Delaware.gov logo

Authenticated PDF Version

DEPARTMENT OF JUSTICE

Fraud and Consumer Protection Division

Securities Unit

Statutory Authority: 29 Delaware Code, Section 2521 (29 Del.C. §2521)

proposed

PUBLIC NOTICE

104 Privacy Policies For Commercial Online Sites, Services, and Applications

The Consumer Protection Unit of the Department of Justice hereby gives notice of proposed Consumer Protection Unit Regulation 104 relating to Privacy Policies For Commercial Online Sites, Services, and Applications.

Senate Substitute No. 1 for Senate Bill No. 68, as amended by Senate Amendment Nos. 1, 2, and 3, of the 148th General Assembly requires operators of commercial Internet websites, online or cloud computing services, online applications, or mobile applications that collect personally identifiable information through the Internet about individual users residing in Delaware who use or visit the operator's commercial internet website, online or cloud computing service, online application, or mobile application to make their privacy policies conspicuously available on their internet website, online or cloud computing service, online application, or mobile application as of January 1, 2016. The applicable legislation is now found in Chapter 12C, Title 6 of the Delaware Code.

The proposed regulation sets forth optional “safe harbor” language that operators may, but are not required to, use in their privacy policies that the Consumer Protection Unit has determined will comply with the disclosure requirements of 6 Del.C. §1205C(b). The proposed regulation also declares that the Consumer Protection Unit will treat privacy policies which comply with the disclosure requirements of the California Online Privacy Protection Act (CalOPPA), Cal. Bus. & Prof. Code §§22575–22579, as also complying with the requirements of 6 Del.C. §1205C. The proposed regulation does not foreclose operators from using other language and formats of their own choosing to comply with 6 Del.C. §1205C(b). The Delaware Code authority for this proposed regulation is 29 Del.C. §2521.

The Consumer Protection Unit will not hold a public hearing on the proposed regulation. The proposed regulation appears below. Any person who wishes to submit suggestions, compilations of data, testimony, briefs or other written materials concerning the proposed regulation must submit the same by USPS Mail or email no later than 4:30 p.m. EST, Monday, February 1, 2016. Submissions by email should include “Privacy Policies For Commercial Online Sites, Services, and Applications” in the subject line of the email. Submissions must be directed to:

Christian Douglas Wright

Director, Consumer Protection Unit

Delaware Department of Justice

820 N. French Street

Wilmington, DE 19801

email: christian.wright@state.de.us

104 Privacy Policies For Commercial Online Sites, Services, and Applications

1.0 Introduction and Purpose

The purpose of this regulation is to provide operators of commercial Internet websites, online or cloud computing services, online applications, or mobile applications with optional “safe harbor” language that they may, but are not required to, use in their privacy policies that the Consumer Protection Unit has determined will comply with the disclosure requirements of 6 Del.C. §1205C(b).

2.0 Effective Date

The effective date of this regulation is Monday, March 14, 2016.

3.0 Definitions

3.1 The following terms are defined in 6 Del.C. §1202C and have the same meaning when used in this regulation:

Content

Internet

Operator

Personally identifiable information

Post

User

3.2 For purposes of this regulation, the term “site, service, or application” means an Internet website, online or cloud computing service, online application, or mobile application.

4.0 Optional Safe Harbor Language for Privacy Policies

4.1 Use of the language and format in this Section 4.0 is not mandatory. Operators are free to use alternative language and formats of their choosing that comply with 6 Del.C. §1205C(b).

4.2 Identification of the Categories of Personally Identifiable Information Collected and the Third-Party Persons to Whom Such Information May Be Disclosed

4.2.1 Under 6 Del.C. §1205C(b)(1), an operator of a commercial site, service, or application is required to identify in its privacy policy the categories of personally identifiable information it collects from users of its site, service, or application, and the categories of third-party persons to whom such information may be disclosed.

