DELAWARE ONLINE PRIVACY PROTECTION ACT

courthouse

Image of courthouse pillars

A Delaware business client recently asked me to review his commercial privacy policy to see if his website complied with current online privacy protection requirements.  Not surprisingly in this fast pace and constantly changing digital landscape – the website failed because it did not clearly provide a link to its privacy policy on the home page.  And this is putting aside the May 25, 2018 GDPR compliance deadline that is fast approaching and its severe financial consequences for noncompliance.  The Delaware Online Privacy Protection Act has three stated goals but for purposes of this alert, I will focus on only on the commercial purpose.  Operators of an internet service must  conspicuously post its “privacy policy” if it collects personally identifiable information of Delaware residents.  To better understand this, let’s break this down into its component parts.

Operators of an Internet Service

The Act defines operators of an internet service in a straightforward manner.  An operator is defined as a person who owns an internet website, online or cloud computing service, online application, or mobile application. (Going forward I will refer to all of these platforms as a “web site”).  It does not however include a third party who manages or hosts your site.  This distinction is important because it places the responsibility on the “owner” of the site and not the person or entity who is actively managing the site on a day to day basis.  This means for the business owner you are responsible and it is not a defense to argue that you hired a company to manage your web site.  Internet service is defined broadly to encompass everything internet related regarding communication  of information by wire, radio or other methods of transmission.

Personally Identifiable Information

Personally identifiable information (“PII”) is defined as data that allows a user to contact an individual through the collected PII either online or directly.  Examples of PII include, first and last name, a physical address, an e-mail address, a telephone number, a social security number, or any other identifiers that would allow direct or online contact.

The Privacy Policy Must Be Conspicuously Posted

A conspicuously posted privacy policy can be satisfied in several ways but the main two options are as follows:

  • Home Page  – The privacy policy is posted on the home page or the first significant page after you enter the site; or
  • Hyperlink – A hyperlink on the first web page links to the actual privacy policy.  The hyperlink must contain the word “Privacy” in all caps and in the same or larger font than the rest of the font on that specific page.  Alternatively, the hyperlink must be displayed in such a manner that any reasonable person would notice it.

The Privacy Policy Must Include

  • The categorizes of PII that are being collected and if such information is being shared
  • If the operator of the website maintains a method for the user to update or review its PII, this process must be disclosed to the user
  • A description of the process by which material changes to the Privacy Policy will be made available to the users of the website
  • Disclose how the operator responds to web browser “do not track” signals or other mechanisms that provide users the ability to exercise choice regarding the collection of personally identifiable information
  • The effective Date of the Privacy Policy

Take Away – Review Your Website

The key takeaway here is that your PRIVACY POLICY must be clearly stated on the first meaningful page of your web site.  Failure to do so can result in up to a $10,000 fine imposed by the Delaware Attorney General.  Remember, what is great about a web site, not being tied to a specific location like the typical brick and mortar store, can also lead to greater exposure.  You need to be cognizant of privacy policies for each state and in some instances an even broader  GDPR approach (please click here.) may be required.  Having said this, we recognize a state by state analysis may not be practical for your situation but there certainly is an approach that can be implemented.  If you have any questions regarding this or any other aspect of your business, please feel free to contact Doug Leavitt at Danziger Shapiro & Leavitt, P.C.

This entry is presented for informational purposes only and is not intended to constitute legal advice.

Contact Information