Wednesday, January 6, 2016

Privacy - Delaware Online Privacy Protection Act

     On January 1, 2016, the Delaware Online Privacy Protection Act (DelOPPA), 6 Del. C. 1201C-06C, came into force.  The Delaware law was modeled after two California laws, the California Online Privacy Protection Act (CalOPPA), Cal. Bus. & Prof. Code §§ 22575-79, and a portion of the Privacy Rights for California Minors in the Digital World, Cal. Bus. & Prof. Code §§ 22580-82. The Delaware law also contains a section to protect e-book users' privacy.

     This post only examines the section related to the privacy policy requirement.


     Privacy Policy.


     DelOPPA is similar to CalOPPA.  It requires operators of "commercial Internet services that collect personally identifiable information (PII) about users residing in Delaware who use or visit the operator's commercial Internet service" to "conspicuously" post a "privacy policy".  6 Del. C. 1205C(a).


     The privacy policy must (1) identify the types of PII collected and the types of third-party persons with whom the operator may share the PII; (2) if the operator has a process for a user to review and request changes to the user's PII, describe that process; (3) describe how the operator will notify users of changes to the privacy policy; (4) identify the effective date of the privacy policy; (5) disclose how the operator responds to "do not track" signals or similar mechanisms; and (6) disclose whether use of the operator's service may permit other parties to collect a user's PII across different services.  6 Del. C. 1205C(b).


     Building on CalOPPA, DelOPPA expands the list of identified types of information that qualify as PII.  6 Del. C. 1202C(18).  And like CalOPPA, this is not an exclusive list of PII.

means any information about an individual that, individually or in combination with other information, can be used to distinguish or trace the identity of the individual, including the individual’s name (in whole or in part), signature, physical characteristics or description, residential, school, or other physical address, telephone number, online contact information, social security number, passport number, driver’s license number, state identification card number, alien registration number, insurance policy number, education history, employment history, bank account number, credit card number, debit card number, or any other financial information, geolocation data, DNA or other genetic material, medical information, or health insurance information, except that it does not include information that is publicly available that is lawfully made available to the general public from federal, state, or local government records.

     The law additionally describes several methods to meet the conspicuous posting requirement.  6 Del. C. 1202C(7).  The methods could be summed up as: (1) having an icon, on the homepage or first significant page after entering the website, that contains the word "privacy", is distinguishable from the webpage's background, and hyperlinks to a webpage on which the privacy policy is posted; (2) having a text link, on the homepage or first significant page after entering the website, that contains the word "privacy", is distinguishable from the webpage's background, and hyperlinks to a webpage on which the privacy policy is posted; or (3) using any other functional hyperlink that is displayed such that a reasonable person would notice it.

     Going forward, all Internet-based services would be wise to ensure compliance with both CalOPPA and DelOPPA because these laws apply to any service, regardless of where it is based, that collects PII from a California- or Delaware-based user.  In particular, all such services should pay attention to the types of PII identified by DelOPPA.


- Henry Park
