DEPARTMENT OF JUSTICE
Fraud and Consumer Protection Division
Securities Unit
proposed
PUBLIC NOTICE
104 Privacy Policies For Commercial Online Sites, Services, and Applications
The Consumer Protection Unit of the Department of Justice hereby gives notice of proposed Consumer Protection Unit Regulation 104 relating to Privacy Policies For Commercial Online Sites, Services, and Applications.
Senate Substitute No. 1 for Senate Bill No. 68, as amended by Senate Amendment Nos. 1, 2, and 3, of the 148th General Assembly requires operators of commercial Internet websites, online or cloud computing services, online applications, or mobile applications that collect personally identifiable information through the Internet about individual users residing in Delaware who use or visit the operator's commercial internet website, online or cloud computing service, online application, or mobile application to make their privacy policies conspicuously available on their internet website, online or cloud computing service, online application, or mobile application as of January 1, 2016. The applicable legislation is now found in Chapter 12C, Title 6 of the Delaware Code.
The proposed regulation sets forth optional “safe harbor” language that operators may, but are not required to, use in their privacy policies that the Consumer Protection Unit has determined will comply with the disclosure requirements of 6 Del.C. §1205C(b). The proposed regulation also declares that the Consumer Protection Unit will treat privacy policies which comply with the disclosure requirements of the California Online Privacy Protection Act (CalOPPA), Cal. Bus. & Prof. Code §§22575–22579, as also complying with the requirements of 6 Del.C. §1205C. The proposed regulation does not foreclose operators from using other language and formats of their own choosing to comply with 6 Del.C. §1205C(b). The Delaware Code authority for this proposed regulation is 29 Del.C. §2521.
The Consumer Protection Unit will not hold a public hearing on the proposed regulation. The proposed regulation appears below. Any person who wishes to submit suggestions, compilations of data, testimony, briefs or other written materials concerning the proposed regulation must submit the same by USPS Mail or email no later than 4:30 p.m. EST, Monday, February 1, 2016. Submissions by email should include “Privacy Policies For Commercial Online Sites, Services, and Applications” in the subject line of the email. Submissions must be directed to:
Christian Douglas Wright
Director, Consumer Protection Unit
Delaware Department of Justice
820 N. French Street
Wilmington, DE 19801
email: christian.wright@state.de.us
104 Privacy Policies For Commercial Online Sites, Services, and Applications
The purpose of this regulation is to provide operators of commercial Internet websites, online or cloud computing services, online applications, or mobile applications with optional “safe harbor” language that they may, but are not required to, use in their privacy policies that the Consumer Protection Unit has determined will comply with the disclosure requirements of 6 Del.C. §1205C(b).
The effective date of this regulation is Monday, March 14, 2016.
3.1 The following terms are defined in 6 Del.C. §1202C and have the same meaning when used in this regulation:
“Content”
“Internet”
“Operator”
“Personally identifiable information”
“Post”
“User”
3.2 For purposes of this regulation, the term “site, service, or application” means an Internet website, online or cloud computing service, online application, or mobile application.
4.1 Use of the language and format in this Section 4.0 is not mandatory. Operators are free to use alternative language and formats of their choosing that comply with 6 Del.C. §1205C(b).
4.2 Identification of the Categories of Personally Identifiable Information Collected and the Third-Party Persons to Whom Such Information May Be Disclosed
4.2.1 Under 6 Del.C. §1205C(b)(1), an operator of a commercial site, service, or application is required to identify in its privacy policy the categories of personally identifiable information it collects from users of its site, service, or application, and the categories of third-party persons to whom such information may be disclosed.
4.2.2 An operator shall be deemed to have identified “the categories of personally identifiable information” required by 6 Del.C. §1205C(b)(1), when the operator provides the following disclosures in its privacy policy, if the operator collects, stores, or uses the specified kind of personal information:
Collecting Personally Identifiable Information
We may collect, store, and use the following kinds of personal information:
4.2.3 An operator shall be deemed to have identified “the categories of third-party persons” required by 6 Del.C. §1205C(b)(1), when the operator provides the following disclosures in its privacy policy, if the operator shares a user’s personally identifiable information with the specified third-party persons:
Disclosing Personally Identifiable Information With Third Parties
We may disclose personally identifiable information we collect from you to the following third parties, for the purposes specified:
4.3 Description of Process to Review and Request Changes to Personally Identifiable Information Collected
4.3.1 Under 6 Del.C. §1205C(b)(2), an operator of a commercial site, service, or application is required to describe in its privacy policy whether it maintains a process that allows users of the site, service, or application to request changes to their personally identifiable information collected by the operator through the site, service, or application, and, if it maintains such a process, the operator must also describe that process.
