Revisiting Privacy Policies and Practices in Light of Delaware Law

Dorsey & Whitney LLP
Contact

The Delaware Online Privacy and Protection Act (the "Act") addresses privacy policy, marketing or advertising to Delaware residents under age 18 and digital book service information disclosure requirements. The Act goes into effect on January 1, 2016.

Companies should revisit their privacy policies and practices in light of the Act and similar laws, including the California Online Privacy Protection Act [see Revisiting Privacy Policies in Light of California Law (October 2013) and Privacy Rights for California Minors (September 2013).] The Delaware Department of Justice’s Consumer Protection Unit has enforcement authority and may investigate and prosecute violations of the Act. [Del. Code tit. 6, § 1203C.]

Privacy Policy Requirements

The Act requires an operator of a commercial Internet service (i.e., any service, system, website, application, or program, or portion thereof that accesses the Internet or provides a user with access to the Internet) that collects personally identifiable information through the Internet about Delaware resident users who use or visit the operator's commercial Internet service to make its privacy policy conspicuously available on its Internet service. An operator that fails to make its privacy policy conspicuously available on its Internet service within 30 days after being notified of noncompliance will be in violation of the Act. [Del. Code tit. 6, § 1205C(a).]

"Conspicuously available" means making the privacy policy available to an individual via the Internet by any of the following means:

  • A Web page on which the actual privacy policy is posted if the Web page is the home page or first significant page after entering the website.
  • An icon that hyperlinks to a Web page on which the actual privacy policy is posted, if the icon is located on the home page or the first significant page after entering the website, and if the icon contains the word "privacy." The icon must use a color that contrasts with the background color of the Web page or is otherwise distinguishable.
  • A text link that hyperlinks to a Web page on which the actual privacy policy is posted, if the text link is located on the home page or first significant page after entering the website, and, if the text link includes the word "privacy," it must be written in capital letters equal to or greater in size than the surrounding text, or be written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.
  • Any other functional hyperlink that is displayed such that a reasonable individual would notice it.
  • For an Internet service that is not a website, any other reasonably accessible and visible means of making the privacy policy available for users of the Internet service. [Del. Code tit. 6, § 1202C(7).]

"Personally identifiable information" means any information about an individual that, individually or together with other information, can be used to distinguish or trace the identity of the individual, including the individual’s name (in whole or in part), signature, physical characteristics or description, residential, school, or other physical address, telephone number, online contact information (i.e., an e-mail address or other substantially similar identifier that permits direct contact with an individual online, including without limitation, an instant messaging user identifier, a voice over internet protocol (VOIP) identifier, or a video chat use identifier), Social Security number, passport number, driver’s license number, state identification card number, alien registration number, insurance policy number, education history, employment history, bank account number, credit card number, debit card number, or any other financial information, geolocation data (i.e., information that is, in whole or part, generated by, derived from, or obtained by the operation of an electronic device that can be use to identify the past, present, or future location of an electronic device, an individual, or both), DNA or other genetic material, medical information, or health insurance information, excluding information that is publicly available that is lawfully made available to the general public from federal, state, or local government records. [Del. Code tit. 6, §§ 1202C(9), (16) and (18).]

An operator of a commercial Internet service that collects personally identifiable information through the Internet service from Delaware resident users of its Internet service will be in violation of the Act if the operator fails to comply with the Act or with the provisions of the operator’s posted privacy policy either (i) knowingly and willfully or (ii) negligently and materially. [Del. Code tit. 6, § 1205C(c).]

Privacy Policy Disclosure Items

The Act requires the privacy policy do all of the following:

  1. Identify the categories of personally identifiable information that the operator collects through the Internet service about users of its commercial Internet service and the categories of third-party persons with whom the operator may share that personally identifiable information.
  2. Provide a description of any process the operator maintains for a user of the Internet service to review and request changes to any of that user’s personally identifiable information that is collected through the Internet service.
  3. Describe the process by which the operator notifies users of its commercial Internet service of material changes to the operator's privacy policy for that Internet service.
  4. Identify the effective date of the privacy policy.
  5. Disclose how the operator responds to Web browser "do not track" signals or other mechanisms that provide users the ability to exercise choice regarding the collection of personally identifiable information about a user’s online activities over time and across third-party Internet services, if the operator engages in that collection. To satisfy this requirement, an operator may provide a clear and conspicuous hyperlink in the operator's privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the user that choice.
  6. Disclose whether other parties may collect personally identifiable information about a user’s online activities over time and across different Internet services when a user uses the operator's Internet service. [Del. Code tit. 6, § 1205C(b).]

Marketing or Advertising Requirements

The Act prohibits an operator of an Internet service directed to children who are Delaware residents under the age of 18 from marketing or advertising a product or service listed below (each a "specified product or service") on its Internet service:

  • Alcoholic liquor
  • Firearms, ammunition for firearms, or BB guns
  • Firearm training course
  • Tobacco products, smokeless tobacco products, or moist snuff
  • Tobacco substitutes
  • Fireworks
  • Tanning equipment or device, or tanning facility
  • Dietary supplement products containing ephedrine group alkaloids
  • Lottery, Internet lottery, Internet table games, Internet ticket games, Internet video lottery, sports lottery, table game, video lottery, or video lottery facility
  • Salvia divinorum, Salvinorin A, or any substance or material containing Salvia divinorum or Salvinorin A
  • Branding
  • Tattoos
  • Body piercing
  • Tongue splitting
  • Drug paraphernalia
  • Electronic control devices
  • Sexually oriented material [Del. Code tit. 6, §§ 1202C(6) and 1204C(a) and (f).]

