The Delaware Online Privacy and Protection Act (DOPPA) has been in effect since January 1, 2016. This is the second state law regarding online privacy, which appears to suggest a trend where other U.S. states will pass their own privacy acts and regulations.
It is similar to the California Online Privacy Protection Act (CalOPPA) but not identical. Although, if you already comply with CalOPPA, it is likely that you'll by default comply with most DOPPA requirements, too.
Here is a review of this law and recommended steps to assure compliance.
- 1. What is DOPPA?
- 2. Differences from CalOPPA
- 3. Complying with DOPPA
- 3.1. Review your Privacy Policy
- 3.1.1. Categories of information
- 3.1.2. Process for users to request changes to information
- 3.1.3. Notification of changes to Privacy Policy
- 3.1.4. Effective date of Privacy Policy
- 3.1.5. Handling of "Do Not Track" signals
- 3.1.6. Third parties
- 3.2. Make it conspicuous
- 3.2.1. Link on homepage
- 3.2.2. Icons containing the word "privacy"
- 3.2.3. Clear text links
- 3.2.4. Offer a link at sign-up
- 3.3. Be careful with children's information
- 3.4. Protect book service data
What is DOPPA?
DOPPA covers more subject matter than other privacy laws. Its main tenants include:
- Website operators who collect personally identifiable information from Delaware residents,
- Limiting the online marketing of certain products to children, and
- Protecting the identity of users who access electronic books
The act adopts the standard definition of personally identifiable information (PII) meaning any data that can reveal the identity of a user. This includes full names, email addresses, telephone numbers, social security numbers, and physical contact information, like street addresses.
Any website operator who collects PII must conspicuously post a Privacy Policy that:
- Identifies the information collected,
- Offers users an opportunity to review and change data,
- Describes the notification process for changes in the Privacy Policy,
- Identifies third parties to the information, and
- Includes an effective date
Clear text hyperlinks and logos satisfy the requirement for being conspicuous.
If a website or app collects PII from children, it must already comply with Children's Online Privacy Protection Act (COPPA). With the addition of the Delaware law, your website or app must also avoid using the PII to market alcohol, tobacco products, fireworks, tattoos, body piercing services, and dietary supplements to children.
If you focus primarily on adult products such as those listed above, it is a good idea to review the complete list under Section 1204C of DOPPA.
Finally, DOPPA addresses user protection for book services, meaning websites or apps that distribute electronic books.
If a private or government entity requests information on a user's reading habits, you can only disclose that under limited circumstances. There are timeframes for objecting to a subpoena in case there is no compelling reason. The only time you must disclose without question is if a law enforcement agency issues a search warrant.
If you violate the act, you have 30 days to fix your shortcomings. Failure to follow through with an attorney general's request results in further penalties, including fines. While the act does not directly authorize civil liability against you it does not prohibit it either. That makes lawsuits a possibility if you mishandle a user's PII.
Differences from CalOPPA
Due to their similar names and overlapping subject matter, it is only natural that DOPPA is compared with its California counterpart. Being a newer law, it approaches privacy slightly differently.
The three primary differences between the laws include:
- Protected persons: CalOPPA is specific to "consumers" meaning anyone who seeks to purchase goods or services or apply for credit online. DOPPA protects "users" which is anyone who uses a website or app--even if they are merely playing a game or performing research without making a purchase.
- Covered services: Since it passed before mobile apps were wildly popular, CalOPPA is limited to commercial websites and apps. DOPPA covers websites, cloud computer services, online apps, and mobile apps.
- Definite of "operators": CalOPPA applies to any person or entity who runs a website or online service that collects PII. DOPPA examples its definition of "operators" to include entities and individuals who run websites, but also cloud services, online apps, and mobile apps.
You can almost consider DOPPA an updated version of CalOPPA. Since its definitions are more broad, you can likely comply with DOPPA by expanding on your CalOPPA compliance practices.
Complying with DOPPA
If you operate in the U.S., it is impossible to avoid interacting with Delaware residents. For that reason, err on the side of DOPPA compliance.
While many developers post separate CalOPPA provisions in their Privacy Policies, the same practice has not extended to DOPPA - at least not yet. Even if you do not post separate provisions for either law, your general practices can still comply with both.
Review your Privacy Policy
DOPPA compliance starts with a solid review of your Privacy Policy. The following sections are required in your Privacy Policy:
Categories of information
Most Privacy Policies start with the categories of PII collected from users. If you skipped this section or hid it in the middle of your agreement, consider moving it to the top.
U-Haul provides a good example of a clear information categories section. Notice the use of bullets for readability:
If your section is nonexistent or tends to run the categories of information together in one paragraph, consider editing it to produce a list so users can see this better.
Process for users to request changes to information
Providing an email address, telephone number or account login process for changing data is essential to DOPPA and CalOPPA. This does not have to complex provision but it must be complete.
ABC Financial invites corrections and provides a telephone number:
If you decide to process information change requests yourself, keep it accessible. Do not direct users to a telephone number that is never answered or a mostly-ignored email box.
You want to address these change requests not only for legal compliance but to keep your users happy.
