Businesses that run websites, online services, or apps, or that offer book services accessible to Delaware residents, may be required to comply with the Delaware Online Privacy and Protection Act (DOPPA).
This article explains what DOPPA is, who it applies to, how to comply with the law, and what happens if you don't comply with DOPPA.
- 1. What Is the Delaware Online Privacy and Protection Act (DOPPA)?
- 2. Who Does the Delaware Online Privacy and Protection Act (DOPPA) Apply To?
- 3. How to Comply With the Delaware Online Privacy and Protection Act (DOPPA)
  - 3.1. Avoid Marketing or Advertising Certain Products or Services to Children
  - 3.2. Maintain a Privacy Policy
  - 3.3. Protect Book Service Users' Information
- 4. How to Write a DOPPA-Compliant Privacy Policy
  - 4.1. What Personal Information You Collect
  - 4.2. Types of Third Parties You Share Personal Information With
  - 4.3. How Users Can Exercise Their Privacy Rights
  - 4.4. How Users Are Notified of Privacy Policy Updates
  - 4.5. Privacy Policy Effective Date
  - 4.6. How You Respond to Users' Privacy Choices Concerning Their Online Activities
  - 4.7. Whether Other Parties Can Collect Personal Information About Users' Online Activities
- 5. Where to Display a DOPPA-Compliant Privacy Policy
- 6. Penalties for Noncompliance With the Delaware Online Privacy and Protection Act (DOPPA)
- 7. Summary
What Is the Delaware Online Privacy and Protection Act (DOPPA)?
DOPPA is a privacy law that was designed to fulfill the following purposes:
- Protect children from potentially harmful advertising
- Inform Delaware consumers when online businesses collect their personal information for commercial purposes
- Limit when businesses can disclose online book service users' information
Personal information is information that can be used to identify an individual, such as first and last names, email addresses, and telephone numbers.
Who Does the Delaware Online Privacy and Protection Act (DOPPA) Apply To?
DOPPA is broken into three sections. The first and second sections apply to operators of websites, online or cloud computing services, and online or mobile applications. The law defines an operator as the owner of a website, computing service, or application.
Third parties that operate, host, or manage (but don't own) a website, computing service, or application on behalf of the owner or process information for the owner are not considered operators.
The third section of DOPPA applies to book service providers. Book service providers are defined as commercial entities that have the primary purpose of enabling users to rent, buy, borrow, browse, or view books digitally or online. Businesses that sell products other than book services and whose book service sales are less than 2% of their total annual gross sales in the U.S. do not need to comply with DOPPA's requirements for book service providers.
How to Comply With the Delaware Online Privacy and Protection Act (DOPPA)
There are a few steps you can take to comply with DOPPA, including refraining from marketing or advertising certain products or services to children, maintaining an accessible Privacy Policy, and protecting book service users' information.
Let's take a closer look at how to comply with each section of DOPPA.
Avoid Marketing or Advertising Certain Products or Services to Children
An operator whose website, computing service, or application targets children cannot use their service to market or advertise the following products or services:
- Alcohol
- Tobacco products (including smokeless tobacco and moist snuff) and substitutes
- Firearms and ammunition
- Electronic control devices (such as Tasers)
- Fireworks
- Tanning equipment, devices, or facilities
- Dietary supplements that contain ephedrine group alkaloids
- Lottery games and facilities
- Salvia divinorum or Salvinorin A
- Body-piercing, branding, or tattoos
- Drug paraphernalia
- Tongue-splitting
- Certain sexually-oriented materials
- Projectile weapons
If an operator has knowledge that a child is using their service and can identify which user the child is, they cannot market or advertise any of the prohibited products or services listed above to the child.
If an operator knows that a child has access to their service and can identify the child, they cannot use the child's profile, activity, address, or location to advertise or market prohibited products or services to the child.
As long as the operator takes "reasonable actions in good faith" to avoid marketing or advertising the prohibited products or services, they will be considered to be in compliance with this subsection of the law.
An operator of a service that is directed at children or who knows that a child uses its service cannot collect, use, or disclose (or allow another party to collect, use, or disclose) a child's personal information for the purpose of marketing or advertising prohibited products or services to the child.
An operator of a service that is designed for children and uses a third-party advertising service is required to notify the advertising service that their service is directed to children. Upon receiving notification, advertising services must refrain from marketing or advertising the prohibited products or services.
Section 1204C (f) of DOPPA lists the products and services that operators cannot market or advertise to children, including alcohol, tobacco, and firearms.
Maintain a Privacy Policy
A Privacy Policy is a legal document that describes how a business collects, processes (uses), or shares consumers' personal information and outlines how users can exercise their privacy rights.
DOPPA requires operators of commercial websites, computing services, or apps who collect Delaware residents' personal information to maintain an accessible Privacy Policy.
Users should be able to access the Privacy Policy from the operator's website, computing service, or app.
The Privacy Policy must include the following information:
- The types of personal information the operator collects from users
- The categories of third parties the operator shares personal information with
- A description of how users can review and request changes to their personal information
- An explanation of how the operator will notify users of changes made to the Privacy Policy
- The effective date of the Privacy Policy
- How the operator responds to “do not track” signals or similar mechanisms that enable users to choose how personal information about their online behavior is collected
- Whether third parties can collect personal information about a user's online activities over time and across other websites, apps, or online services
Section 1205C (b) of DOPPA lists the clauses a DOPPA-compliant Privacy Policy should contain, including the types of personal information the operator collects and the third parties they share personal information with.
