DEPARTMENT OF JUSTICE

Fraud and Consumer Protection Division

Statutory Authority: 29 Delaware Code, Section 2521 (29 Del.C. §2521)

6 DE Admin. Code 104

PROPOSED

PUBLIC NOTICE

104 Privacy Policies for Commercial Online Sites, Services, and Applications

Public Notice

In compliance with the State's Administrative Procedures Act (APA -Title 29, Chapter 101 of the Delaware Code) and 29 Del.C. § 2521, the Consumer Protection Unit of the Delaware Department of Justice ("the Consumer Protection Unit") hereby publishes notice of a proposed repeal of a regulation to the Online and Personal Privacy Protection Act (6 Del.C. § 1201C et seq.) pursuant to 6 Del.C. § 1203C and 29 Del.C. § 2521.

Summary of Proposed Repeal

Regulation 104 Privacy Policies for Commercial Online Sites, Services, and Applications was adopted on July 1, 2016 (the "Regulation") shortly after the adoption of the Online and Personal Privacy Protection Act (6 Del.C. § 1201C et seq.) (the "Online Act"). The Online Act mandated certain online businesses post a privacy policy with specified information. The purpose of the Regulation was to provide operators of commercial Internet websites, online or cloud computing services, online applications, or mobile applications with optional "safe harbor" language that they may, but are not required to, use in their privacy policies that the Consumer Protection Unit would comply with the disclosure requirements of 6 Del.C. §1205C(b) at that time. The Delaware Personal Data Privacy Act was adopted in 2023 (6 Del.C. § 12D-101 et seq.) (the "DPDPA") and requires certain business include "reasonably accessible, clear, and meaningful privacy notice" with additional information compared to the Online Act. The "safe harbor" language in the Regulation may not satisfy the DPDPA requirements in certain circumstances and risks causing confusion for businesses about their privacy notice obligations. Accordingly, the Consumer Protection Unit has determined that the "safe harbor" language in the Regulation is no longer appropriate under the Online Act or the DPDPA and has proposed repealing the Regulation.

Possible Terms of the Action Agency

None.

Other Regulations That May be Affected by the Proposal

The Consumer Protection Unit does not believe that other regulations will be impacted.

Notice of Public Comment

Persons wishing to comment on the proposed regulation may submit their comments in writing no later than November 1, 2024, by email to John.Eakins@Delaware.gov or by U.S. mail to the following address:

John Eakins

Department of Justice, Consumer Protection Unit

820 N. French St.

Wilmington, DE 19801

104 Privacy Policies for Commercial Online Sites, Services, and Applications

1.0 Introduction and Purpose

The purpose of this regulation is to provide operators of commercial Internet websites, online or cloud computing services, online applications, or mobile applications with optional “safe harbor” language that they may, but are not required to, use in their privacy policies that the Consumer Protection Unit has determined will comply with the disclosure requirements of 6 Del.C. §1205C(b).

2.0 Effective Date

The effective date of this regulation is Friday, July 15, 2016.

3.0 Definitions

3.1 The following terms are defined in 6 Del.C. §1202C and have the same meaning when used in this regulation:

“Content”

“Internet”

“Operator”

“Personally identifiable information”

“Post”

“User”

3.2 For purposes of this regulation, the term “site, service, or application” means an Internet website, online or cloud computing service, online application, or mobile application.

4.0 Optional Safe Harbor Language for Privacy Policies

4.1 Use of the language and format in this Section 4.0 is not mandatory. Operators are free to use alternative language and formats of their choosing that comply with 6 Del.C. §1205C(b).

4.2 Identification of the Categories of Personally Identifiable Information Collected and the Third-Party Persons to Whom Such Information May Be Disclosed

4.2.1 Under 6 Del.C. §1205C(b)(1), an operator of a commercial site, service, or application is required to identify in its privacy policy the categories of personally identifiable information it collects from users of its site, service, or application, and the categories of third-party persons to whom such information may be disclosed.

4.2.2 An operator shall be deemed to have identified “the categories of personally identifiable information” required by 6 Del.C. §1205C(b)(1), when the operator provides the following disclosures in its privacy policy, if the operator collects, stores, or uses the specified kind of personal information:

Collecting Personally Identifiable Information

We may collect, store, and use the following kinds of personal information:

• Information you provide to us when your register with our [site/service/application], including your [describe the personal information provided by the user upon registration that you collect, store, and use—examples might include first and last names, e-mail address, physical address, telephone number, social security number].

