Delaware Enacts Comprehensive Online Privacy Protection Law: Is Your Business Compliant?

The Delaware Online Privacy and Protection Act (“DOPPA”) became effective on January 1, 2016. This new law requires compliance in three major areas: (1) conspicuous posting of a compliant privacy policy; (2) advertising and marketing to children; and (3) enhancing the privacy protections of users of digital books (“e-books”).

Why should a business be concerned with a Delaware law if it is not based in Delaware?

DOPPA is applicable to all websites and mobile applications (“applications”) that are accessible to Delaware consumers. Because of the nature of the Internet, all domestic and international websites and applications can potentially (and many likely do) reach Delaware consumers.

Who is covered by DOPPA?

DOPPA applies to every “operator” of an “Internet service,” which means the owner of “any service, system, website, application or program, or portion thereof, which accesses the Internet or provides a user with access to the Internet.” Accordingly, DOPPA is applicable to all website owners and application owners, among others.

What are the relevant definitions under DOPPA?

Under DOPPA, “personally identifiable information” (“PII”) is defined as “any information about an individual that, individually or in combination with other information, can be used to distinguish or trace the identity of the individual.” PII includes an individual’s name, signature, physical characteristics or description (including a photograph), street address, phone number, social security number, school or education history, passport number, and other similar information.

DOPPA defines “marketing or advertising” as “making a communication or arranging for a communication to be made, in exchange for compensation, about a product or service the primary purpose of which is to encourage recipients of the communication to purchase or use the product or service.” Thus, if a website or application is selling goods or marketing the goods of others, including through any form of paid advertising on the website or application, it would meet this definition.

What are the new privacy policy requirements?

DOPPA requires a website or application’s privacy policy to be conspicuously available. The new law specifies that a privacy policy is “conspicuously available” when it satisfies one of the following criteria: (1) it is the home page or the first significant page after entering the website; (2) it is accessible via a distinguishable icon that hyperlinks to the web page on which the privacy policy is posted, so long as the icon is located on the home page or the first significant page after entering the website, and if the icon contains the word “privacy”; (3) it is accessible via a text link that hyperlinks to a web page on which the actual privacy policy is posted, if the text link is located on the home page or first significant page after entering the website, and if the text link includes the word “privacy,” and has other characteristics that call attention to the link; (4) it is accessible via any other functional hyperlink that is displayed such that a reasonable individual would notice it; or (5) with respect to an Internet service that is not a website, it is otherwise reasonably accessible and visible to users of such Internet service.

The privacy policy must: (1) identify the categories of PII that it collects and the types of third parties with which the PII will be shared, (2) describe how the website or application operator notifies its users of any changes to the privacy policy, (3) identify the effective date of the current policy, and (4) disclose how the operator responds to “do not track” signals from web browsers, including whether third parties can track a user's activities over time and across different websites and/or applications when the user visits the websites and/or applications covered by the policy. In addition, if the website or application operator has a process by which its users can review and request changes to their PII, the privacy policy must describe that process.

What are the New Marketing and Advertising Requirements With Respect to Children?

DOPPA prohibits websites and applications that are directed to children from advertising or marketing certain products and services, including alcohol, tobacco, firearms, dietary supplements and sexually-oriented material. Unlike the current restrictions in the federal Children's Online Privacy Protection Act that regulate online content directed to those under the age of 13, DOPPA defines children as anyone under the age of 18, thereby casting a significantly wider net.

Additionally, to ensure that children are not exposed to inappropriate advertising content, even websites and applications that are not directed to children, but which have “actual knowledge” that children access the website or application, must refrain from engaging in targeted advertising of any of the prohibited products or services if the marketing or advertisement is based on the child's PII. Furthermore, the operator of such a website or application must not disclose or compile a child's PII if the operator knows that the child's PII will be used to market or advertise any of the prohibited products or services.

What are the New Digital Book Service Information Disclosure Requirements?

DOPPA also imposes numerous restrictions on the disclosure of PII and other personal information by providers of e-books and other digital book services. These restrictions prohibit the disclosure of personal information regarding the users of digital book services to law enforcement entities, governmental entities and other third parties, except in certain limited circumstances.

Disclosure of a user’s personal information to law enforcement agencies is permitted if it is pursuant to any lawful method by which the agency is permitted to obtain such information, including in instances where there is imminent danger of death or serious injury. However, disclosure to government agencies and other third parties generally requires the digital book service provider to give the user whose information will be disclosed an opportunity to contest the disclosure.

In addition, absent certain limited exemptions, DOPPA requires digital book service providers to post online an annual report that sets forth information about the provider's disclosures of its users' personal information.

What are the consequences for failing to comply with these new requirements?

If a company fails to comply with DOPPA, the Attorney General of the Department of Justice has specific statutory authority to prosecute violations, successful prosecution of which will result in the imposition of civil and criminal penalties, including fines.

- Angelina Bruno-Metzger