"Internet service directed to children" means any Internet service that is targeted or intended to reach an audience that is composed predominantly of children. An Internet service is not deemed directed to children solely because it refers or links to another Internet service directed to children by using information location tools, including a directory, index, reference, pointer, or hypertext link. In determining whether an Internet service is directed to children, the subject matter, visual or audio content, age of models, language, or other characteristics of the Internet service are relevant, as well as whether advertising promoting or appearing on the Internet service is directed to children, together with any competent and reliable empirical evidence regarding audience composition and intended audience of the Internet service. [Del. Code tit. 6, § 1202C(13).]

"Market or advertise" or "marketing or advertising" means making a communication or arranging for a communication to be made, in exchange for compensation, about a product or service the primary purpose of which is to encourage recipients of the communication to purchase or use the product or service. [Del. Code tit. 6, § 1202C(15).]

An operator of an Internet service directed to children or an operator of an Internet service who has actual knowledge that a child is using its Internet service must not knowingly use, disclose, or compile, or allow another person to use, disclose, or compile, directly or indirectly, the child’s personally identifiable information if that person has actual knowledge that the child’s personally identifiable information will be used for the purpose of marketing or advertising to the child a specified product or service. [Del. Code tit. 6, § 1204C(c).]

Also, an operator of an Internet service who has actual knowledge that a child is using its Internet service may not market or advertise a specified product or service to that child, if the marketing or advertising is directed to the child based on the child’s personally identifiable information. The operator is deemed to comply with these requirements if the operator takes reasonable actions in good faith designed to avoid marketing or advertising a specified product or service. [Del. Code tit. 6, § 1204C(b).]

In addition, an operator of an Internet service directed to children, in which marketing or advertising is provided by an advertising service, must notify the advertising service, in a manner directed by the advertising service, that the Internet service is directed to children. An advertising service that provides marketing or advertising for an Internet service directed to children, and which has received such notice, may not market or advertise on the Internet service a specified product or service. [Del. Code tit. 6, § 1204C(d)–(e).]

These requirements are not to be construed to require an operator of an Internet service to collect age information about users. [Del. Code tit. 6, § 1204C(g).]

Digital Book Service Information Disclosure Requirements

A book service provider (i.e., any commercial entity offering a book service to the public, except for a commercial entity that sells a variety of consumer products if its book service sales do not exceed 2 percent of that entity’s total annual gross sales of consumer products sold in the United States) must not knowingly disclose, or be compelled to disclose, any book service information about a user to any person, except to law enforcement or to a governmental entity under certain circumstances, or to a person under certain conditions or where the user has given informed, affirmative consent in writing to the specific disclosure to the specific person for a particular purpose. [Del. Code tit. 6, §§ 1202C(5) and 1206C(a).]

"Book" means paginated or similarly organized content in digital, electronic, printed, audio, or other format, including fiction, nonfiction, academic, or other works of the type normally published in a volume or finite number of volumes, excluding serial publications such as a magazine or newspaper. [Del. Code tit. 6, § 1202C(2).]

"Book service" means a service by which an entity, as its primary purpose, provides individuals with the ability to rent, purchase, borrow, browse, or view books electronically or via the Internet. [Del. Code tit. 6, § 1202C(3).]

"Book service information" means all of the following:

  • A user’s personally identifiable information.
  • A unique identifier or Internet Protocol address, when that identifier or address is used to identify, relate to, describe or be associated with a particular user or book, in whole or in partial form.
  • Any information that relates to, or is capable of being associated with, a particular user’s access to or use of a book service or a book, in whole or in partial form. [Del. Code tit. 6, § 1202C(4).]

Unless disclosure of information pertaining to a particular request or set of requests is specifically prohibited by law, a book service provider must prepare a report regarding disclosure of book service information, to the extent it can be reasonably determined. [Del. Code tit. 6, § 1206C(e)(1).] However, a book service provider is exempt from this requirement if it has not disclosed book service information related to the access or use of a book service or book of more than 30 total users consisting of users located in Delaware or users whose location is unknown and cannot be determined, or of both types of users. [Del. Code tit. 6, § 1206C(e)(2).]

The report must be made publicly available in an online, searchable format on the book service provider’s website before March 31 of each year. If the book service provider does not have a website, the book service provider must post the report prominently on its premises or send the report in both paper and electronic format to the Delaware Department of Justice’s Consumer Protection Unit on or before March 31 of each year. [Del. Code tit. 6, § 1206C(e)(4).]

On or before March 1 of each year, a book service provider subject to the privacy policy requirements of the Act must complete one of the following actions:

  • Create a prominent hyperlink to its latest report prepared pursuant to the reporting requirement of the Act in the disclosure section of its privacy policy applicable to its book service; or
  • Post the report prepared pursuant to the reporting requirement on its website explaining the way in which a user’s book service information and privacy issues related to its book service are addressed; or
  • State on its website in one of the areas described in a. and b. above that no report is available because the book service provider is exempt from the reporting requirement because it has not disclosed book service information related to the access or use of a book service or book of more than 30 total users consisting of users located in Delaware or users whose location is unknown and cannot be determined or of both types of users. [Del. Code tit. 6, § 1206C(e)(5).]

This article was first published on IRMI.com and is reproduced with permission. Copyright 2015, International Risk Management Institute, Inc.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dorsey & Whitney LLP | Attorney Advertising

Written by:

Dorsey & Whitney LLP
Contact
more
less

Dorsey & Whitney LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide