Joining the collection of states with online privacy laws, Delaware has enacted a package of statutes governing the collection, storage and use of the personal information of Delaware residents by websites, Internet and cloud service providers, and Internet and mobile applications. While the statutes incorporate provisions that are already in effect under other states’ privacy laws — notably those in California — they add to the regulatory burden of operators of any website, Internet service or app that might reach Delaware residents.
The act also includes specific prohibitions against the advertisement and marketing of age-restricted products — alcoholic beverages, tobacco, firearms, pornography, dietary supplements, and tattooing and piercing, among others — on websites and mobile apps directed at children. The prohibition also applies to third-party marketing services that provide advertising to sites. The act requires that the operators provide notice to any third-party advertising services that the site is directed to children. Once a third-party advertising service has received the notice, the act’s prohibitions apply to the advertising service directly. The statute specifically defines a website, service or app directed at children as one that is “targeted or intended to reach an audience that is composed predominantly of children.” The relevant determining factors include the subject matter of the site, visual or audio content, age of models, language, or other characteristics of the site or app, whether advertising promoting or appearing on the site or app is directed to children, and “any competent and reliable empirical evidence regarding audience composition and intended audience” of the site or app. More than simply referencing or linking to another site, service or app that is directed to children is required in order for a site to be considered directed to children.
While the statute does not require operators to age-screen visitors to their site, actual knowledge that a child is using the site does trigger obligations under the statute. If an operator has actual knowledge that a child is using the site, the operator is prohibited from using the child’s personally identifiable information to market or advertise the prohibited products or services. The operator also may not disclose the child’s personally identifiable information to others that it has actual knowledge will use the child’s information for prohibited marketing or advertising purposes. Separately, the statute prevents e-book purveyors from sharing users’ reading histories, without a court order or warrant. The act goes into effect on Jan. 1, 2016.
Delaware also enacted its Student Data Privacy and Protection Act limiting access to student online data. The law prohibits education technology service providers from collecting data for noneducational purposes, from using collected data to target advertising to students and their families, and from selling student data to third parties. It also requires that these providers implement “reasonable procedures and practices for ensuring the security of student data they collect or maintain,” and that they must delete the student data if requested by a school district.
Like many of the other states’ privacy legislation, Delaware’s new statutes apply not only to Delaware business, but to any business with a web-based site, service or app that reaches Delaware consumers.