Delaware

Can your organization confirm processing of a consumer's personal data and provide access to it upon request, while safeguarding trade secrets?

Does your organization provide a mechanism for consumers to request corrections to inaccuracies in their personal data?

Can your organization effectively delete a consumer's personal data upon request, and do you retain only the minimum data necessary to ensure deletion from your records without using it for other purposes?

Can your organization provide consumers with a copy of their personal data processed by automated means in a portable and readily usable format, without revealing trade secrets?

Does your organization provide clear and accessible mechanisms for consumers to opt out of targeted advertising, the sale of their personal data, and profiling for significant decisions?

Does your organization have a documented process to respond to consumer rights requests within 45 days, and to inform consumers of any necessary 45-day extensions within the initial period?

Does your organization provide requested information free of charge at least once annually, and do you have a documented policy for managing and justifying fees or denials for "manifestly unfounded, excessive, or repetitive" requests?

Is there a conspicuously available appeal process for consumers whose requests are denied, with a 60-day response timeframe, a written explanation for the decision, and clear instructions for contacting the Department of Justice upon appeal denial?

Does your organization recognize and comply with opt-out requests received from authorized agents, including those conveyed via universal opt-out mechanisms (like browser settings), after verifying the consumer's identity and the agent's authority?

Are your personal data collection practices limited to what is adequate, relevant, and reasonably necessary for the disclosed processing purposes, and do you obtain consent for any new or incompatible processing purposes?

Does your organization maintain reasonable and appropriate administrative, technical, and physical data security practices for the personal data it processes?

Do you obtain explicit consumer consent before processing sensitive data, and for known children, do you obtain parental/guardian consent and comply with relevant child privacy laws?

Is the process for revoking consent as easy as the process for giving it, and does your organization cease data processing within 15 days of receiving a revocation request?

If your organization has actual knowledge or willfully disregards that a consumer is between 13 and 17 years old, do you refrain from processing their data for targeted advertising or selling it without their consent?

Does your organization ensure that consumers are not discriminated against for exercising their privacy rights, apart from legitimate differences related to voluntary loyalty or rewards programs?

Is your privacy notice clear, accessible, and comprehensive, detailing data categories, processing purposes, consumer rights (including appeals), third-party sharing, and accurate contact information?

Do you provide secure and reliable means for consumers to submit rights requests, including a clear website link for opting out, and will you honor consumer opt-out preference signals from platforms/technologies by the specified deadline?

As a processor, does your organization strictly adhere to controller instructions and provide necessary assistance for fulfilling consumer rights requests, ensuring data security, and managing breach notifications?

Are your contracts with controllers (as a processor) or with processors (as a controller) comprehensive and compliant with all specified requirements regarding data processing instructions, confidentiality, data handling upon termination, provision of compliance information, subcontractor engagement, and assessment cooperation?

As a processor, does your organization allow and cooperate with controller assessments, or do you arrange for independent assessments and provide the reports to controllers upon request?

If your organization processes data of at least 100,000 consumers, do you conduct and document regular data protection assessments for all processing activities identified as presenting a heightened risk of harm to consumers (e.g., targeted advertising, sale of data, sensitive data processing)?

Do your data protection assessments thoroughly identify and weigh the benefits against the potential risks to consumer rights, taking into account mitigation strategies, the use of de-identified data, and consumer expectations?

Are your data protection assessments maintained in a retrievable format and ready to be provided to the Attorney General upon request, with an understanding of their confidential but enforceable nature?

Do you ensure that data protection assessments are conducted for all new or significantly modified processing activities that meet the heightened risk criteria, created or generated after the specified assessment applicability date?

Does your organization operate under the understanding that it is not required to re-identify de-identified or pseudonymous data, or maintain data in identifiable form solely for the purpose of responding to consumer requests?

If your organization processes pseudonymous data, is the information needed to identify the consumer kept separately and under effective technical and organizational controls to prevent access by the controller, thereby limiting certain consumer rights applications?

Are any of your data processing activities relying on the general exclusions?

If your organization processes data for internal use (e.g., research, product improvement), is it reasonably necessary, proportionate, adequate, relevant, and limited to the specified purposes, and subject to appropriate security measures as required by the Act?