncompliance with statutory requirements or disregard for consumer privacy.

Delaware is prioritizing easily identifiable violations of its comprehensive privacy law as a way to flag companies for closer scrutiny. For example, if a privacy notice lists particular states with privacy rights, does it list Delaware? Another red flag: outdated notices. If a policy has not been updated in several years, Delaware will take notice. Delaware’s deputy attorney general also highlighted that the office’s enforcement team is leveraging experts, including an internal technologist, to conduct deeper reviews of privacy practices. In particular, Delaware is looking closely at connected televisions (TVs that connect to the Internet for streaming digital content).

Delaware and Maryland are united in describing how the various states are working together on privacy enforcement, emphasizing the need for companies to have consistency in the messages they communicate to each state. For example, if a company receives a letter or notice of potential deficiency from the state regulators, the company should engage early in conversation with the Attorney General’s Office. The regulators also suggested tips for interactions with their offices—what is and isn’t required, overall demeanor, and helpful strategies—as well as explained why they generally ask for documents instead of posing questions to answer.

These regulators provided valuable insights into how their offices operate. If your company finds itself in receipt of a letter from a state data privacy regulator, it is important to engage quickly and amicably with them. Ignoring the letter or delaying your response could have a detrimental impact on the review by a state regulator, causing them to look more closely at your company or creating animosity. Your initial response sets the tone for all coming interactions with not only regulators in that state but likely those in other states as well. Importantly, you should contact counsel who are well-versed in privacy laws to help with your response.