CHAPTER 148

FORMERLY

SENATE SUBSTITUTE NO. 1 FOR

SENATE BILL NO. 68

AS AMENDED BY

SENATE AMENDMENT NOS. 1,2 & 3

AN ACT TO AMEND TITLE 6 OF THE DELAWARE CODE RELATING TO ONLINE PRIVACY AND PROTECTION.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF DELAWARE:

Section 1. Amend Title 6 of the Delaware Code by making deletions as shown by strike through and insertions as shown by underline as follows:

Chapter 12C. Online and Personal Privacy Protection.

§ 1201C. Short title.

This chapter shall be known and may be cited as the “Delaware Online Privacy and Protection Act.”

§ 1202C. Definitions.

For purposes of this chapter, the following definitions shall apply:

(1) “Advertising service” means a person who provides, creates, plans, or handles marketing or advertising for another person.

(2) “Book” means paginated or similarly organized content in digital, electronic, printed, audio, or other format, including fiction, nonfiction, academic, or other works of the type normally published in a volume or finite number of volumes, excluding serial publications such as a magazine or newspaper.

(3) “Book service” means a service by which an entity, as its primary purpose, provides individuals with the ability to rent, purchase, borrow, browse, or view books electronically or via the Internet.

(4) “Book service information” means all of the following:

a. Any information that identifies, relates to, describes, or is associated with a particular user.

b. A unique identifier or Internet Protocol address, when that identifier or address is used to identify, relate to, describe, or be associated with a particular user or book, in whole or in partial form.

c. Any information that relates to, or is capable of being associated with, a particular user’s access to or use of a book service or a book, in whole or in partial form.

(5) “Book service provider” means any commercial entity offering a book service to the public, except that a commercial entity that sells a variety of consumer products is not a book service provider if its book service sales do not exceed 2 percent of the entity’s total annual gross sales of consumer products sold in the United States.

(6) “Child” or “children” means one or more individuals who are under the age of 18 and residents of the State.

(7) “Conspicuously available” means, with respect to a privacy policy required by § 1205C of this chapter, to make the privacy policy available to an individual via the Internet by any of the following means:

a. A webpage on which the actual privacy policy is posted if the webpage is the homepage or first significant page after entering the website.

b. An icon that hyperlinks to a webpage on which the actual privacy policy is posted, if the icon is located on the homepage or the first significant page after entering the website, and if the icon contains the word “privacy.” The icon shall also use a color that contrasts with the background color of the webpage or is otherwise distinguishable.

c. A text link that hyperlinks to a webpage on which the actual privacy policy is posted, if the text link is located on the homepage or first significant page after entering the website, and if the text link includes the word “privacy,” is written in capital letters equal to or greater in size than the surrounding text, or is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.

d. Any other functional hyperlink that is so displayed that a reasonable individual would notice it.

e. With respect to an Internet website, online or cloud computing service, online application, or mobile application that is not a website, any other reasonably accessible and visible means of making the privacy policy available for users of the Internet website, online or cloud computing service, online application, or mobile application.

(8) “Content” means information of any kind, including but not limited to text, images, audio, and video.

(9) “Governmental entity” means any entity or instrumentality of the State, or any political subdivision of the State, including but not limited to a law enforcement entity or any agency, authority, board, bureau, commission, department, or division, or any individual acting or purporting to act on behalf of any such agency, authority, board, bureau, commission, department, or division.

(10) “Internet” means, collectively, the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected world-wide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire, radio, or other methods of transmission.

(11) “Internet website, online or cloud computing service, online application, or mobile application directed to children” means any Internet website, online or cloud computing service, online application, or mobile application that is targeted or intended to reach an audience that is composed predominantly of children. An Internet website, online or cloud computing service, online application, or mobile application shall not be deemed directed to children solely because it refers or links to another Internet website, online or cloud computing service, online application, or mobile application directed to children by using information location tools, including a directory, index, reference, pointer, or hypertext link.

(12) “Law enforcement entity” means any government agency or any subunit thereof which performs the administration of criminal justice pursuant to statute or executive order, and which allocates a substantial part of its annual budget to the administration of criminal justice, including but not limited to the Delaware State Police, all law-enforcement agencies and police departments of any political subdivision of this State, the Department of Correction, and the Department of Justice.

(13) “Market or advertise” or “marketing or advertising” means making a communication or arranging for a communication to be made, in exchange for compensation, about a product or service the primary purpose of which is to encourage recipients of the communication to purchase or use the product or service.

(14) “Operator” means a person who owns an Internet website, online or cloud computing service, online application, or mobile application. It does not include any third party that operates, hosts, or manages, but does not own, an Internet website, online or cloud computing service, online application, or mobile application on the owner's behalf or processes information on the owner's behalf.

(15) “Personally identifiable information” meansany personally identifiable information about a user of a commercial Internet website, online or cloud computing service, online application, or mobile application that is collected online by the operator of that commercial Internet website, online service, online application, or mobile application from that user and maintained by the operator in an accessible form, including a first and last name, a physical address, an e-mail address, a telephone number, a social security number, or any other identifier that permits the physical or online contacting of the user, and any other information concerning the user collected by the operator of the commercial Internet website, online service, online application, or mobile application from the user and maintained in personally identifiable form in combination with any identifier described in this paragraph.

(16) “Post” means to communicate, transmit, or otherwise make available to any other person via the Internet.

(17) “User” means, for purposes of § 1204C and § 1205C of this chapter, an individual that uses an Internet website, online or cloud computing service, online application, or mobile application or, for purposes of § 1206C of this chapter, an individual that uses a book service.

§ 1203C. Enforcement.

The Consumer Protection Unit of the Department of Justice has enforcement authority over this chapter and may investigate and prosecute violations of this chapter in accordance with the provisions of Subchapter II of Chapter 25 of Title 29 of the Delaware Code.

§ 1204C. Prohibitions on online marketing or advertising to a child.

(a) An operator of an Internet website, online or cloud computing service, online application, or mobile application directed to children may not market or advertise a product or service described in subsection (f) of this section on that Internet website, online or cloud computing service, online application, or mobile application.

(b) An operator of an Internet website, online or cloud computing service, online application, or mobile application who has actual knowledge that a child is using its Internet website, online or cloud computing service, online application, or mobile application, and which user is that child, may not market or advertise a product or service described in subsection (f) of this section to that child, if the marketing or advertising is directed to the child based uponinformation specific to that child, including the child's profile, activity, address, or location sufficient to establish contact with the child, and excluding Internet Protocol (IP) address and product identification numbers for the operation of a service. The operator shall be deemed to be in compliance with this subsection if the operator takes reasonable actions in good faith designed to avoid marketing or advertising a product or service described in subsection (f) of this section.

(c) An operator of an Internet website, online or cloud computing service, online application, or mobile application directed to children or an operator of an Internet website, online or cloud computing service, online application, or mobile application who has actual knowledge that a child is using its Internet website, online or cloud computing service, online application, or mobile application shall not knowingly use, disclose, or compile, or allow another person to use, disclose, or compile, the personal information of the child if that operator has actual knowledge that the child’s personally identifiable information will be used for the purpose of marketing or advertising to the child a product or service described in subsection (f) of this section.

(d) An operator of an Internet website, online or cloud computing service, online application, or mobile application directed to children, in which marketing or advertising is provided by an advertising service, need not comply with subsection (a) of this section with respect to such marketing or advertising and instead shall notify the advertising service, in a manner directed by the advertising service, that the Internet website, online or cloud computing service, online application, or mobile application is directed to children.

(e) An advertising service which provides marketing or advertising for an Internet website, online or cloud computing service, online application, or mobile application directed to children, and which has received the notice required by subsection (d) of this section, may not market or advertise on the Internet website, online or cloud computing service, online application, or mobile application a product or service described in subsection (f) of this section.

