On Sunday, July 26, 2015, The News Journal® published an article titled, “Some still unaware of identity-theft bill.” Mordock, J., (2015, July 26), The News Journal, p.1E.
The News Journal article highlighted passage by the Delaware legislature in 2014 of House Bill 295, now codified as 6 Del. C. §5001C et seq.: Safe Destruction of Records Containing Personal Identifying Information. Much of the article, however, focused on the fact that, despite the law going effective in January 2015, businesses either do not know about the law or do not know what they might need to do to comply.
As Governor Markell is anticipated to sign into law two additional pieces of privacy related legislation on Friday, August 7, 2015, this article provides a summary of the currently in-effect Safe Destruction law and the two that will be signed imminently: the Delaware Online Privacy Protection Act, primarily applicable to businesses with websites, and the Student Data Privacy Protection Act, which seeks to regulate the activities of operators of websites and applications designed and marketed for K-12 public school purposes, or those who collect, maintain or use student data in digital or electronic form for K-12 public school purposes.
1. Safe Destruction of Records Containing Personal Identifying Information
The law relating to safe destruction of records that was the topic of The News Journal piece provides that a commercial entity (corporation, business trust, partnership or limited partnership, estate, trust, LLC, LLP, association, organization or other legal entity, whether or not for profit) seeking to permanently dispose of records containing consumer’s personal identifying information (PII), “shall take reasonable steps to destroy or arrange for the destruction of each such record by shredding, erasing, or otherwise destroying or modifying the personal identifying information in those records to make it unreadable or indecipherable.”
The law defines “Personal identifying information” as “a consumer’s first name or first initial and last name, in combination with any 1 of the following data elements that relate to the consumer, when either the name or the data elements are not encrypted: Social Security number; passport number; driver’s license or state identification card number; insurance policy number; financial services account number; bank account number; credit card number; debit card number; tax or payroll information or confidential health-care information including all information relating to a patient’s health-care history; diagnosis condition, treatment, or evaluation obtained from a health-care provider who has treated the patient which explicitly or by implication identifies a particular patient.”
A “record” includes information in virtually any tangible, electronic or other medium, but does not include any publicly available directories or sources of information that a customer has consented to have publicly available.
Entities transacting business in Delaware should be aware of this law. While a civil suit may be brought against an entity only for reckless or intentional (but not negligent) violation of the law, one doesn’t want to be the source of a data breach resulting from the improper keeping or destruction of records. And with technology changing rapidly from day to day, what might constitute “reasonable steps to destroy” today, might not be reasonable tomorrow.
Since the law requires an entity to “take reasonable steps to destroy or arrange for the destruction of” such records, businesses should carefully control and monitor those steps. If an entity contracts with a third-party for such destruction, careful review of the contract and an understanding about how the third-party protects such information is paramount. Indeed, reasonableness might require adherence to a chain of custody with the third-party ultimately certifying to the destruction of such records. One has to be sure that when the physical records, computer hard drives, thumb drives, CD’s, copier hard-drives, etc. are sent to third-party for destruction that they are actually being destroyed in a manner which renders them “unreadable or undecipherable.”
As with many of the privacy laws being enacted in Delaware and around the country, the law provides an encryption safe harbor. If the data is encrypted, then, by definition, it does not constitute “Personal identifying information” under the law, and the law would not require specialized destruction of encrypted data.
2. Delaware Online Privacy Protection Act
DOPP defines PII differently than the safe document destruction law. DOPPA defines PII as “any personally identifiable information about a user of a commercial Internet website, online or cloud computing service, online application, or mobile application that is collected online by the operator of that commercial internet website, online service, online application, or mobile application from the that user and maintained by the operator in an accessible form, including a first and last name, a physical address, an e-mail address, a telephone number, a social security number, or any other identifier that permits the physical or online contacting of the user, and any other information concerning the user collected by the operator of the commercial Internet website, online service, online application, or mobile application from the user and maintained in personally identifiable form in combination with any identifier described in this paragraph. SeeDOPPA at § 1202C(15) (emphasis added).
