DEPARTMENT OF JUSTICE

Fraud and Consumer Protection Division

Consumer Protection Unit

Statutory Authority: 29 Delaware Code, Section 2521 (29 Del.C. §2521)

FINAL

REGULATORY IMPLEMENTING ORDER

104 Privacy Policies For Commercial Online Sites, Services, and Applications

I. SUMMARY OF THE EVIDENCE AND INFORMATION SUBMITTED

The Director of the Consumer Protection Unit of the Department of Justice intends to adopt 6 DE Admin. Code 104 Privacy Policies for Commercial Online Sites, Services, and Applications. This regulation is being adopted to set forth optional "safe harbor" language that operators may, but are not required to, use in their privacy policies that the Consumer Protection Unit has determined will comply with the disclosure requirements of 6 Del.C. §1205C(b), to declare that the Consumer Protection Unit will treat privacy policies which comply with the disclosure requirements of the California Online Privacy Protection Act (CalOPPA), Cal. Bus. & Prof. Code §§ 22575-22579, as also complying with the requirements of 6 Del.C. §1205C, and to declare that operators are not foreclosed from using other language and formats of their own choosing to comply with 6 Del.C. §1205C(b).

Notice of the proposed regulation was published in the January 2016 Register of Regulations. The notice stated that the Consumer Protection Unit would not hold a public hearing on the proposed regulation, and directed that any person who wished to submit suggestions, compilations of data, testimony, briefs or other written materials concerning the proposed regulation must do so no later than 4:30 p.m. EST, Monday, February 2, 2016.

Timely written comments were received from two industry associations representing large companies operating in the internet and technology/communications/media/retail fields. Both commenters expressed their belief that the safe harbor language was too detailed, would be too burdensome, was inconsistent with California law, and urged that the proposed regulations be revised to make clear that generalized disclosures meet the requirements of 6 Del.C. §1205C(b). One of the commenters also criticized the proposed regulation for creating a safe harbor only for privacy policies that comply with the disclosure requirements of the California Online Privacy Protection Act (CalOPPA), Cal. Bus. & Prof. Code §§ 22575-22579, and suggested that the proposed regulation should instead preemptively grant safe harbor status to other similar laws that might be enacted by other jurisdictions at some point in the future.

II. FINDINGS OF FACT

The Director of the Consumer Protection Unit finds that it is appropriate to adopt 6 DE Admin. Code 104 Privacy Policies for Commercial Online Sites, Services, and Applications, in order to (1) provide operators of commercial sites, services, and applications with optional "safe harbor" language that they may, but are not required to, use in their privacy policies in order to be deemed by the Consumer Protection Unit to be in compliance with the disclosure requirements of 6 Del.C. §1205C(b); (2) declare that the Consumer Protection Unit will treat privacy policies which comply with the disclosure requirements of the California Online Privacy Protection Act (CalOPPA), Cal. Bus. & Prof. Code §§ 22575-22579, as also complying with the requirements of 6 Del.C. §1205C; and (3) declare that operators are not foreclosed from using other language and formats of their own choosing to comply with 6 Del.C. §1205C(b). The Director of the Consumer Protection Unit finds that the optional "safe harbor" language is consistent with the requirements of 6 Del.C. §1205C(b). The Director of the Consumer Protection Unit also finds that the "general disclosures" of the type urged by the commenters as being current good practice do not appear to be consistent with the requirements of 6 Del.C. §1205C(b) and also appear to be contrary to the best practices recommendations of the California Attorney General's Office, which, among other things, urges that privacy policies be "reasonably specific in describing the kind of personal information" collected by operators. The Director of the Consumer Protection Unit also finds that it is unnecessary and inappropriate to grant preemptive safe harbor status to the privacy policy laws of other states before such laws have actually been enacted and their specific language is known and can be compared to the requirements of 6 Del.C. §1205C(b). 
Finally, the Director of the Consumer Protection Unit finds that it is appropriate to make minor, non-substantive changes to the text of the proposed regulation to promote greater consistency of terminology in the optional "safe harbor" language.