(f) The marketing or advertising prohibitions described in this section shall apply to the following products or services:

(1) Alcoholic liquor as defined in § 101 of Title 4.

(2) Tobacco products, smokeless tobacco products, or moist snuff as defined in § 5301 of Title 30.

(3) Tobacco substitutes as defined in § 1115 of Title 11.

(4) Firearm as defined in § 222 of Title 11, or ammunition for a firearm.

(5) Electronic control devices as defined in § 222 of Title 11.

(6) Fireworks as defined in § 6901 of Title 16.

(7) Tanning equipment or device or tanning facility as defined in § 3002D of Title 16.

(8) Dietary supplement products containing ephedrine group alkaloids.

(9) Lottery, Internet lottery, Internet table games, Internet ticket games, Internet video lottery, sports lottery, table game, video lottery, or video lottery facility as defined in § 4803 of Title 29.

(10) Salvia divinorum or Salvinorin A, or any substance or material containing Salvia divinorum or Salvinorin A as referenced in § 4714 of Title 16.

(11) Body-piercing as defined in § 1114 of Title 11.

(12) Branding as defined in § 1114 of Title 11.

(13) Tattoos as defined in § 1114 of Title 11.

(14) Drug paraphernalia as defined in § 4701 of Title 16.

(15) Tongue-splitting as defined in § 1114A of Title 11.

(16) Any material, including any book, article, magazine, publication, or written matter of any kind, drawing, etching, painting, photograph, video, film, motion picture, or sound recording, which predominately appeals to the prurient, shameful, or morbid interest of minors, is patently offensive to prevailing standards in the adult community as a whole with respect to what is suitable material for minors, and taken as a whole lacks serious literary, artistic, political, social, or scientific value for minors.

(g) This section shall not be construed to require an operator of an Internet website, online or cloud computing service, online application, or mobile application to collect age information about users.

(h) The marketing and advertising restrictions described in subsections (a) through (c) of this section shall not apply to the incidental placement of products or services embedded in content if the content is not distributed by or at the direction of the operator primarily for the purposes of marketing and advertising a product or service described in subsection (f) of this section.

§ 1205C. Posting of privacy policy by operators of commercial online sites and services.

(a) An operator of a commercial Internet website, online or cloud computing service, online application, or mobile application that collects personally identifiable information through the Internet about individual users residing in Delaware who use or visit the operator’s commercial Internet website, online or cloud computing service, online application, or mobile application shall make its privacy policy conspicuously available on its Internet website, online or cloud computing service, online application, or mobile application. An operator shall be in violation of this subsection only if the operator fails to make its privacy policy conspicuously available within 30 days after being notified of noncompliance.

(b) The privacy policy required by subsection (a) of this section shall do all of the following:

(1) Identify the categories of personally identifiable information that the operator collects through the Internet website, online or cloud computing service, online application, or mobile application about users of its commercial Internet website, online or cloud computing service, online application, or mobile application and the categories of third-party persons with whom the operator may share that personally identifiable information.

(2) If the operator maintains a process for a user of the Internet website, online or cloud computing service, online application, or mobile application to review and request changes to any of that user’s personally identifiable information that is collected through the Internet website, online or cloud computing service, online application, or mobile application, provide a description of that process.

(3) Describe the process by which the operator notifies users of its commercial Internet website, online or cloud computing service, online application, or mobile application of material changes to the operator's privacy policy for that Internet website, online or cloud computing service, online application, or mobile application.

(4) Identify the effective date of the privacy policy.

(5) Disclose how the operator responds to web browser “do not track” signals or other mechanisms that provide users the ability to exercise choice regarding the collection of personally identifiable information about a user’s online activities over time and across third-party Internet websites, online or cloud computing services, online applications, or mobile applications, if the operator engages in that collection.

(6) Disclose whether other parties may collect personally identifiable information about a user’s online activities over time and across different Internet websites, online or cloud computing services, online applications, or mobile applications when a user uses the operator's Internet website, online or cloud computing service, online application, or mobile application.