Owners of commercial websites directed at children will need to make sure that their sites are not marketing any of the prohibited items listed in section 1204C(f) of the new law. For example, websites directed to children may not market or advertise alcoholic beverages, tobacco products, firearms, fireworks, tanning equipment, lotteries, body piercing, branding, tattoos, drug paraphernalia and tongue splitting. See DOPPA at §1204C(f)(1) – (15). Such websites also may not advertise or market “any material . . . which predominantly appeals to the prurient, shameful, or morbid interest of minors, is patently offensive to prevailing standards in the adult community as a whole with respect to what is suitable materials for minors, and taken as a whole lacks serious literary, artistic, political, social, or scientific value for minors.” DOPPA at § 1204C(f)(16).
Finally, the law proscribes the circumstances in which a “book service” (defined as “an entity, [which] as its primary purpose, provides individuals with the ability to rent, purchase, borrow, browse, or view books electronically or via the Internet”) may disclose information about the users of their services to “to any person, private entity or government entity.” Generally, proper legal process and/or court order will be required as will notice to both the user and/or book service provider sufficient to permit the user or book service provide to timely appear and quash the request or contest issuance of any court order. In the case of a user of such services, a minimum of 35 days advance notice is required.
Website operators will need to carefully review their websites and privacy policies to be sure that they will be in compliance with the new law. And they should not wait until the Delaware law goes into effect to do so. Indeed, although DOPPA will not become effective until January 1, 2016, many other states have already enacted similar statutes to protect their own residents. If a website is collecting information from those states’ residents, a website operator may already be in violation of those others states’ laws.
3. Student Data Privacy Protection Act
With the continuing push for more prolific and creative use of technology in Kindergarten through 12th grade classrooms, student data has become more valuable, and the protection of that data of greater concern. In the face of the perceived need for greater protection of student data, the Delaware General Assembly, on June 25, 2015, approved SS1 for SB 79, slated to be codified as 14 Del. C. § 8101A et seq. (the “Student Data Privacy Protection Act” or “SDPPA”). Expressly modeled on California’s Student Online Personal Information Privacy Act, the SDPPA is designed to prohibit educational technology service providers from selling student data, using student data to engage in targeted advertising to students and their families, or creating student profiles for non-educational purposes.
When the law goes effective, the SDPPA will regulate the activities of operators of websites and applications designed and marketed for K-12 public school purposes, or those who collect, maintain or use student data in digital or electronic form for K-12 public school purposes. In particular, operators must provide reasonable security to prevent unauthorized access to, destruction of, use, modification or disclosure of student data. Operators must also delete a student’s data within a reasonable period (not to exceed 45 days) following a school or school district’s request for such deletion.
Operators also must not engage in targeted advertising using student data or state-assigned student identifiers where the data or student identifiers have been obtained as a result of use of a website, online or cloud computing service, online application or mobile application. Such data also may not be used to create a student profile except in furtherance of K-12 public school purposes. Student data may not be sold – except in instances of sale, merger or acquisition of an operator by another entity, and provided that the operator and/or successor entity continues to be subject to the SDPPA with respect to previously acquired student data. Operators also must not disclose student data except in certain specified instances, including responding to judicial process, to protect the security of the operator’s website or application, and protecting the safety of users of a website or application. Operators, however, may disclose student data when another provision of federal or state law requires disclosure, or for other legitimate research purposes. Finally, operators may use student data when supporting, evaluating or diagnosing the operator’s website, and may also use student data or de-identified student data to develop and improve an operator’s website or application, or to demonstrate the effectiveness of an operator’s products or services.
In addition to the proscriptions on the use and disclosure of student data, the SDPPA establishes a Student Privacy Task Force to “study and make findings and recommendations regarding the development and implementation of a comprehensive framework to govern the privacy, protection, accessibility, and use of student data within and as part of the State’s public education system.” SDPPA at Section 3. The act also gives to the Consumer Protection Unit of the Delaware Department of Justice the power to enforce the new law.
When the SDPPA is signed into law, the proscriptions applicable to operators will not take effect until August 1 of the first full year following the act’s enactment into law, with all other provisions taking effect immediately upon the Governor’s signature. SDPPA at Section 5.