DEPARTMENT OF JUSTICE
Fraud and Consumer Protection Division
FINAL ORDER
104 Privacy Policies for Commercial Online Sites, Services, and Applications
Background and Findings of Fact
The Consumer Protection Unit of the Delaware Department of Justice ("the Consumer Protection Unit") has the authority to enforce and publish regulations with respect to the Online and Personal Privacy Protection Act (6 Del.C. § 1201C et seq.) pursuant to 6 Del.C. § 1203C and 29 Del.C. § 2521.
Regulation 104 Privacy Policies for Commercial Online Sites, Services, and Applications was adopted on July 1, 2016 (the "Regulation") shortly after the adoption of the Online and Personal Privacy Protection Act (6 Del.C. § 1201C et seq.) (the "Online Act"). The Online Act mandated that certain online businesses post a privacy policy with specified information. The purpose of the Regulation was to provide operators of commercial Internet websites, online or cloud computing services, online applications, or mobile applications with optional "safe harbor" language that they may, but are not required to, use in their privacy policies and that the Consumer Protection Unit determined would comply with the disclosure requirements of 6 Del.C. §1205C(b) at that time. The Delaware Personal Data Privacy Act was adopted in 2023 (6 Del.C. § 12D-101 et seq.) (the "DPDPA") and requires certain businesses to include a "reasonably accessible, clear, and meaningful privacy notice" with additional information compared to the Online Act. The "safe harbor" language in the Regulation may not satisfy the DPDPA requirements in certain circumstances and risks causing confusion for businesses about their privacy notice obligations. Accordingly, the Consumer Protection Unit has determined that the "safe harbor" language in the Regulation is no longer appropriate under the Online Act or the DPDPA and has proposed repealing the Regulation.
The Consumer Protection Unit proposed repeal of Regulation 104 on October 1, 2024, and requested public comment by November 1, 2024. No public comments were received.
The Consumer Protection Unit has reviewed the proposed repeal of the regulation as required by 29 Del.C. §10118(b)(3) and has determined that any assessment of the impact of the proposed repeal of the regulation on the achievement of the State's greenhouse gas emission reduction targets or on the State's resiliency to climate change is not practical in view of the nature of the proposed repeal.
Decision to Repeal the Regulation and Effective Date
THEREFORE, IT IS ORDERED, that the proposed repeal of Regulation to the Online and Personal Privacy Protection Act is adopted and shall be final effective December 11, 2024.
November 15, 2024 (date of signature)
John Allen Eakins, Deputy Attorney General
Designee of the Director of the Division of Fraud and Consumer Protection
104 Privacy Policies for Commercial Online Sites, Services, and Applications
The purpose of this regulation is to provide operators of commercial Internet websites, online or cloud computing services, online applications, or mobile applications with optional “safe harbor” language that they may, but are not required to, use in their privacy policies that the Consumer Protection Unit has determined will comply with the disclosure requirements of 6 Del.C. §1205C(b).
The effective date of this regulation is Friday, July 15, 2016.
3.1 The following terms are defined in 6 Del.C. §1202C and have the same meaning when used in this regulation:
“Content”
“Internet”
“Operator”
“Personally identifiable information”
“Post”
“User”
3.2 For purposes of this regulation, the term “site, service, or application” means an Internet website, online or cloud computing service, online application, or mobile application.
4.1 Use of the language and format in this Section 4.0 is not mandatory. Operators are free to use alternative language and formats of their choosing that comply with 6 Del.C. §1205C(b).
4.2 Identification of the Categories of Personally Identifiable Information Collected and the Third-Party Persons to Whom Such Information May Be Disclosed
4.2.1 Under 6 Del.C. §1205C(b)(1), an operator of a commercial site, service, or application is required to identify in its privacy policy the categories of personally identifiable information it collects from users of its site, service, or application, and the categories of third-party persons to whom such information may be disclosed.
4.2.2 An operator shall be deemed to have identified “the categories of personally identifiable information” required by 6 Del.C. §1205C(b)(1), when the operator provides the following disclosures in its privacy policy, if the operator collects, stores, or uses the specified kind of personal information:
Collecting Personally Identifiable Information
We may collect, store, and use the following kinds of personal information:
4.2.3 An operator shall be deemed to have identified “the categories of third-party persons” required by 6 Del.C. §1205C(b)(1), when the operator provides the following disclosures in its privacy policy, if the operator shares a user’s personally identifiable information with the specified third-party persons:
Disclosing Personally Identifiable Information With Third Parties
We may disclose personally identifiable information we collect from you to the following third parties, for the purposes specified:
4.3 Description of Process to Review and Request Changes to Personally Identifiable Information Collected
4.3.1 Under 6 Del.C. §1205C(b)(2), an operator of a commercial site, service, or application is required to describe in its privacy policy whether it maintains a process that allows users of the site, service, or application to request changes to their personally identifiable information collected by the operator through the site, service, or application, and, if it maintains such a process, the operator must also describe that process.