(7) An operator may satisfy the requirement of paragraph (5) by providing a clear and conspicuous hyperlink in the operator's privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the user that choice. (c) An operator of a commercial Internet website, online or cloud computing service, online application, or mobile application that collects personally identifiable information through the Internet website, online or cloud computing service, online application, or mobile application from users of its Internet website, online or cloud computing service, online application, or mobile application who reside in Delaware shall be in violation of this section if the operator fails to comply with the provisions of this section, rules and regulations promulgated pursuant to subsection (b) of this section, or with the provisions of the operator’s posted privacy policy either (i) knowingly and willfully or (ii) negligently and materially.

§ 1206C. Privacy of information regarding book service users.

(a) A book service provider shall not knowingly disclose to any government entity, or be compelled to disclose to any person, private entity, or government entity, any book service information about a user to any person, except under any of the following circumstances:

(1) A book service provider may disclose a user’s book service information to a law enforcement entity pursuant to any lawful method or process by which a law enforcement entity is permitted to obtain such information.

(2) A book service provider may disclose a user’s book service information to a governmental entity other than a law enforcement entity only pursuant to either (i) a court order issued by a duly authorized court with jurisdiction over a matter that is under investigation by the governmental entity or (ii) a court order in a pending action brought by or against the government entity, and in either situation only if all of the following conditions are met:

a. Prior to issuance of the court order, the governmental entity seeking disclosure gives timely, reasonable, written notice of the proceeding to the book service provider to allow the book service provider the opportunity to appear and contest the issuance of the court order.

b. The book service provider refrains from disclosing a user’s book service information pursuant to the court order until it gives timely, reasonable, written notice of the proceeding to the user about the issuance of the order and the ability to appear and quash the order, and the user has been given a minimum of 35 days prior to disclosure of the information within which to appear and quash the order.

(3) A book service provider may disclose a user’s book service information to any person who is not a governmental entity only pursuant to a court order in a pending action brought by or against the person, and only if all of the following conditions are met:

a. The court issuing the order finds that the person seeking disclosure has a compelling interest in obtaining the book service information sought.

b. The court issuing the order finds that the book service information sought cannot be obtained by the person seeking disclosure through less intrusive means.

c. Prior to issuance of the court order, the person seeking disclosure provides, in a timely manner, the book service provider with reasonable notice of the proceeding to allow the book service provider the opportunity to appear and contest the issuance of the court order.

d. The book service provider refrains from disclosing a user’s book service information pursuant to the court order until it provides, in a timely manner, notice to the user about the issuance of the order and the ability to appear and quash the order, and the user has been given a minimum of 35 days prior to disclosure of the information within which to appear and quash the order.

(4) A book service provider may disclose a user’s book service information to a person if the user has given informed, affirmative consent in writing to the specific disclosure to the specific person for a particular purpose.

(5) A book service provider may disclose a user’s book service information to a law enforcement entity if the law enforcement entity asserts, orally or in writing, that there is an imminent danger of death or serious physical injury requiring the immediate disclosure of the requested user’s book service information and there is insufficient time to obtain a court order. Where the user’s book service information was sought pursuant to this subsection by a law enforcement entity in a criminal matter, the relevant law enforcement entity shall apply for a search warrant within 48 hours. In the event such application for approval is denied or such an application is not made, the contents search shall be treated as having been obtained in violation of this subchapter. Where the law enforcement entity provided the book service provider only with an oral assertion, the law enforcement entity seeking the disclosure shall provide the book service provider with a written statement setting forth the facts giving rise to the imminent danger of death or serious physical injury no later than 48 hours after seeking disclosure.

(6) A book service provider may disclose a user’s book service information to a law enforcement entity if the book service provider in good faith believes that the book service information is evidence directly related and relevant to a crime against the book service provider or that user.

(b) A court issuing an order requiring the disclosure of a user’s book service information may, in its discretion:

(1) Impose appropriate safeguards against the unauthorized disclosure of book service information by the book service provider and by the person seeking disclosure pursuant to the order.

