A new privacy law requires companies to make specific statements about what information is collected on its website. Like California, it also requires that companies state in writing whether they respect “Do Not Track” requests.

Delaware has passed the Delaware Online Privacy and Protection Act that requires online operators (e.g. website, online or cloud computing service, or mobile app) to conspicuously post a privacy policy identifying the personally identifiable information (PII) it collects on users and how it responds to “Do not track” signals.

The broad new law impacts not just Delaware-based businesses, but any company that collects PII about a Delaware resident—in other words, virtually any company that transacts business online. The Delaware Online Privacy and Protection Act goes into effect January 1st, 2016.

The law provides companies with a number of ways to post a privacy policy. But the posted policy must be readily available to users and must:

  • Identify what type of information is being collected;
  • List the categories of third parties with whom the information is shared;
  •  Describe how users can review and change their collected information;
  •  Detail how the company notifies users of changes to the privacy policy;
  •  List the effective date of the privacy policy;
  •  Disclose how the company responds to “Do not track” signals; and
  •  Divulge whether or not third parties can collect PII about a user’s online activities from the company’s website or Internet services.

California already has a similar law in place, so clients may not need to change existing privacy policies. However, the new Delaware law does provide a timely opportunity to review such policies to ensure that privacy-related language is up-to-date.

The Delaware Online Privacy and Protection Act also prohibits companies from marketing certain products (alcohol, tobacco, firearms, fireworks, etc.) to minors via online channels. Finally, the Act prohibits book service providers from disclosing personal information about its users without written consent.