Online businesses take note. Delaware may finally have an online privacy law. On June 25, 2015, the Delaware General Assembly passed SS1 for SB68, known as the “Delaware Online Privacy and Protection Act.” If signed by the governor, DOPPA will go into effect on January 1, 2016.

DOPPA three stated purposes: (i) to prohibit the operator of an internet service directed at children from marketing or advertising certain products or services on a website that are deemed harmful to children; (ii) to require an operator of an internet service to conspicuously post its privacy policy, if the internet service collects personally identifiable information (PII) from Delaware residents for commercial purposes; and (iii) to protect the personal information of users of digital book services by prohibiting a provider of book services from disclosing personal information regarding users of book services to law enforcement entities, governmental entities or other parties except under specified circumstances.

Operators of commercial websites that collect PII from Delaware residents will need to review the law and their website privacy policies carefully to ensure compliance.

The law identifies PII very broadly. PII now includes “any personally identifiable information about a user of a commercial Internet website, online or cloud computing service, online application, or mobile application that is collected online by the operator of that commercial internet website, online service, online application, or mobile application from the that user and maintained by the operator in an accessible form, including a first and last name, a physical address, an e-mail address, a telephone number, a social security number, or any other identifier that permits the physical or online contacting of the user, and any other information concerning the user collected by the operator of the commercial Internet website, online service, online application, or mobile application from the user and maintained in personally identifiable form in combination with any identifier described in this paragraph. See DOPPA at § 1202C(15).

Owners of commercial websites directed at children will need to make sure that their sites are not marketing any of the prohibited items listed in section 1204C(f) of the new law. For example, websites directed to children may not market or advertise alcoholic beverages, tobacco products, firearms, fireworks, tanning equipment, lotteries, body piercing, branding, tattoos, drug paraphernalia and tongue splitting. See DOPPA at §1204C(f)(1) – (15). Such websites also may not advertise or market “any material . . . which predominantly appeals to the prurient, shameful, or morbid interest of minors, is patently offensive to prevailing standards in the adult community as a whole with respect to what is suitable materials for minors, and taken as a whole lacks serious literary, artistic, political, social, or scientific value for minors.” DOPPA at § 1204C(f)(16).

The law also mandates that a website’s privacy policy either be conspicuously available on a website, or that a link to the privacy policy be conspicuous.  It also specifies certain types of information that must be disclosed in such a policy, including what information a website gathers, how it responds to “do not track” signals, the effective date of the privacy policy, and whether the operator of a website maintains a process for the user to review and request changes to that user’s PII, and a description of that process.  The law specifies that a website operator will only be in violation of the privacy policy posting requirements only if the operator fails to make its privacy policy conspicuously available within 30 days after being notified that it is noncompliant.

 Finally, the law proscribes the circumstances in which a “book service” (defined as “an entity, [which] as its primary purpose, provides individuals with the ability to rent, purchase, borrow, browse, or view books electronically or via the Internet”) may disclose information about the users of their services to “to any person, private entity or government entity.”  Generally, proper legal process and/or court order will be required as will notice to both the user and/or book service provider sufficient to permit the user or book service provide to timely appear and quash the request or contest issuance of any court order.  In the case of a user of such services, a minimum of 35 days advance notice is required.

 Website operators will need to carefully review their websites and privacy policies to be sure that they will be in compliance with the new law.  They should not wait until the Delaware law goes into effect to do so.  Indeed, although the law in Delaware is not yet effective, many other states have already enacted similar statutes to protect their own residents.  If a website is collecting information from those states’ residents, a website operator may already be in violation of those others states’ laws.