Delaware has joined California in requiring the posting of privacy policies on commercial websites that collect personally identifiable information (PII). Delaware’s Online Privacy and Protection Act (DOPPA) went into force on January 1, 2016. DOPPA requires the operator to conspicuously post its privacy policy on its website. The policy must describe the categories of PII the company collects from users and the categories of third parties with whom the PII may be shared. The policy must also address how the company handles browser-based “do not track” requests. Differing from the requirements contained in the California’s law, DOPPA requires that the policy also explain how users will be informed of any material changes to the policy.

In addition, DOPPA prohibits operators of websites directed to children under the age of 18 from marketing products like alcohol, tobacco, and firearms. DOPPA further requires operators who have actual knowledge that children use their services to take reasonable actions to avoid marketing or advertising these products to children. Both types of operators are prohibited from disclosing children’s PII with actual knowledge that others will use the PII to market these products to children. Finally, DOPPA generally prohibits a book service provider from knowingly disclosing a user’s PII or related information, but allows for some exceptions, including to law enforcement under certain circumstances.

TIP: Given the broad accessibility of online sites, this law is a reminder that companies that collect information online should have a privacy policy describing their activities. Not only do California and Delaware require it, the FTC expects it as well.