• Information you provide when completing a profile on our [site/service/application], including your [describe the personal information provided by the user upon registration that you collect, store, and use—examples might include first and last names, gender, age, date of birth, education status, employment status, relationship status, hobbies and other interests].

• Information you provide when you subscribe to a newsletter or other periodic report or notification that we provide, including [describe the personal information provided by the user when they subscribe that you collect, store, and use—such as first and last names and an email address].

• Information about your device or computer, including [your IP address, geolocation, browser type, browser version, device type, operating system, referring [site/service/application]].

• Information about your visits to and use of the [site/service/application], including how you use the [site/service/application], such as [describe the type of information—examples might include the timing, length, frequency, and pattern of use, and the pages, screens, or other displays of information looked at by the user].

• Information relating to any purchases you make of our [goods/services] or any other transactions that you enter into through our [site/service/application], including [describe the information—examples might include first and last names, e-mail address, physical address, telephone number, and payment card information].

• Information that you post to our [site/service/application] for publication on the Internet, including [describe the information—examples might include first and last names, user names, profile pictures, and the actual content of what a user posts].

• Information contained in or relating to any communication that you send to us or send through our [site/service/application], including [describe the information—examples might include the content of the communication and metadata associated with it].

• [Identify and describe any other any other personal information that is collected by the site, service, or application, including when or how the operator collects it.]

4.2.3 An operator shall be deemed to have identified “the categories of third-party persons” required by 6 Del.C. §1205C(b)(1), when the operator provides the following disclosures in its privacy policy, if the operator shares a user’s personally identifiable information with the specified third-party persons:

Disclosing Personally Identifiable Information With Third Parties

We may disclose personally identifiable information we collect from you to the following third parties, for the purposes specified:

• Agents. [Describe the types of agents to whom the operator may disclose the information, why the operator may disclose it to them, and whether those agents can retain, store, or use the information for any other purposes—examples might include an outside shipping company used to fulfill and deliver orders, or a credit card company that processes sales transactions].

• Service Providers. We use third parties to provide [describe the services provided] on our [site/service/application]. If [or When] you sign up for [specified services], we will share [describe the information that will be shared] to the extent necessary in order for the third party to provide that service. [State whether the service providers can retain, store, or use the information for any other purposes.]

• Affiliates. We may disclose your personal information to our affiliates, including [describe the types of affiliates, such as the operator’s employees, officers, and directors, the operator’s subsidiaries, the operator’s ultimate parent company, and any other subsidiary of the operator’s ultimate parent company, as appropriate], in order to [describe why the operator might disclose the information to affiliates, and whether the affiliates can retain, store, or use the information for any other purposes].

• Other Third Parties. We may disclose to [describe any other types of third parties to whom the operator may disclose a user’s personal information] your [describe what information is disclosed], in order to [describe why the operator may disclose the information to these other types of third parties, and whether these other third parties can retain, store, or use the information for any other purposes].

• Other Disclosures. We may also disclose personally identifiable information we collect from you when we are required to do so by law, or when we believe that disclosure is necessary to protect our rights or to comply with a judicial proceeding, court order, or legal process served on our [site/service/application].

4.3 Description of Process to Review and Request Changes to Personally Identifiable Information Collected

4.3.1 Under 6 Del.C. §1205C(b)(2), an operator of a commercial site, service, or application is required to describe in its privacy policy whether it maintains a process that allows users of the site, service, or application to request changes to their personally identifiable information collected by the operator through the site, service, or application, and, if it maintains such a process, the operator must also describe that process.

4.3.2 An operator that maintains a process that allows users of its site, service, or application to request changes to their personally identifiable information collected by the operator through the site, service, or application, shall be deemed to have made disclosure required by 6 Del.C. §1205C(b)(2) when the operator provides the following disclosure in its privacy policy:

Making Changes To Your Information

This [site/service/application] permits you to review and make changes to the personally identifiable information we collect from you. You can make changes by [describe process for a user to review and make changes—examples of such processes could include logging in to the site, service, or application and using available tools, contacting customer support, or by contacting the operator by specified telephone, postal mail, or email].