4.2.2 An operator shall be deemed to have identified “the categories of personally identifiable information” required by 6 Del.C. §1205C(b)(1), when the operator provides the following disclosures in its privacy policy, if the operator collects, stores, or uses the specified kind of personal information:

Collecting Personally Identifiable Information

We may collect, store, and use the following kinds of personal information:

Information you provide to us when your register with our [site/service/application], including your [specify the personal information provided by the user upon registration that you collect, store, and use—examples might include first and last names, e-mail address, physical address, telephone number, social security number].
Information you provide when completing a profile on our [site/service/application], including your [specify the personal information provided by the user upon registration that you collect, store, and use—examples might include first and last names, gender, age, date of birth, education status, employment status, relationship status, hobbies and other interests].
Information you provide when you subscribe to a newsletter or other periodic report or notification that we provide, including [specify the personal information provided by the user when they subscribe that you collect, store, and use—such as first and last names and an email address].
Information about your device or computer, including [your IP address, geolocation, browser type, browser version, device type, operating system, referring [site/service/application]].
Information about your visits to and use of the [site/service/application], including how you use the [site/service/application], such as [specify the type of information—examples might include the timing, length, frequency, and pattern of use, and the pages, screens, or other displays of information looked at by the user].
Information relating to any purchases you make of our [goods/services] or any other transactions that you enter into through our [site/service/application], including [specify the information—examples might include first and last names, e-mail address, physical address, telephone number, and payment card information].
Information that you post to our [site/service/application] for publication on the Internet, including [specify the information—examples might include first and last names, user names, profile pictures, and the actual content of what a user posts].
Information contained in or relating to any communication that you send to us or send through our [site/service/application], including [specify the information—examples might include the content of the communication and metadata associated with it].
[Identify and describe any other any other personal information that collected by the site, service, or application, including when or how the operator collects it.]

4.2.3 An operator shall be deemed to have identified “the categories of third-party persons” required by 6 Del.C. §1205C(b)(1), when the operator provides the following disclosures in its privacy policy, if the operator shares a user’s personally identifiable information with the specified third-party persons:

Disclosing Personally Identifiable Information With Third Parties

We may disclose personally identifiable information we collect from you to the following third parties, for the purposes specified:

Agents. [Describe any agents to whom the operator may disclose the information, why the operator may disclose it to them, and whether the agents can retain, store, or use the information for any other purposes—examples might include an outside shipping company used to fulfill and deliver orders, or a credit card company that processes sales transactions].
Service Providers. We use third parties to provide [specify the services provided] on our [site/service/application]. If [or When] you sign up for [specified services], we will share [specify the information that will be shared] to the extent necessary in order for the third party to provide that service. [Specify whether the service providers can retain, store, or use the information for any other purposes.]
Affiliates. We may disclose your personal information to our affiliates, including [the operator’s employees, officers, and directors, the operator’s subsidiaries, the operator’s ultimate parent company, and any other subsidiary of the operator’s ultimate parent company, as appropriate], in order to [specify why the operator might disclose the information to affiliates, and whether the affiliates can retain, store, or use the information for any other purposes].
Other Third Parties. We may disclose to [identify any other third parties to whom the operator may disclose a user’s personal information] your [identify what information is disclosed], in order to [specify why the operator may disclose the information to these other third parties, and whether these other third parties can retain, store, or use the information for any other purposes].
Other Disclosures. We may also disclose personally identifiable information we collect from you when we are required to do so by law, or when we believe that disclosure is necessary to protect our rights or to comply with a judicial proceeding, court order, or legal process served on our [site/service/application].

4.3 Description of Process to Review and Request Changes to Personally Identifiable Information Collected

4.3.1 Under 6 Del.C. §1205C(b)(2), an operator of a commercial site, service, or application is required to describe in its privacy policy whether it maintains a process that allows users of the site, service, or application to request changes to their personally identifiable information collected by the operator through the site, service, or application, and, if it maintains such a process, the operator must also describe that process.

4.3.2 An operator that maintains a process that allows users of its site, service, or application to request changes to their personally identifiable information collected by the operator through the site, service, or application, shall be deemed to have made disclosure required by 6 Del.C. §1205C(b)(2) when the operator provides the following disclosure in its privacy policy:

Making Changes To Your Information

This [site/service/application] permits you to review and make changes to the personally identifiable information we collect from you. You can make changes by [describe process for a user to review and make changes—examples of such processes could include logging in to the site, service, or application and using available tools, contacting customer support, or by contacting the operator by specified telephone, postal mail, or email].

