Online businesses take note. Delaware may finally have an online privacy law. On June 25, 2015, the Delaware General Assembly passed SS1 for SB68, known as the “Delaware Online Privacy and Protection Act.” If signed by the governor, DOPPA will go into effect on January 1, 2016.
Operators of commercial websites that collect PII from Delaware residents will need to review the law and their website privacy policies carefully to ensure compliance.
The law identifies PII very broadly. PII now includes “any personally identifiable information about a user of a commercial Internet website, online or cloud computing service, online application, or mobile application that is collected online by the operator of that commercial internet website, online service, online application, or mobile application from the that user and maintained by the operator in an accessible form, including a first and last name, a physical address, an e-mail address, a telephone number, a social security number, or any other identifier that permits the physical or online contacting of the user, and any other information concerning the user collected by the operator of the commercial Internet website, online service, online application, or mobile application from the user and maintained in personally identifiable form in combination with any identifier described in this paragraph. See DOPPA at § 1202C(15).
Owners of commercial websites directed at children will need to make sure that their sites are not marketing any of the prohibited items listed in section 1204C(f) of the new law. For example, websites directed to children may not market or advertise alcoholic beverages, tobacco products, firearms, fireworks, tanning equipment, lotteries, body piercing, branding, tattoos, drug paraphernalia and tongue splitting. See DOPPA at §1204C(f)(1) – (15). Such websites also may not advertise or market “any material . . . which predominantly appeals to the prurient, shameful, or morbid interest of minors, is patently offensive to prevailing standards in the adult community as a whole with respect to what is suitable materials for minors, and taken as a whole lacks serious literary, artistic, political, social, or scientific value for minors.” DOPPA at § 1204C(f)(16).
Finally, the law proscribes the circumstances in which a “book service” (defined as “an entity, [which] as its primary purpose, provides individuals with the ability to rent, purchase, borrow, browse, or view books electronically or via the Internet”) may disclose information about the users of their services to “to any person, private entity or government entity.” Generally, proper legal process and/or court order will be required as will notice to both the user and/or book service provider sufficient to permit the user or book service provide to timely appear and quash the request or contest issuance of any court order. In the case of a user of such services, a minimum of 35 days advance notice is required.
Website operators will need to carefully review their websites and privacy policies to be sure that they will be in compliance with the new law. They should not wait until the Delaware law goes into effect to do so. Indeed, although the law in Delaware is not yet effective, many other states have already enacted similar statutes to protect their own residents. If a website is collecting information from those states’ residents, a website operator may already be in violation of those others states’ laws.
Please visit our website, the Morris James Data Privacy and Information Governance Group, or follow us on Twitter for more information.