The Delaware Online Privacy and Protection Act takes a broad approach to the collection and disclosure of personally identifiable information.

Delaware Governor Jack Markell recently signed the Delaware Online Privacy and Protection Act (DOPPA), Delaware’s first online privacy law, which will take effect on January 1, 2016. DOPPA places restrictions on online marketing and advertising to Delaware children and restricts the online collection and disclosure of personal information from Delaware residents.

Background

DOPPA has three stated purposes: (1) to prohibit the operator of an Internet service directed to children from marketing or advertising certain products or services deemed harmful to children, (2) to require the operator of an Internet service to make its privacy policy available on its website if it collects personal information from Delaware residents for commercial purposes, and (3) to protect the personal information of users’ digital book services and technologies by limiting the circumstances under which a commercial entity can disclose personal information regarding such users.

Marketing and Advertising to Children

Under the new law, websites and apps “directed at children” cannot advertise or market certain prohibited items, including alcohol, tobacco products, firearms, fireworks, tanning equipment, dietary supplements, lotteries, body piercings, tattoos, drug paraphernalia, and pornography. In addition, websites or apps not expressly “directed at children” may not advertise the prohibited items to children where that advertising is based on a child’s profile, activity, address, or location sufficient to establish contact with the child.

For websites or apps that use advertising services, DOPPA requires only that websites notify the advertising service that the property is directed at children. In that case, the advertising service will be responsible for compliance.

In addition, DOPPA limits websites’ and apps’ use of personal information from children, forbidding online properties directed at children from using children’s personal information to advertise and from disclosing it to others for purposes of advertising.

DOPPA defines the term “directed at children” much like it is defined in connection with the federal Children’s Online Privacy Protection Act (COPPA), including Internet services “targeted or intended to reach an audience that is composed predominantly of children,” as determined by factors such as subject matter, visual or audit content, age of the models, and language or other characteristics, together with empirical evidence regarding audience composition. Unlike COPPA, however, which applies only to children under age 13, DOPPA applies all those under 18.

Privacy Policy Must Be Available Online

DOPPA also includes an express requirement that operators of websites and apps that collect personally identifying information about Delaware residents post a privacy policy. This provision of DOPPA is substantially identical to the provisions of the California Online Privacy Protection Act. DOPPA defines “personal information broadly” to include first and last name, physical address, email address, telephone number, Social Security number, or any other identifier that permits the physical or online contacting of the user. It also includes “any other information concerning the user,” which is collected and maintained “in combination with any personal identifier” described in the law. DOPPA requires that a privacy policy address certain specific issues, including profiling a list of the categories of personal information collected and third parties with whom the operator may share that information. The privacy policy must be “conspicuously available,” which means that it must be actually posted or contained in a hyperlink with the word “privacy” on a website’s home page or first significant page after entering the website.

Digital Book Services and Technologies

DOPPA also has certain requirements that apply to any “book service,” which is defined as “an entity [that] as its primary purpose, provides individuals with the ability to rent, purchase, borrow, browse, or view books electronically or via the Internet.” It prohibits book services from disclosing information about users of their services to “any person, private entity, or government entity,” except in limited circumstances. These circumstances require proper legal process and/or court order to both the user and/or the book service provider. DOPPA also requires sufficient notice (i.e., 35 days) to permit a user to timely appear and quash the request or contest the court order.

Practical Implications

Companies that have a significant audience among children under 18 should carefully review their operations and advertising programs in response to DOPPA. Importantly, because the law applies to a much broader group than does COPPA, current restrictions in place that comply with the federal law may not be sufficient. Regarding the privacy policy requirements, as a practical matter, companies that comply with the requirements of California law likely meet the privacy policy requirements. However, the law is a good reminder and opportunity to revisit and ensure that companies’ privacy policies comply with applicable laws and changing business needs.