Beginning January 1, 2016, the recently-enacted “Delaware Online Privacy and Protection Act”¹ (DOPPA) will take effect and will impact all companies with online services used by Delaware residents. DOPPA consists of three separate online privacy laws: (1) a law prohibiting certain types of online marketing or advertising to minors;² (2) a law requiring commercial websites and online services to post privacy policies;³ and (3) a law restricting government access to user records kept by online book service providers.⁴ The laws are substantively similar to online privacy laws already in effect in other states, and are particularly similar to laws in effect in California. The Consumer Protection Unit of the Delaware Department of Justice can enforce DOPPA’s three laws under the same provisions that it enforces other state consumer protection laws.⁵ DOPPA does not create a private right of action for any of the three laws.⁶

The Delaware Online Privacy and Protection Act

DOPPA’s prohibition on certain types of online marketing or advertising to minors mirrors the prohibitions in California Business & Professions Code Section 22580.⁷ As under California law, DOPPA prohibits operators of websites, online or cloud computing services, online applications, or mobile applications “directed to children”⁸ from marketing or advertising certain specified categories of products and services that minors would not legally be able to purchase, and prevents them from “knowingly” using, disclosing, or compiling minors’ personal information for such marketing or advertising, or allowing a third party to do so.⁹ The prohibited products and services largely overlap with those listed in the California law. The differences include graffiti-related products and e-cigarettes,¹⁰ which are only listed in the California law, and body piercing and tongue-splitting services,¹¹ which are only listed in the Delaware law. The Delaware law suffers from the same vagueness issues as the California law. For example, whether a site is directed to children under 18 is a much more difficult analysis than whether a site is directed to children under 13, and while the law provides an exception for the “incidental placement” of products in content that is not distributed “primarily for the purposes of marketing and advertising,”¹² those concepts leave significant room for interpretation.

Similarly, DOPPA’s requirement that commercial websites and online services post privacy policies is virtually identical to the California Online Privacy Protection Act (CalOPPA),¹³ including CalOPPA’s “Do Not Track” disclosure requirements.¹⁴ Both laws require an operator of a website or online service that collects personally identifiable information (broadly defined) to conspicuously post a privacy policy disclosing what categories of information the operator collects and with whom that information is shared, among other requirements. The only notable difference between the two laws is that DOPPA expressly includes “cloud computing service[s], online application[s], [and] mobile application[s],” while those categories are not specifically listed in CalOPPA (although the California Attorney General would presumably argue that CalOPPA applies to those services as types of “online services.”¹⁵ Thus, companies complying with a broad interpretation of CalOPPA should also be in compliance with DOPPA’s privacy policy requirements. As with CalOPPA, operators under DOPPA will not be in violation of the privacy policy requirements unless they fail to remediate any noncompliance issues within 30 days of being notified of those issues by the state.¹⁶

Finally, DOPPA’s restriction on government access to user records kept by online book service providers¹⁷ is essentially a scaled-back version of California’s Reader Privacy Act.¹⁸ Both acts consist of two key sections: (1) a section that prohibits book service providers from disclosing user information to state law enforcement or other state government entities, and from being compelled to provide user information to other individuals, except under certain defined circumstances;¹⁹ and (2) a section imposing certain public reporting requirements on book service providers regarding the number and types of requests for user information received by the provider.²⁰ There are, however, some key distinctions between the two acts that make Delaware’s restrictions more limited. First, Delaware’s requirements only apply to online book sales or services, not brick-and-mortar book retailers that do not have an online presence, while California’s requirements apply to all stores.²¹ Both states’ requirements only apply if the retailer’s sales from books or book services exceed two percent of the retailer’s gross annual sales of all consumer products.²² Second, Delaware does not impose any civil penalties for violations of the requirements, while California allows for civil penalties up to $500 per violation and includes a private right of action.²³ Finally, Delaware imposes substantively less stringent requirements on law enforcement and government agencies seeking access to user information from book service providers. For example, Delaware’s law only requires that a law enforcement entity use “any lawful method or process by which a law enforcement entity is permitted to obtain such information,” while California’s law requires the law enforcement entity to obtain a court order with probable cause and other strict requirements.²⁴