III. DECISION TO ADOPT THE REGULATION

For the foregoing reasons, the Director of the Consumer Protection Unit concludes that it is appropriate to adopt 6 DE Admin. Code 104 Privacy Policies for Commercial Online Sites, Services, and Applications. Therefore, pursuant to 29 Del.C. §2521, 6 DE Admin. Code 104 Privacy Policies for Commercial Online Sites, Services, and Applications, attached hereto as Exhibit A, is hereby adopted.

IV. TEXT AND CITATION

The text of 6 DE Admin. Code 104 Privacy Policies for Commercial Online Sites, Services, and Applications adopted hereby shall be in the form attached hereto as Exhibit A, and said regulation shall be cited as 6 DE Admin. Code 104 Privacy Policies for Commercial Online Sites, Services, and Applications in the Administrative Code of Regulations for the Consumer Protection Unit of the Department of Justice.

V. EFFECTIVE DATE OF ORDER

The actions hereinabove referred to were taken by the Director of the Consumer Protection Unit pursuant to 29 Del.C. §2521 on May 27, 2016. The effective date of this Order shall be ten (10) days from the date this Order is published in the Delaware Register of Regulations.

IT IS SO ORDERED, this 27th day of May, 2016.

Christian Douglas Wright, Director

Consumer Protection Unit, Department of Justice

Approved this 27th day of May, 2016.

104 Privacy Policies For Commercial Online Sites, Services, and Applications

1.0 Introduction and Purpose

The purpose of this regulation is to provide operators of commercial Internet websites, online or cloud computing services, online applications, or mobile applications with optional “safe harbor” language that they may, but are not required to, use in their privacy policies that the Consumer Protection Unit has determined will comply with the disclosure requirements of 6 Del.C. §1205C(b).

2.0 Effective Date

The effective date of this regulation is [Monday, March 14, 2016 Friday, July 15, 2016].

3.0 Definitions

3.1 The following terms are defined in 6 Del.C. §1202C and have the same meaning when used in this regulation:

Content

Internet

Operator

Personally identifiable information

Post

User

3.2 For purposes of this regulation, the term “site, service, or application” means an Internet website, online or cloud computing service, online application, or mobile application.

4.0 Optional Safe Harbor Language for Privacy Policies

4.1 Use of the language and format in this Section 4.0 is not mandatory. Operators are free to use alternative language and formats of their choosing that comply with 6 Del.C. §1205C(b).

4.2 Identification of the Categories of Personally Identifiable Information Collected and the Third-Party Persons to Whom Such Information May Be Disclosed

4.2.1 Under 6 Del.C. §1205C(b)(1), an operator of a commercial site, service, or application is required to identify in its privacy policy the categories of personally identifiable information it collects from users of its site, service, or application, and the categories of third-party persons to whom such information may be disclosed.

4.2.2 An operator shall be deemed to have identified “the categories of personally identifiable information” required by 6 Del.C. §1205C(b)(1), when the operator provides the following disclosures in its privacy policy, if the operator collects, stores, or uses the specified kind of personal information:

Collecting Personally Identifiable Information

We may collect, store, and use the following kinds of personal information:

