On June 25, 2015, the Delaware state legislature passed two bills addressing the issue of privacy: the Delaware Online Privacy and Protection Act, and the Student Data Privacy Protection Act. If signed into law, the Delaware Online Privacy and Protection Act (“DOPPA”) would prohibit the marketing or advertising of certain products and services on Internet services directed to children.6 The law’s restrictions would apply to alcohol, tobacco, firearms, fireworks, tanning equipment, lotteries, drug paraphernalia, and certain types of body modifications, among others products and services. Operators of online services directed to children or operators who have actual knowledge that a child is using their service would be prohibited from using, disclosing, or compiling the child’s personal information or allow others to do so, if the operator had actual knowledge the personally identifiable information (“PII”) will be used for marketing or advertising the restricted products.
The bill would define PII to include a user’s first and last name, physical address, e-mail address, telephone number, social security number, and any other identifier that “permits the physical or online contacting of the user.” Operators who used an advertising service may shift compliance responsibility to the advertising service by notifying the advertising service that the operator’s service is directed to children. DOPPA also would require operators who collect PII about users who reside in Delaware to conspicuously post their privacy policies and make certain disclosures. The law would direct the Consumer Protection Unit (“CPU”) of the Delaware Department of Justice to promulgate rules regarding what information privacy policies must contain, and to provide sample language. The CPU would be required to make uniformity with other similar state laws a primary consideration when drafting such rules.
DOPPA also contains provisions applicable to the book information of book service users. A “book service” under the statute is a service allowing individuals “to rent, purchase, borrow, browse or view books electronically or via the Internet.” The law would prohibit book service providers from disclosing a user’s book service information to the government, absent certain delineated circumstances. Book service providers would also have to compile and post reports regarding the number of times book service information has been requested by the government and how many times the provider has disclosed it, among other data. The bill awaits action by the Governor of Delaware. If signed by the Governor, the bill would take effect on January 1, 2016.
The Delaware Student Privacy Protection Act (“DSPPA”) is directed to operators (other than schools and school districts) of online services that are designed, marketed, and used primarily for K-12 school purposes.7 The bill would require Operators to maintain reasonable security procedures and practices to protect student data and to delete student data within 45 days of a request from a school district or school. The security standards would, at a minimum, be required to comply with the Delaware Department of Technology and Information’s Cloud and Offsite Hosting Policy. Under DSPPA, operators could not knowingly engage in targeted advertising based on student data, create student profiles based on information they collect, sell student data, or disclose student data absent an applicable exception. Operators would be permitted to use student data for maintaining, delivering, supporting, evaluating, or diagnosing their own services or for “[a]daptive learning or customized learning purposes,” and would be able to use aggregate or de-identified data for their own marketing purposes.
SDPPA also awaits action by the Governor. If the bill is signed into law, the provisions restricting the actions of operators would take effect on the August 1 of the first full year following the act’s enactment into law. All other provisions would be implemented immediately upon the Governor’s signature.