4.3.2 An operator that maintains a process that allows users of its site, service, or application to request changes to their personally identifiable information collected by the operator through the site, service, or application, shall be deemed to have made disclosure required by 6 Del.C. §1205C(b)(2) when the operator provides the following disclosure in its privacy policy:
Making Changes To Your Information
This [site/service/application] permits you to review and make changes to the personally identifiable information we collect from you. You can make changes by [describe process for a user to review and make changes—examples of such processes could include logging in to the site, service, or application and using available tools, contacting customer support, or by contacting the operator by specified telephone, postal mail, or email].
4.3.3 An operator that does not maintain a process that allows users of its site, service, or application to request changes to their personally identifiable information collected by the operator through the site, service, or application, shall be deemed to have made disclosure required by 6 Del.C. §1205C(b)(2) when the operator provides the following disclosure in its privacy policy:
Making Changes To Your Information
This [site/service/application] does not maintain a process by which you can review and make changes to the personally identifiable information we collect from you.
4.4 Description of Process for Notifying Users of Material Changes
4.4.1 Under 6 Del.C. §1205C(b)(3), an operator of a commercial site, service, or application is required to describe in its privacy policy how it notifies users of its site, service, or application of material changes to its privacy policy.
4.4.2 An operator shall be deemed to have made the disclosure required by 6 Del.C. §1205C(b)(3) when the operator provides the following disclosure in its privacy policy:
We may modify this privacy policy at any time. If we do, we will [post the revised version here/notify you via email/describe other method of notifying users]. You should periodically check here for the most up-to-date version of this privacy policy. Any changes to the privacy policy will not be retroactively applied and will not alter how we handle personally identifiable information we previously collected from you.
4.5 Identification of the Effective Date
4.5.1 Under 6 Del.C. §1205C(b)(4), an operator of a commercial site, service, or application is required to identify the effective date of its privacy policy.
4.5.2 An operator shall be deemed to have made the disclosure required by 6 Del.C. §1205C(b)(4) when the operator provides the following disclosure in its privacy policy:
This privacy policy is effective as of [month day, year].
4.6 Description of Response to Web Browser “Do Not Track” Signals
4.6.1 Under 6 Del.C. §1205C(b)(5), an operator of a commercial site, service, or application is required to disclose how the site, service, or application responds to web browser “do not track” signals or other mechanisms that are intended to give users the ability to exercise choice regarding the collection of personally identifiable information about a user’s activities, through the use of persistent identifiers such as “cookies,” “pixel tags,” and “web beacons,” over time and across third-party sites, services, or applications. This applies to all persistent identifiers used on the operator’s site, service, or application, regardless of whether those persistent identifiers are placed on the site, service, or application by the operator or a third party such as an advertising service.
4.6.2 An operator shall be deemed to have made the disclosure required by 6 Del.C. §1205C(b)(5) when the operator provides the following disclosure in its privacy policy:
Certain web browsers may provide an option by which you may have the browser inform websites or internet services you visit that you do not wish to have personally identifiable information about your activities tracked by cookies or other persistent identifiers across time and across third-party Internet websites, online or cloud computing services, online applications, or mobile applications. These are commonly called “do not track” signals. Our [site/service/application] responds to such signals by [if the site, service, or application takes action in response to such signals, describe the action taken and explain the basis for it; if the site, service, or application is unable to take action, state so and explain why; if the site, service, or application is able to take action but does not take action, state so and explain why].
4.7 Disclosure of Third Party Collection of Personally Identifiable Information
4.7.1 Under 6 Del.C. §1205C(b)(6), an operator of a commercial site, service, or application is required to disclose in its privacy policy whether anyone other than the operator may collect personally identifiable information about a user’s online activities, over time and across different sites, services, and applications, when a user uses the operator’s site, service, or application.
4.7.2 An operator shall be deemed to have made the disclosure required by 6 Del.C. §1205C(b)(6) when the operator provides the following disclosure in its privacy policy:
We [do not allow/may allow] allow third parties to collect personally identifiable information about a user’s online activities, over time and across different sites, services, and applications, when that user uses our site, service, or application. [If “may allow,” the operator must describe the kinds of third parties who may be permitted to engage in such collection, the purpose for permitting such collection, and what those third parties may do with the information collected—such as, for example, collection of a user’s personally identifiable information by an advertising service for the purpose of directing targeted advertising to the user while using the operator’s or a third-party’s site, service, or application.]
An operator of a commercial site, service, or application shall be deemed to have made the disclosures required by 6 Del.C. §1205C(b) if the operator has a privacy policy that complies with the requirements of the California Online Privacy Protection Act (CalOPPA), Cal. Bus. & Prof. Code §§22575–22579.