4.3.3 An operator that does not maintain a process that allows users of its site, service, or application to request changes to their personally identifiable information collected by the operator through the site, service, or application, shall be deemed to have made disclosure required by 6 Del.C. §1205C(b)(2) when the operator provides the following disclosure in its privacy policy:

Making Changes To Your Information

This [site/service/application] does not maintain a process by which you can review and make changes to the personally identifiable information we collect from you.

4.4 Description of Process for Notifying Users of Material Changes

4.4.1 Under 6 Del.C. §1205C(b)(3), an operator of a commercial site, service, or application is required to describe in its privacy policy how it notifies users of its site, service, or application of material changes to its privacy policy.

4.4.2 An operator shall be deemed to have made the disclosure required by 6 Del.C. §1205C(b)(3) when the operator provides the following disclosure in its privacy policy:

We may modify this privacy policy at any time. If we do, we will [post the revised version here/notify you via email/describe other method of notifying users]. You should periodically check here for the most up-to-date version of this privacy policy. Any changes to the privacy policy will not be retroactively applied and will not alter how we handle personally identifiable information we previously collected from you.

4.5 Identification of the Effective Date

4.5.1 Under 6 Del.C. §1205C(b)(4), an operator of a commercial site, service, or application is required to identify the effective date of its privacy policy.

4.5.2 An operator shall be deemed to have made the disclosure required by 6 Del.C. §1205C(b)(4) when the operator provides the following disclosure in its privacy policy:

This privacy policy is effective as of [month day, year].

4.6 Description of Response to Web Browser “Do Not Track” Signals

4.6.1 Under 6 Del.C. §1205C(b)(5), an operator of a commercial site, service, or application is required to disclose how the site, service, or application responds to web browser “do not track” signals or other mechanisms that are intended to give users the ability to exercise choice regarding the collection of personally identifiable information about a user’s activities, through the use of persistent identifiers such as “cookies,” “pixel tags,” and “web beacons,” over time and across third-party sites, services, or applications. This applies to all persistent identifiers used on the operator’s site, service, or application, regardless of whether those persistent identifiers are placed on the site, service, or application by the operator or a third party such as an advertising service.

4.6.2 An operator shall be deemed to have made the disclosure required by 6 Del.C. §1205C(b)(5) when the operator provides the following disclosure in its privacy policy:

Certain web browsers may provide an option by which you may have the browser inform websites or internet services you visit that you do not wish to have personally identifiable information about your activities tracked by cookies or other persistent identifiers across time and across third-party Internet websites, online or cloud computing services, online applications, or mobile applications. These are commonly called “do not track” signals. Our [site/service/application] responds to such signals by [if the site, service, or application takes action in response to such signals, describe the action taken and explain the basis for it; if the site, service, or application is unable to take action, state so and explain why; if the site, service, or application is able to take action but does not take action, state so and explain why].

4.7 Disclosure of Third Party Collection of Personally Identifiable Information

4.7.1 Under 6 Del.C. §1205C(b)(6), an operator of a commercial site, service, or application is required to disclose in its privacy policy whether anyone other than the operator may collect personally identifiable information about a user’s online activities, over time and across different sites, services, and applications, when a user uses the operator’s site, service, or application.

4.7.2 An operator shall be deemed to have made the disclosure required by 6 Del.C. §1205C(b)(6) when the operator provides the following disclosure in its privacy policy:

We [do not allow/may allow] allow third parties to collect personally identifiable information about a user’s online activities, over time and across different sites, services, and applications, when that user uses our site, service, or application. [If “may allow,” the operator must describe the kinds of third parties who may be permitted to engage in such collection, the purpose for permitting such collection, and what those third parties may do with the information collected—such as, for example, collection of a user’s personally identifiable information by an advertising service for the purpose of directing targeted advertising to the user while using the operator’s or a third-party’s site, service, or application.]

5.0 Alternative Safe Harbor to Comply with the Content Requirements of 6 Del.C. §1205C(b)

An operator of a commercial site, service, or application shall be deemed to have made the disclosures required by 6 Del.C. §1205C(b) if the operator has a privacy policy that complies with the requirements of the California Online Privacy Protection Act (CalOPPA), Cal. Bus. & Prof. Code §§22575–22579.

19 DE Reg. 578 (01/01/16) (Prop.)
 
+