On January 1, 2016, the Delaware Online Privacy and Protection Act (“DOPPA”) will go into force, a law that provides strong online privacy protection for its residents.  The new law targets three areas of compliance: (1) advertising to children; (2) conspicuous posting of a compliant privacy policy; and (3) enhancing the privacy protections of users of digital books (“e-books”).  The law grants the state’s Consumer Protection Unit of the Department of Justice the authority to investigate and prosecute violations of the law. This new Delaware law is substantially similar to three existing California laws that regulate the same practices. Given the similarities in language, DOPPA was clearly drafted with the California laws in mind.

Advertising Directed to Children Strictly Regulated

Under DOPPA, website and app operators that direct their services to children must ensure that they do not advertise or market certain enumerated content that are considered by the law to be inappropriate for children’s viewing, such as alcohol, tobacco, firearms, pornography, and a host of other categories delineated by the law.  In seeking to regulate sites that are directed to children, the Delaware law compliments the federal Children’s Online Privacy Protection Act (“COPPA”).  However, DOPPA has a wider reach, as it defines children as anyone under the age of 18, while the federal law regulates online content directed to those under 13.

Additionally, to ensure that children are not exposed to inappropriate advertising content, even websites (and apps) that are not directed to children but which have “actual knowledge” that children access the site must refrain from engaging in targeted advertising of adult content by using their personally identifiable information.

Privacy Policies Must be Conspicuously Posted

DOPPA also mandates that operators of websites and apps that collect personally identifiable information of Delaware residents (of any age) conspicuously post a comprehensive privacy policy—and comply with the contents of the posted policy.  However, companies will only be found to be in violation of the law if they fail to post a compliant policy within 30 days of being notified that they are not in compliance with the law.  The law also mandates that certain enumerated topics are addressed in the privacy policy, such as how “do not track” requests transmitted by web browsing software are handled and whether third parties may obtain users’ personally identifiable information from a user’s visit to the website or app.   Among other obligations, companies also must explain to users how they will be informed of any material changes to the privacy policy.

While in most ways, the Delaware law is the same as the California law from which is was apparently modeled, while the California law only applies to websites that collect personally identifiable information about “consumers”, the Delaware law applies more broadly to online properties that collect personal information from “users”, and thus appears to cast a wider net.

Restrictions on Disclosure of E-Book information

Acknowledging that third parties do not have a right to know the viewing habits of e-book users without their informed consent absent special compelling circumstances, DOPPA prohibits e-book services from disclosing the personally identifiable information of readers to third parties unless certain exceptions apply.  One exception is a disclosure to a law enforcement entity “pursuant to any lawful method or process by which a law enforcement entity is permitted to obtain information.” Further, a law enforcement agency can also obtain e-book reader information under the law when an imminent danger of death or serious injury is present.

Another exception is disclosure to a government entity other than a law enforcement entity, which may be obtained via a court order and timely notice to the user so that the user has the opportunity to quash the order and object to the proposed disclosure.

Third parties other than government agencies can obtain a user’s book service information only through a court order where the court issuing the order has found that the person seeking the disclosure has a “compelling interest” in obtaining the book information sought, which cannot be obtained by less intrusive means and again, where the user has the opportunity to contest the court order.

However, e-book providers are required to preserve the personally identifiable information of readers that they collect if asked to do so by a law enforcement agency.  Of particular note, e-book providers are required to annually post a summary of, among other things, the requests for e-book users’ personally identifiable information by law enforcement and the nature of the disclosure, if any.

Given the DOPPA’s wide reach and regulation of a broad array of commercial internet activities, companies would be well advised to promptly examine their advertising and marketing practices, as well as the content of their online privacy policies, to ensure compliance with the new law by January 1, 2016.