Notification of changes to Privacy Policy
Unlike CalOPPA, DOPPA requires that your Privacy Policy includes a description of how you will notify users of changes.
Make this provision detailed. If you send emails, post banner ads or use pop-up windows, describe them all in a section about changes to the Privacy Policy. This is usually included with the provisions indicating you have a right to make changes.
Here is an example from the Niantic Privacy Policy:
This is easy to overlook because emails or notices at the time of changes is usually sufficient. However, now is the time to make the extra effort to describe that process in your Privacy Policy.
Effective date of Privacy Policy
This is an easy change to make to your Privacy Policy. If you do not already have the date of your last revision included within your Privacy Policy, add it now.
Pandora places this date at the beginning of its Privacy Policy:
There are no requirements to where you place this date. You can put it at the end of your policy if you prefer. However, rather than use "last revised" consider presenting the date as "effective as of" to stay consistent with the language in DOPPA.
Handling of "Do Not Track" signals
This provision will be similar to the CalOPPA notices in some Privacy Policies. Since many operators do not want the extra work of consistently reviewing "Do Not Track" requests, this notice often states that specifically.
Pandora takes that approach in its CalOPPA provisions. This would also work for DOPPA:
Like CalOPPA, DOPPA only requires honesty. If you do not plan to change your practices, indicate that to your users in the Privacy Policy.
Third parties
Third party disclosure must also be addressed. This includes who may receive data, which U-Haul addresses in a well-presented list:
If third parties use their own tracking software and cookies to customize advertising, that must also be disclosed.
Pandora's provision addresses these third party advertisers:
Once again, transparency is key. When third parties use their own cookies to collect data, keep that description broad, as with "advertisers." This way, if an unknown element collects data, you are less likely to face liability since you gave a broad warning to your users in the Privacy Policy.
Make it conspicuous
There are four ways to assure your Privacy Policy meets the conspicuous location requirements. They all focus on making links to this agreement as clear as possible through placement.
Link on homepage
Links in footers are familiar to users and meet the requirements under DOPPA. U-Haul offers an example here:
As an alternative, you can also offer a link in the sidebar of your homepage. The only requirement is that any user visiting your homepage can find the link to your Privacy Policy.
Icons containing the word "privacy"
If you decide to use an icon to the Privacy Policy rather than a link on a homepage or other part of your website, it must contain the word "privacy" and not be obscured with flashing effects, dark text against a dark background or other camouflaging web design.
This announcement of a previous Microsoft update contains two effective logos--one with the lock and the purple button with white text. Both include the word "privacy":
If your website or app tends to be more graphically focused, this an effective approach that also meets the requirements under DOPPA.
Clear text links
If you prefer text, make the Privacy Policy visible on all pages. You can do this anywhere: footers, headers, and sidebars. The only requirement is that you use a readable, screen-friendly text that stands out against the background.
Basically, if your website has a black background, do not make your text links dark blue so users cannot easily find them.
Offer a link at sign-up
This is not a requirement, but it is a good practice. Offering a link to your Privacy Policy at login or sign-up assures acceptance of its terms.
You can have the most clear Privacy Policy in your market but it does not help you if users do not accept it. Reminding them that using your services constitutes acceptance works, but affirmative consent works better in today's privacy-savvy marketplace.
The New Statesman Tech offers an excellent example of this approach:
This is a good idea if you handle large amounts of PII. It allows users to make an informed decision and helps you meet the conspicuous placement requirements better.
Be careful with children's information
As mentioned, DOPPA restricts using children's PII to market certain products to them. This is different subject matter than with the Children's Online Privacy Protection Act and expands on your responsibilities already implemented in that law.
If you sell items like firearms, fireworks, alcohol, piercing services or other restricted goods and services, your best approach is to restrict your website to users over 18. This reduces the chances of children accessing your site or app and gives you reasonable grounds to believe children are not among your users.
To violate this section, you have to be aware of children using your site, so those who sneak past your restriction methods will not expose you to liability.
If your website or app is designed primarily to children, take action to assure that third party advertisers do not post ads leading to restricting services products and services.
Protect book service data
If you distribute electronic books, understand that you only need to release user data under very limited circumstances. In fact, you are not allowed to release this data except when it is reasonable.
A discovery request, criminal summons or other formal request is usually appropriate. Before releasing this information, you must give the user 35 days advance notice. If the user objects or you find the order particularly uncompelling, you can object. The liability is on you if you disclose book service information inappropriately, so you will need a review and disclosure process to handle these requests in case you receive one.
However, if a law enforcement agency requests the information because there is an imminent threat or danger, you must comply in a timely manner. If you receive this request verbally or it appears inappropriate, you may request a search warrant which must be provided within 48 hours. Once that appears, comply immediately.
If you comply with CalOPPA, it is likely you comply with most provisions under DOPPA. Just as if any other new law passes, this makes now a good time to review your Privacy Policy and practices. A few minor adjustments assures better compliance as more states implement their own online privacy protection laws. This helps you continue operating your website/app in a proactive manner and avoid penalties.
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.