Implications

Ultimately, DOPPA’s three laws should hold few surprises for businesses already complying with California’s “Eraser” bill, CalOPPA, and California’s Reader Privacy Act. Businesses marketing products and services to minors will want to add Delaware’s new restricted products to their list of items to block for compliance purposes. Similarly, online booksellers and book service providers will want to update their required Reader Privacy Act reports to include information relevant to Delaware.

¹ Del. Code tit. 6, §§ 1201C-1206C (eff. Jan 1, 2016).

² Id. § 1204C.

³ Id. § 1205C.

⁴ Id. § 1206C.

⁵ Id. § 1203C.

⁶ Similar state laws are sometimes sought to be enforced privately as part of other state consumer protection statutes, or create a private right of action expressly. See, e.g., California’s Reader Privacy Act, Cal. Civ. Code § 1798.90-1798.90.05, discussed infra.

⁷ Cal. Bus. & Prof. Code § 22580 is the first half of what is commonly known as the “Eraser” bill. Delaware’s law does not contain the “eraser” provisions of Cal. Bus. & Prof. Code § 22581.

⁸ The Act defines a “child” or “children” to be one or more Delaware residents under the age of 18. Id. § 1202C(6).

⁹ Id. § 1203C(a).

¹⁰ Cal. Bus. & Prof. Code § 22580(i)(5), (6), (17).

¹¹ Del. Code tit. 6, § 1204C(f)(11), (15).

¹² Id. § 1204C(h).

¹³ Cal. Bus. & Prof. Code § 22575-79.

¹⁴ Compare id. § 22575(b)(5), with Del. Code tit. 6, § 1205C(b)(5).

¹⁵ See California Department of Justice, Making Your Privacy Practices Public: Recommendations on Developing a Meaningful Privacy Policy 6 (2014) (“[CalOPPA] does not define ‘online service,’ although the Attorney General has stated that a mobile application is one type of online service.”), https://oag.ca.gov/sites/all/files/agweb/pdfs/cybersecurity/making_your_privacy_practices_public.pdf.

¹⁶ Del. Code tit. 6, § 1205C(a).

¹⁷ A “book service provider” under DOPPA is “any commercial entity offering a book service to the public, except that a commercial entity that sells a variety of consumer products is not a book service provider if its book service sales do not exceed 2 percent of the entity’s total annual gross sales of consumer products sold in the United States.” Id. § 1202C(5). A “book service” is “a service by which an entity, as its primary purpose, provides individuals with the ability to rent, purchase, borrow, browse, or view books electronically or via the Internet.” Id. § 1202C(3). A “book” is “paginated or similarly organized content in digital, electronic, printed, audio, or other format, including fiction, nonfiction, academic, or other works of the type normally published in a volume or finite number of volumes, excluding serial publications such as a magazine or newspaper.” Id. § 1202C(2).

¹⁸ Cal. Civ. Code § 1798.90-1798.90.05.

¹⁹ Del. Code tit. 6, § 1206C(a); Cal. Civ. Code § 1798.90(c).

²⁰ Del. Code tit. 6, § 1206C(e); Cal. Civ. Code § 1798.90(i)-(k).

²¹ Compare Del. Code tit. 6, § 1202C(3), (5), with Cal. Civ. Code § 1798.90(b)(2).

²² Del. Code tit. 6, § 1202C(5); Cal. Civ. Code § 1798.90(b)(2).

²³ Compare Del. Code tit. 6, § 1206C(d), with Cal. Civ. Code § 1798.90(g).

²⁴ Compare Del. Code tit. 6, § 1206C(a)(1), with Cal. Civ. Code § 1798.90(c)(1).