Protect Book Service Users' Information
DOPPA requires digital book service providers to protect users' book service information. The law defines book service information as any information that identifies, relates to, describes, or is associated with a user. It can include unique identifiers and IP addresses.
Book service providers cannot disclose users' book service information to individuals or private or government entities unless they receive a request by law enforcement or court order, or if the user has consented to disclosing the information to an individual.
Book service providers that disclose book service information of more than 30 users (located in Delaware and/or whose location is unknown) each year must prepare a report about any warrants, subpoenas, or court orders seeking disclosure of a user's book service information.
The report should include the number of requests for information received that the user consented to. It should be made available to the public online on the book service provider's website before March 31 each year.
On or before March 1 of each year, book service providers must do one of the following:
- Create a conspicuous link to their latest report and post it in a book service disclosure section of their Privacy Policy.
- Post the disclosure report on their website to explain how they handle users' book service information and related privacy issues.
- Post a statement on their website that they are exempt from DOPPA's reporting requirements.
Section 1206C (6e) of DOPPA lists the reporting requirements for book service providers, including listing the number of warrants, subpoenas, and court orders they receive seeking users' book service information.
How to Write a DOPPA-Compliant Privacy Policy
Your DOPPA Privacy Policy should be clearly written, up to date, accessible, and contain required information.
Let's take a look at some examples of the clauses your DOPPA Privacy Policy needs to include.
What Personal Information You Collect
This clause describes the types of personal information you collect online, such as email addresses, telephone numbers, and Social Security numbers.
Delaware.gov's Privacy Policy explains that it collects personal information from website visitors, including email addresses, IP addresses, and information about users' online behavior.
Types of Third Parties You Share Personal Information With
Your Privacy Policy should list the categories of third parties you share users' personal information with, such as service providers or affiliates.
Johnson Controls' Privacy Notice explains that it may share users' personal information with third-party service providers, law enforcement, and affiliates.
How Users Can Exercise Their Privacy Rights
This part of your Privacy Policy explains how users can review or make changes to the personal information you collect.
Nestlé's Privacy Notice lets users know that they have the right to request access to their data or ask for their data to be modified or deleted and can exercise their rights by contacting the company.
How Users Are Notified of Privacy Policy Updates
This clause lets users know how they will be notified about any material changes made to your Privacy Policy.
Johnson Controls' Privacy Notice lets users know that it will notify users of any changes made to its Privacy Notice via a notice on its Privacy Notice page.
Privacy Policy Effective Date
Your Privacy Policy should include its effective date.
Child Care Services Association posts the effective date at the top of its Privacy Policy.
How You Respond to Users' Privacy Choices Concerning Their Online Activities
This section of your Privacy Policy lets users know how you respond to mechanisms that signal their privacy choices, such as "do not track" signals.
DuPont's Privacy Statement lets users know that it does not respond to do not track signals.
Whether Other Parties Can Collect Personal Information About Users' Online Activities
This clause lets users know whether third parties are able to collect information about users' online behavior over time and across other websites, apps, or online services, such as through the use of cookies or other tracking technology.
AstraZeneca's Privacy Notice explains that it may provide performance cookies to third-party service providers for analytics purposes. It lets users know that it may share users' information with its third-party marketing and advertising partners for targeted advertising purposes and explains that third-party apps, tools, widgets, and plug-ins may collect users' information automatically.
Where to Display a DOPPA-Compliant Privacy Policy
You can display your DOPPA Privacy Policy by putting a link to the Privacy Policy on your website, computing service, or app. The link should be clearly labeled and easy to find.
Common places to put a Privacy Policy link include:
- Website footer
- In-app menu
- Account sign-up or login page
- Checkout page
- Pop-up box
DuPont maintains a link to its Privacy Statement along with links to its legal notices and Terms of Use agreement within its website footer.
Penalties for Noncompliance With the Delaware Online Privacy and Protection Act (DOPPA)
Anyone found to be in willful violation of DOPPA can face a civil penalty of up to $10,000 per violation.
The Department of Justice's Consumer Protection Unit is responsible for investigating violations and enforcing DOPPA in accordance with subchapter II of Chapter 25 of Title 29 of the Delaware Code.
Section 2522 of Title 29 of the Delaware Code lists the law's judicial remedies, including civil penalties of up to $10,000 per violation.
Summary
DOPPA is a privacy law that was designed to protect children from harmful marketing and advertising practices, inform Delaware residents about how their personal information is used, and protect book service users' information.
DOPPA applies to:
- Operators of websites, online and cloud computing services, and online or mobile applications
- Book service providers
You can comply with DOPPA by avoiding marketing or advertising prohibited products or services to children, maintaining a Privacy Policy, and protecting book service users' information.
A DOPPA-compliant Privacy Policy should contain the following clauses:
- What personal information you collect
- The categories of third parties you share users' personal information with
- How users can review their data and request modifications be made to their data
- How you will notify users of material changes made to the Privacy Policy
- The Privacy Policy's effective date
- How you respond to do not track signals or similar mechanisms
- Whether third parties can collect personal information about a user's online behavior over time and across other websites, apps, or online services
Anyone who violates DOPPA may have to pay a civil penalty of up to $10,000 per violation.