4.3.2 An operator that maintains a process that allows users of its site, service, or application to request changes to their personally identifiable information collected by the operator through the site, service, or application, shall be deemed to have made disclosure required by 6 Del.C. §1205C(b)(2) when the operator provides the following disclosure in its privacy policy:
Making Changes To Your Information
This [site/service/application] permits you to review and make changes to the personally identifiable information we collect from you. You can make changes by [describe process for a user to review and make changes—examples of such processes could include logging in to the site, service, or application and using available tools, contacting customer support, or by contacting the operator by specified telephone, postal mail, or email].
4.3.3 An operator that does not maintain a process that allows users of its site, service, or application to request changes to their personally identifiable information collected by the operator through the site, service, or application, shall be deemed to have made disclosure required by 6 Del.C. §1205C(b)(2) when the operator provides the following disclosure in its privacy policy:
Making Changes To Your Information
This [site/service/application] does not maintain a process by which you can review and make changes to the personally identifiable information we collect from you.
4.4 Description of Process for Notifying Users of Material Changes
4.4.1 Under 6 Del.C. §1205C(b)(3), an operator of a commercial site, service, or application is required to describe in its privacy policy how it notifies users of its site, service, or application of material changes to its privacy policy.
4.4.2 An operator shall be deemed to have made the disclosure required by 6 Del.C. §1205C(b)(3) when the operator provides the following disclosure in its privacy policy:
We may modify this privacy policy at any time. If we do, we will [post the revised version here/notify you via email/describe other method of notifying users]. You should periodically check here for the most up-to-date version of this privacy policy. Any changes to the privacy policy will not be retroactively applied and will not alter how we handle personally identifiable information we previously collected from you.
4.5 Identification of the Effective Date
4.5.1 Under 6 Del.C. §1205C(b)(4), an operator of a commercial site, service, or application is required to identify the effective date of its privacy policy.
4.5.2 An operator shall be deemed to have made the disclosure required by 6 Del.C. §1205C(b)(4) when the operator provides the following disclosure in its privacy policy:
This privacy policy is effective as of [month day, year].
4.6 Description of Response to Web Browser “Do Not Track” Signals
4.6.1 Under 6 Del.C. §1205C(b)(5), an operator of a commercial site, service, or application is required to disclose how the site, service, or application responds to web browser “do not track” signals or other mechanisms that are intended to give users the ability to exercise choice regarding the collection of personally identifiable information about a user’s activities, through the use of persistent identifiers such as “cookies,” “pixel tags,” and “web beacons,” over time and across third-party sites, services, or applications. This applies to all persistent identifiers used on the operator’s site, service, or application, regardless of whether those persistent identifiers are placed on the site, service, or application by the operator or a third party such as an advertising service.
4.6.2 An operator shall be deemed to have made the disclosure required by 6 Del.C. §1205C(b)(5) when the operator provides the following disclosure in its privacy policy:
Certain web browsers may provide an option by which you may have the browser inform websites or internet services you visit that you do not wish to have personally identifiable information about your activities tracked by cookies or other persistent identifiers across time and across third-party Internet websites, online or cloud computing services, online applications, or mobile applications. These are commonly called “do not track” signals. Our [site/service/application] responds to such signals by [if the site, service, or application takes action in response to such signals, describe the action taken and explain the basis for it; if the site, service, or application is unable to take action, state so and explain why; if the site, service, or application is able to take action but does not take action, state so and explain why].
4.7 Disclosure of Third Party Collection of Personally Identifiable Information
4.7.1 Under 6 Del.C. §1205C(b)(6), an operator of a commercial site, service, or application is required to disclose in its privacy policy whether anyone other than the operator may collect personally identifiable information about a user’s online activities, over time and across different sites, services, and applications, when a user uses the operator’s site, service, or application.
4.7.2 An operator shall be deemed to have made the disclosure required by 6 Del.C. §1205C(b)(6) when the operator provides the following disclosure in its privacy policy:
We [do not allow/may allow] third parties to collect personally identifiable information about a user’s online activities, over time and across different sites, services, and applications, when that user uses our site, service, or application. [If “may allow,” the operator must describe the kinds of third parties who may be permitted to engage in such collection, the purpose for permitting such collection, and what those third parties may do with the information collected—such as, for example, collection of a user’s personally identifiable information by an advertising service for the purpose of directing targeted advertising to the user while using the operator’s or a third-party’s site, service, or application.]
An operator of a commercial site, service, or application shall be deemed to have made the disclosures required by 6 Del.C. §1205C(b) if the operator has a privacy policy that complies with the requirements of the California Online Privacy Protection Act (CalOPPA), Cal. Bus. & Prof. Code §§22575–22579.