Information you provide to us when you register with our [site/service/application], including your [[specify describe] the personal information provided by the user upon registration that you collect, store, and use—examples might include first and last names, e-mail address, physical address, telephone number, social security number].
Information you provide when completing a profile on our [site/service/application], including your [[specify describe] the personal information provided by the user upon registration that you collect, store, and use—examples might include first and last names, gender, age, date of birth, education status, employment status, relationship status, hobbies and other interests].
Information you provide when you subscribe to a newsletter or other periodic report or notification that we provide, including [[specify describe] the personal information provided by the user when they subscribe that you collect, store, and use—such as first and last names and an email address].
Information about your device or computer, including [your IP address, geolocation, browser type, browser version, device type, operating system, referring [site/service/application]].
Information about your visits to and use of the [site/service/application], including how you use the [site/service/application], such as [[specify describe] the type of information—examples might include the timing, length, frequency, and pattern of use, and the pages, screens, or other displays of information looked at by the user].
Information relating to any purchases you make of our [goods/services] or any other transactions that you enter into through our [site/service/application], including [[specify describe] the information—examples might include first and last names, e-mail address, physical address, telephone number, and payment card information].
Information that you post to our [site/service/application] for publication on the Internet, including [[specify describe] the information—examples might include first and last names, user names, profile pictures, and the actual content of what a user posts].
Information contained in or relating to any communication that you send to us or send through our [site/service/application], including [[specify describe] the information—examples might include the content of the communication and metadata associated with it].
[Identify and describe any other personal information that [is] collected by the site, service, or application, including when or how the operator collects it.]

4.2.3 An operator shall be deemed to have identified “the categories of third-party persons” required by 6 Del.C. §1205C(b)(1), when the operator provides the following disclosures in its privacy policy, if the operator shares a user’s personally identifiable information with the specified third-party persons:

Disclosing Personally Identifiable Information With Third Parties

We may disclose personally identifiable information we collect from you to the following third parties, for the purposes specified:

Agents. [Describe [any the types of] agents to whom the operator may disclose the information, why the operator may disclose it to them, and whether [the those] agents can retain, store, or use the information for any other purposes—examples might include an outside shipping company used to fulfill and deliver orders, or a credit card company that processes sales transactions].
Service Providers. We use third parties to provide [[specify describe] the services provided] on our [site/service/application]. If [or When] you sign up for [specified services], we will share [[specify describe] the information that will be shared] to the extent necessary in order for the third party to provide that service. [[Specify State] whether the service providers can retain, store, or use the information for any other purposes.]
Affiliates. We may disclose your personal information to our affiliates, including [[describe the types of affiliates, such as] the operator’s employees, officers, and directors, the operator’s subsidiaries, the operator’s ultimate parent company, and any other subsidiary of the operator’s ultimate parent company, as appropriate], in order to [[specify describe] why the operator might disclose the information to affiliates, and whether the affiliates can retain, store, or use the information for any other purposes].
Other Third Parties. We may disclose to [[identify describe] any other [types of] third parties to whom the operator may disclose a user’s personal information] your [[identify describe] what information is disclosed], in order to [[specify describe] why the operator may disclose the information to these other [types of] third parties, and whether these other third parties can retain, store, or use the information for any other purposes].
Other Disclosures. We may also disclose personally identifiable information we collect from you when we are required to do so by law, or when we believe that disclosure is necessary to protect our rights or to comply with a judicial proceeding, court order, or legal process served on our [site/service/application].

4.3 Description of Process to Review and Request Changes to Personally Identifiable Information Collected

4.3.1 Under 6 Del.C. §1205C(b)(2), an operator of a commercial site, service, or application is required to describe in its privacy policy whether it maintains a process that allows users of the site, service, or application to request changes to their personally identifiable information collected by the operator through the site, service, or application, and, if it maintains such a process, the operator must also describe that process.

4.3.2 An operator that maintains a process that allows users of its site, service, or application to request changes to their personally identifiable information collected by the operator through the site, service, or application, shall be deemed to have made the disclosure required by 6 Del.C. §1205C(b)(2) when the operator provides the following disclosure in its privacy policy:

Making Changes To Your Information

This [site/service/application] permits you to review and make changes to the personally identifiable information we collect from you. You can make changes by [describe process for a user to review and make changes—examples of such processes could include logging in to the site, service, or application and using available tools, contacting customer support, or by contacting the operator by specified telephone, postal mail, or email].

4.3.3 An operator that does not maintain a process that allows users of its site, service, or application to request changes to their personally identifiable information collected by the operator through the site, service, or application, shall be deemed to have made the disclosure required by 6 Del.C. §1205C(b)(2) when the operator provides the following disclosure in its privacy policy:

Making Changes To Your Information

This [site/service/application] does not maintain a process by which you can review and make changes to the personally identifiable information we collect from you.

