The Delaware Online Privacy and Protection Act (DOPPA) has been in effect since January 1, 2016. This is the second state law regarding online privacy, which appears to suggest a trend where other U.S. states will pass their own privacy acts and regulations.
It is similar to the California Online Privacy Protection Act (CalOPPA) but not identical. Although, if you already comply with CalOPPA, it is likely that you'll by default comply with most DOPPA requirements, too.
Here is a review of this law and recommended steps to assure compliance.
What is DOPPA?
DOPPA covers more subject matter than other privacy laws. Its main tenets include:
- Website operators who collect personally identifiable information from Delaware residents,
- Limiting the online marketing of certain products to children, and
- Protecting the identity of users who access electronic books
The act adopts the standard definition of personally identifiable information (PII) meaning any data that can reveal the identity of a user. This includes full names, email addresses, telephone numbers, social security numbers, and physical contact information, like street addresses.
- Identifies the information collected,
- Offers users an opportunity to review and change data,
- Identifies the third parties that receive the information, and
- Includes an effective date
Clear text hyperlinks and logos satisfy the requirement for being conspicuous.
If a website or app collects PII from children, it must already comply with the Children's Online Privacy Protection Act (COPPA). With the addition of the Delaware law, your website or app must also avoid using that PII to market alcohol, tobacco products, fireworks, tattoos, body piercing services, and dietary supplements to children.
If you focus primarily on adult products such as those listed above, it is a good idea to review the complete list under Section 1204C of DOPPA.
Finally, DOPPA addresses user protection for book services, meaning websites or apps that distribute electronic books.
If a private or government entity requests information on a user's reading habits, you may disclose it only under limited circumstances. The act sets timeframes for objecting to a subpoena when there is no compelling reason to disclose. The only time you must disclose without question is when a law enforcement agency issues a search warrant.
If you violate the act, you have 30 days to fix your shortcomings. Failure to follow through with an attorney general's request results in further penalties, including fines. While the act does not directly authorize civil liability against you, it does not prohibit it either. That makes lawsuits a possibility if you mishandle a user's PII.
Differences from CalOPPA
Due to their similar names and overlapping subject matter, it is only natural that DOPPA is compared with its California counterpart. Being a newer law, it approaches privacy slightly differently.
The three primary differences between the laws include:
- Protected persons: CalOPPA is specific to "consumers," meaning anyone who seeks to purchase goods or services or apply for credit online. DOPPA protects "users," which is anyone who uses a website or app, even if they are merely playing a game or performing research without making a purchase.
- Covered services: Since it passed before mobile apps were wildly popular, CalOPPA is limited to commercial websites and apps. DOPPA covers websites, cloud computing services, online apps, and mobile apps.
- Definition of "operators": CalOPPA applies to any person or entity who runs a website or online service that collects PII. DOPPA expands its definition of "operators" to include entities and individuals who run not only websites but also cloud services, online apps, and mobile apps.
You can almost consider DOPPA an updated version of CalOPPA. Since its definitions are broader, you can likely comply with DOPPA by expanding on your CalOPPA compliance practices.
Complying with DOPPA
If you operate in the U.S., it is impossible to avoid interacting with Delaware residents. For that reason, err on the side of DOPPA compliance.
While many developers post separate CalOPPA provisions in their Privacy Policies, the same practice has not extended to DOPPA - at least not yet. Even if you do not post separate provisions for either law, your general practices can still comply with both.
Categories of information
Most Privacy Policies start with the categories of PII collected from users. If you skipped this section or hid it in the middle of your agreement, consider moving it to the top.
U-Haul provides a good example of a clear information categories section. Notice the use of bullets for readability:
If your section is nonexistent or tends to run the categories of information together in one paragraph, consider editing it to produce a list so users can see this better.
Process for users to request changes to information
Providing an email address, telephone number or account login process for changing data is essential to DOPPA and CalOPPA. This does not have to be a complex provision, but it must be complete.
ABC Financial invites corrections and provides a telephone number:
If you decide to process information change requests yourself, keep it accessible. Do not direct users to a telephone number that is never answered or a mostly-ignored email box.
You want to address these change requests not only for legal compliance but to keep your users happy.
There are no requirements as to where you place the effective date. You can put it at the end of your policy if you prefer. However, rather than using "last revised," consider presenting the date as "effective as of" to stay consistent with the language in DOPPA.
Handling of "Do Not Track" signals
This provision will be similar to the CalOPPA notices in some Privacy Policies. Since many operators do not want the extra work of consistently reviewing "Do Not Track" requests, this notice often states that specifically.
Pandora takes that approach in its CalOPPA provisions. This would also work for DOPPA:
Third party disclosure must also be addressed. This includes who may receive data, which U-Haul addresses in a well-presented list:
If third parties use their own tracking software and cookies to customize advertising, that must also be disclosed.
Pandora's provision addresses these third party advertisers:
Make it conspicuous
Link on homepage
Links in footers are familiar to users and meet the requirements under DOPPA. U-Haul offers an example here:
Icons containing the word "privacy"
This announcement of a previous Microsoft update contains two effective logos--one with the lock and the purple button with white text. Both include the word "privacy":
If your website or app tends to be more graphically focused, this is an effective approach that also meets the requirements under DOPPA.
Clear text links
Basically, if your website has a black background, do not make your text links dark blue, where users cannot easily find them.
Offer a link at sign-up
The New Statesman Tech offers an excellent example of this approach:
This is a good idea if you handle large amounts of PII. It allows users to make an informed decision and helps you meet the conspicuous placement requirements better.
Be careful with children's information
As mentioned, DOPPA restricts using children's PII to market certain products to them. This is different subject matter from the Children's Online Privacy Protection Act and expands on the responsibilities you already have under that law.
If you sell items like firearms, fireworks, alcohol, piercing services or other restricted goods and services, your best approach is to restrict your website to users over 18. This reduces the chances of children accessing your site or app and gives you reasonable grounds to believe children are not among your users.
To violate this section, you must be aware that children are using your site, so those who sneak past your restriction methods will not expose you to liability.
If your website or app is designed primarily for children, take action to ensure that third-party advertisers do not post ads leading to restricted products and services.
Protect book service data
If you distribute electronic books, understand that you only need to release user data under very limited circumstances. In fact, you may not release this data except when doing so is reasonable.
A discovery request, criminal summons or other formal request is usually appropriate. Before releasing this information, you must give the user 35 days advance notice. If the user objects or you find the order particularly uncompelling, you can object. The liability is on you if you disclose book service information inappropriately, so you will need a review and disclosure process to handle these requests in case you receive one.
However, if a law enforcement agency requests the information because there is an imminent threat or danger, you must comply in a timely manner. If you receive this request verbally or it appears inappropriate, you may request a search warrant, which must be provided within 48 hours. Once it arrives, comply immediately.