A new privacy law requires companies to make specific statements about what information is collected on its website. Like California, it also requires that companies state in writing whether they respect “Do Not Track” requests.

Delaware has passed the Delaware Online Privacy and Protection Act that requires online operators (e.g. website, online or cloud computing service, or mobile app) to conspicuously post a privacy policy identifying the personally identifiable information (PII) it collects on users and how it responds to “Do not track” signals.

The broad new law impacts not just Delaware-based businesses, but any company that collects PII about a Delaware resident—in other words, virtually any company that transacts business online. The Delaware Online Privacy and Protection Act goes into effect January 1st, 2016.

The law provides companies with a number of ways to post a privacy policy. But the posted policy must be readily available to users and must:

  • Identify what type of information is being collected;
  • List the categories of third parties with whom the information is shared;
  •  Describe how users can review and change their collected information;
  •  Detail how the company notifies users of changes to the privacy policy;
  •  List the effective date of the privacy policy;
  •  Disclose how the company responds to “Do not track” signals; and
  •  Divulge whether or not third parties can collect PII about a user’s online activities from the company’s website or Internet services.