4.4 Description of Process for Notifying Users of Material Changes

4.4.1 Under 6 Del.C. §1205C(b)(3), an operator of a commercial site, service, or application is required to describe in its privacy policy how it notifies users of its site, service, or application of material changes to its privacy policy.

4.4.2 An operator shall be deemed to have made the disclosure required by 6 Del.C. §1205C(b)(3) when the operator provides the following disclosure in its privacy policy:

We may modify this privacy policy at any time. If we do, we will [post the revised version here/notify you via email/describe other method of notifying users]. You should periodically check here for the most up-to-date version of this privacy policy. Any changes to the privacy policy will not be retroactively applied and will not alter how we handle personally identifiable information we previously collected from you.

4.5 Identification of the Effective Date

4.5.1 Under 6 Del.C. §1205C(b)(4), an operator of a commercial site, service, or application is required to identify the effective date of its privacy policy.

4.5.2 An operator shall be deemed to have made the disclosure required by 6 Del.C. §1205C(b)(4) when the operator provides the following disclosure in its privacy policy:

This privacy policy is effective as of [month day, year].

4.6 Description of Response to Web Browser “Do Not Track” Signals

4.6.1 Under 6 Del.C. §1205C(b)(5), an operator of a commercial site, service, or application is required to disclose how the site, service, or application responds to web browser “do not track” signals or other mechanisms that are intended to give users the ability to exercise choice regarding the collection of personally identifiable information about a user’s activities, through the use of persistent identifiers such as “cookies,” “pixel tags,” and “web beacons,” over time and across third-party sites, services, or applications. This applies to all persistent identifiers used on the operator’s site, service, or application, regardless of whether those persistent identifiers are placed on the site, service, or application by the operator or a third party such as an advertising service.

4.6.2 An operator shall be deemed to have made the disclosure required by 6 Del.C. §1205C(b)(5) when the operator provides the following disclosure in its privacy policy:

Certain web browsers may provide an option by which you may have the browser inform websites or internet services you visit that you do not wish to have personally identifiable information about your activities tracked by cookies or other persistent identifiers across time and across third-party Internet websites, online or cloud computing services, online applications, or mobile applications. These are commonly called “do not track” signals. Our [site/service/application] responds to such signals by [if the site, service, or application takes action in response to such signals, describe the action taken and explain the basis for it; if the site, service, or application is unable to take action, state so and explain why; if the site, service, or application is able to take action but does not take action, state so and explain why].

4.7 Disclosure of Third Party Collection of Personally Identifiable Information

4.7.1 Under 6 Del.C. §1205C(b)(6), an operator of a commercial site, service, or application is required to disclose in its privacy policy whether anyone other than the operator may collect personally identifiable information about a user’s online activities, over time and across different sites, services, and applications, when a user uses the operator’s site, service, or application.

4.7.2 An operator shall be deemed to have made the disclosure required by 6 Del.C. §1205C(b)(6) when the operator provides the following disclosure in its privacy policy:

We [do not allow/may allow] third parties to collect personally identifiable information about a user’s online activities, over time and across different sites, services, and applications, when that user uses our site, service, or application. [If “may allow,” the operator must describe the kinds of third parties who may be permitted to engage in such collection, the purpose for permitting such collection, and what those third parties may do with the information collected—such as, for example, collection of a user’s personally identifiable information by an advertising service for the purpose of directing targeted advertising to the user while using the operator’s or a third-party’s site, service, or application.]

5.0 Alternative Safe Harbor to Comply with the Content Requirements of 6 Del.C. §1205C(b)

An operator of a commercial site, service, or application shall be deemed to have made the disclosures required by 6 Del.C. §1205C(b) if the operator has a privacy policy that complies with the requirements of the California Online Privacy Protection Act (CalOPPA), Cal. Bus. & Prof. Code §§22575–22579.

20 DE Reg. 55 (07/01/16) (Final)
 