Delaware compliance for cloud businesses
Research steps and summary: I searched official Delaware sources, state statutes, Attorney General guidance, Division of Corporations guidance, federal BOI guidance (FinCEN), and Delaware state contracting/cloud security requirements.
Key authoritative sources reviewed: the text and legislative synopsis for the Delaware Personal Data Privacy Act (DPDPA), the Delaware Department of Justice personal data privacy portal and AG guidance, Delaware Code (computer security breaches chapter), Division of Corporations guidance on entity taxes and filings, FinCEN BOI guidance and interim rule updates, and Delaware state cloud contracting terms for security controls.
Concise guidance for US business owners and LLC founders operating cloud businesses in Delaware (practical, state-specific):

1) Data privacy: Delaware Personal Data Privacy Act (DPDPA)
- Effective date and applicability: DPDPA was enacted and applies beginning January 1, 2025. Applicability thresholds: controllers/processors that control or process personal data of at least 35,000 Delaware residents annually, or those that control/process data of at least 10,000 Delaware residents and derive >20% of gross revenue from selling personal data. (Check your volumes and revenue to confirm applicability.)
- Core obligations: provide a clear privacy notice; enable consumer rights (access, correction, deletion, portability, opt-out of targeted advertising/data sales and profiling); obtain opt-in consent for sensitive personal data; maintain data inventories and reasonable security; implement accountability measures and designate contact means; use binding data processing agreements with cloud processors.
- Enforcement and penalties: enforcement is by the Delaware Department of Justice (Attorney General). The law provides a cure period in the early enforcement phase, and civil penalties are possible (see the AG portal for enforcement details). Businesses should prepare to respond to consumer requests within the statutory timeframes and maintain records of compliance.

2) Data breach/incident notification (Delaware Code, Chapter 12B)
- Duty to implement reasonable security practices to protect personal information.
- Breach notice is required after determination that a breach occurred unless, after investigation, the breach is unlikely to result in harm.
- If the number of Delaware residents affected exceeds 500, the business must also notify the Attorney General when sending notice to residents.
- Special rules: encrypted data is not treated as a breach unless the encryption key is compromised; breaches involving SSNs require offering one year of credit monitoring for affected residents.
- Timing: notice after determination of the breach; businesses may follow established internal procedures consistent with statutory timing.

3) Entity-level compliance (Delaware filing and tax rules)
- LLCs/LPs/GPs (domestic and foreign) formed or registered in Delaware must pay an annual tax of $300.00 due on or before June 1 each year. There is a $200 late penalty plus interest (1.5% per month) for late payments. (LLCs do not file an annual report with the Division of Corporations, but tax payment is required.)
- Corporations have separate annual report and franchise tax filing requirements (deadlines and methods differ; check the Division of Corporations portal for corporation-specific deadlines and calculation methods).
- Maintain a registered agent in Delaware and stay current on filings to preserve good standing.

4) Beneficial Ownership Information (BOI) reporting (FinCEN)
- FinCEN issued an interim final rule (March 26, 2025) removing the requirement for U.S. companies and U.S. persons to report BOI to FinCEN under the Corporate Transparency Act; foreign entities still may be subject to filing. This area remains subject to regulatory updates; monitor FinCEN guidance and consult counsel for entity-specific obligations.

State contracting and cloud-provider security expectations
- For state contracts, Delaware requires encryption in transit and encryption at rest for PII (or cyber liability insurance if encryption at rest cannot be provided), use of validated cryptography standards (e.g., NIST/FIPS), and other contractually mandated security measures and insurance. Cloud vendors working with government or holding state data should expect strict contractual security and incident reporting requirements.

Overlap with federal and other-state rules
- Sector-specific federal laws (HIPAA, GLBA) and FTC enforcement can apply if you handle health, financial, or other regulated data; those laws and regulator guidance may preempt or satisfy certain state breach-notice rules. If you process data of residents of other states (e.g., California), those states’ privacy laws (CPRA/CCPA) may also apply; design privacy and compliance programs for the broadest set of applicable requirements.

Practical compliance checklist for cloud businesses in Delaware (recommended actions)
- Determine whether DPDPA applies to your business (35,000/10,000 + revenue thresholds). Document your assessment.
- Map personal data flows, including cloud processors and third-party services; keep a data inventory.
- Update your privacy notice to meet DPDPA transparency requirements; implement mechanisms for consumer rights (access, delete, opt-out, portability).
- Put binding data processing agreements (DPAs) in place with cloud providers. Ensure DPAs include security, subcontractor controls, breach notification obligations, data location/transfer provisions (if applicable), audit/cooperation language, and liability/indemnity terms.
- Implement a written security program: encryption in transit and at rest for PII, MFA for administrative access, logging/monitoring, vulnerability management, patching, least privilege, backups, and a tested incident response plan aligned to Delaware breach-notice rules.
- Prepare a breach response playbook with templates and timelines for Delaware notice obligations (including AG notice when >500 residents are affected) and credit monitoring triggers for SSN exposures.
- For state contracts or state data, ensure compliance with Delaware DT&I terms (FIPS/NIST encryption, cyber liability insurance where required) and contractually required reporting/controls.
- Maintain entity compliance: file/pay the $300 LLC annual tax by June 1; keep registered agent and entity status current; corporations must file annual reports and pay franchise taxes by their deadlines.
- Monitor FinCEN and federal guidance on BOI/reporting and retain ownership records even if filing requirements have changed.
- Obtain appropriate cyber insurance coverage and coordinate insurer notice/claim processes with your breach response plan.
- Train staff and vendors on privacy/security obligations and document compliance efforts (policies, DPIAs or risk assessments where useful).

Next steps and resources:
- Review the DPDPA text and AG guidance (privacy.delaware.gov) and subscribe to DOJ updates.
- Use Division of Corporations portals to pay taxes and confirm entity filing requirements (June 1 for LLC tax).
- Monitor FinCEN for any further rule changes on BOI reporting.
- Consult privacy and cybersecurity counsel to tailor DPAs, incident response, and applicable scope for sector-specific laws (HIPAA/GLBA) and interstate consumer privacy obligations.
