Delaware Attorney General Matt Denn is serious about online privacy, and aims to make Delaware “the safest state in America for kids to use the internet.” This August, Delaware Governor Jack Markell signed into law four online privacy bills drafted by the Attorney General, the most substantial of which is the Delaware Online Privacy and Protection Act.

DOPPA goes further than its federal cousin, the Children’s Online Privacy Protection Act and resulting COPPA Rule, in a number of areas. As we have blogged about previously, COPPA is primarily concerned with proper parental notification and consent regarding the collection of personal information about children. DOPPA builds on some of these procedural requirements but also places additional substantive limits on how data about children can be used. DOPPA prohibits internet service operators and advertisers from using the internet to market certain kinds of services to children, ranging from alcohol and tobacco to fireworks, tanning, and tattoos.

These restrictions apply to any “internet service directed to children.” Similarly to how the FTC examines a variety of factors to determine whether an internet service is “directed to children under 13” for COPPA purposes, DOPPA embraces several potentially relevant factors, such as “the subject matter, age of models, language or other characteristics of the Internet service,” along with “competent and reliable empirical evidence regarding audience composition.”

The restriction can also apply to internet services not directed at children, if the operator of the internet service has “actual knowledge that a child is using its internet service” and the marketing is “directed to the child based upon the child’s personally identifiable information.” Nor can such an operator “knowingly use, disclose, or compile” personally identifiable information to facilitate marketing of the restricted services to children, nor provide information to others to do so.

Internet service operators and advertisers should take note that “children” in the context of DOPPA means individuals under the age of 18 who are residents of Delaware, so the restrictions can potentially apply to an out-of-state entity, if that entity directs its services to Delaware.

The other three bills signed into law embrace a broad array of other issues, including the data privacy of students, online protections for victims of domestic violence, sexual assault, and stalking, and restrictions on the ability of employers to view the personal social media accounts of employees. These bills are a reminder that the data privacy space is wide open for legislating and that state attorneys general are not just enforcing data privacy laws, but taking a role in drafting them as well.