4.3.3 An operator that does not maintain a process that allows users of its site, service, or application to request changes to their personally identifiable information collected by the operator through the site, service, or application, shall be deemed to have made disclosure required by 6 Del.C. §1205C(b)(2) when the operator provides the following disclosure in its privacy policy:

Making Changes To Your Information

This [site/service/application] does not maintain a process by which you can review and make changes to the personally identifiable information we collect from you.

4.4 Description of Process for Notifying Users of Material Changes

4.4.1 Under 6 Del.C. §1205C(b)(3), an operator of a commercial site, service, or application is required to describe in its privacy policy how it notifies users of its site, service, or application of material changes to its privacy policy.

4.4.2 An operator shall be deemed to have made the disclosure required by 6 Del.C. §1205C(b)(3) when the operator provides the following disclosure in its privacy policy:

We may modify this privacy policy at any time. If we do, we will [post the revised version here/notify you via email/describe other method of notifying users]. You should periodically check here for the most up-to-date version of this privacy policy. Any changes to the privacy policy will not be retroactively applied and will not alter how we handle personally identifiable information we previously collected from you.

4.5 Identification of the Effective Date

4.5.1 Under 6 Del.C. §1205C(b)(4), an operator of a commercial site, service, or application is required to identify the effective date of its privacy policy.

4.5.2 An operator shall be deemed to have made the disclosure required by 6 Del.C. §1205C(b)(4) when the operator provides the following disclosure in its privacy policy:

This privacy policy is effective as of [month day, year].

4.6 Description of Response to Web Browser “Do Not Track” Signals

4.6.1 Under 6 Del.C. §1205C(b)(5), an operator of a commercial site, service, or application is required to disclose how the site, service, or application responds to web browser “do not track” signals or other mechanisms that are intended to give users the ability to exercise choice regarding the collection of personally identifiable information about a user’s activities, through the use of persistent identifiers such as “cookies,” “pixel tags,” and “web beacons,” over time and across third-party sites, services, or applications. This applies to all persistent identifiers used on the operator’s site, service, or application, regardless of whether those persistent identifiers are placed on the site, service, or application by the operator or a third party such as an advertising service.

4.6.2 An operator shall be deemed to have made the disclosure required by 6 Del.C. §1205C(b)(5) when the operator provides the following disclosure in its privacy policy:

Certain web browsers may provide an option by which you may have the browser inform websites or internet services you visit that you do not wish to have personally identifiable information about your activities tracked by cookies or other persistent identifiers across time and across third-party Internet websites, online or cloud computing services, online applications, or mobile applications. These are commonly called “do not track” signals. Our [site/service/application] responds to such signals by [if the site, service, or application takes action in response to such signals, describe the action taken and explain the basis for it; if the site, service, or application is unable to take action, state so and explain why; if the site, service, or application is able to take action but does not take action, state so and explain why].

4.7 Disclosure of Third Party Collection of Personally Identifiable Information

4.7.1 Under 6 Del.C. §1205C(b)(6), an operator of a commercial site, service, or application is required to disclose in its privacy policy whether anyone other than the operator may collect personally identifiable information about a user’s online activities, over time and across different sites, services, and applications, when a user uses the operator’s site, service, or application.

4.7.2 An operator shall be deemed to have made the disclosure required by 6 Del.C. §1205C(b)(6) when the operator provides the following disclosure in its privacy policy:

We [do not allow/may allow] allow third parties to collect personally identifiable information about a user’s online activities, over time and across different sites, services, and applications, when that user uses our site, service, or application. [If “may allow,” the operator must describe the kinds of third parties who may be permitted to engage in such collection, the purpose for permitting such collection, and what those third parties may do with the information collected—such as, for example, collection of a user’s personally identifiable information by an advertising service for the purpose of directing targeted advertising to the user while using the operator’s or a third-party’s site, service, or application.]

5.0 Alternative Safe Harbor to Comply with the Content Requirements of 6 Del.C. §1205C(b)

An operator of a commercial site, service, or application shall be deemed to have made the disclosures required by 6 Del.C. §1205C(b) if the operator has a privacy policy that complies with the requirements of the California Online Privacy Protection Act (CalOPPA), Cal. Bus. & Prof. Code §§22575–22579.

20 DE Reg. 55 (07/01/16)

28 DE Reg. 280 (10/01/24) (Prop.)