Delaware’s New Privacy Policy Requirements

Effective January 1, 2016, Delaware became the second state in the U.S., joining California, to require operators of commercial websites that collect personally identifiable information to post online privacy policies. The Delaware Online Privacy and Protection Act (DOPPA) applies to anyone who operates a “commercial internet website, online or cloud computing service, online application, or mobile application.”

Before this Delaware law was passed, California was the only state to have enacted a law requiring operators to post a privacy policy.¹ As a result, most privacy policies were developed according to the California requirements. California’s law applies to an operator of a commercial website or online service. On October 30, 2012, the California Attorney General announced in a press release that it considers mobile apps to be a form of “online service,” thus making California’s privacy policy requirements applicable to mobile apps.² Delaware’s law codifies the understanding that privacy policy laws apply to mobile apps. Given that 40% of top selling mobile apps still do not have a privacy policy,³ Delaware’s new law could provide the needed certainty to many companies. Companies should review their privacy policies to ensure they meet Delaware’s new requirements.

Top Three Differences between California and Delaware Privacy Policy Laws

1. Persons protected:
a. California: Protects "consumers," defined as any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes.
b. Delaware: Protects "users," defined as any individual that uses an internet website, online or cloud computing service, online application, or mobile application.

2. Services covered:
a. California: Covers commercial website or online service.
b. Delaware: Covers commercial internet website, online or cloud computing service, online application, or mobile application.

3. Definition of “Operators” to whom the law applies:
a. California: Applies to any person or entity that owns a website or online service that collects and maintains personally identifiable information from consumers residing in California.
b. Delaware: Applies to any “person who owns an internet website, online or cloud computing service, online application, or mobile application” that collects personally identifiable  information through the internet about individual users residing in Delaware.

[1] Cal. Bus. & Prof. Code §§ 22575-11579.
[2] Attorney General Kamala D. Harris Notifies Mobile App Developers of Non-Compliance with California Privacy Law (Oct. 30, 2012), available at: http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-notifies-mobile-app-developers-non-compliance. 
[3] John Koetsier, 40% of Top-selling Smartphone Apps Have No Privacy Policy, FORBES (Mar. 24, 2016), http://www.forbes.com/sites/johnkoetsier/2016/03/24/40-of-top-selling-smartphone-apps-have-no-privacy-policy/#5aece1c55005.