(2) Modify or rescind a court order in a civil proceeding requiring the disclosure of a user’s book service information upon a motion made by the user, the book service provider, or the person seeking disclosure.

(c) A book service provider, upon the written request of a law enforcement entity, shall take all necessary steps to preserve records and other evidence in the book service provider’s possession of a user’s book service information related to the use of a book or part of a book, pending receipt of a request or demand for such information pursuant to subsection (a) of this section. The book service provider shall retain the records and evidence for a period of 90 days from the date of the request by the law enforcement entity, which shall be extended for an additional 90-day period upon a renewed written request by the law enforcement entity.

(d) Violations.

(1) Reasonable reliance by a book service provider on a warrant or court order for the disclosure of a user’s book service information, or on any of the enumerated exceptions to the confidentiality of a user’s book service information set forth in this section, is a complete defense to any action for a violation of this section.

(2) Except in an action for a violation of this section, no evidence obtained in violation of this section shall be admissible in any civil or administrative proceeding.

(e) Reporting requirements.

(1) Unless disclosure of information pertaining to a particular request or set of requests is specifically prohibited by law, a book service provider shall prepare a report including all of the following information, to the extent it can be reasonably determined:

a. The number of federal and state warrants, federal and state grand jury subpoenas, federal and state civil and administrative subpoenas, and federal and state civil and criminal court orders, seeking disclosure of any book service information of a user related to the access or use of a book service or book, received by the book service provider from January 1 to December 31, inclusive, of the previous year.

b. The number of requests for information made with the informed consent of the user as described in paragraph (4) of subsection (a) of this section, seeking disclosure of any book service information of a user related to the access or use of a book service or book, received by the book service provider from January 1 to December 31, inclusive, of the previous year.

c. The number of disclosures made by the book service provider pursuant to paragraphs (5) and (6) of subsection (a) of this section from January 1 to December 31, inclusive, of the previous year.

d. For each category of demand or disclosure, the book service provider shall include all of the following information:

1. The number of times notice of a court order in a criminal, civil, or administrative action has been provided by the book service provider and the date the notice was provided.

2. The number of times book service information has been disclosed by the book service provider.

3. The number of times no book service information has been disclosed by the book service provider.

4. The number of times the book service provider contested the demand.

5. The number of times the user contested the demand.

6. The number of users whose book service information was disclosed by the book service provider.

7. The type of book service information that was disclosed and the number of times that type of book service information was disclosed.

(2) Notwithstanding paragraph (1) of this subsection, a book service provider is not required to prepare a report pursuant to this section unless it has disclosed book service information related to the access or use of a book service or book of more than 30 total users consisting of users located in this State or users whose location is unknown and cannot be determined or of both types of users.

(3) The reporting requirements of this subsection shall not apply to information disclosed to a governmental entity that is made by a book service provider serving a postsecondary educational institution when the book service provider is required to disclose the information in order to be reimbursed for the sale or rental of a book that was purchased or rented by a student using book vouchers or other financial aid subsidies for books.

(4) A report prepared pursuant to this subsection shall be made publicly available in an online, searchable format on the book service provider’s website or before March 31 of each year. If the book service provider does not have a website, the book service provider shall post the report prominently on its premises or send the report in both paper and electronic format to the Consumer Protection Unit of the Department of Justice on or before March 31 of each year.

(5) On or before March 1 of each year, a book service provider subject to § 1205C of this chapter shall complete one of the following actions:

a. Create a prominent hyperlink to its latest report prepared pursuant to paragraph (1) of this subsection in the disclosure section of its privacy policy applicable to its book service.

b. Post the report prepared pursuant to paragraph (1) of this subsection of its website explaining the way in which a user’s book service information and privacy issues related to its book service are addressed.

c. State on its website in one of the areas described in paragraphs a. and b. of this paragraph (e)(5) that no report prepared pursuant to this subsection is available because the book service provider is exempt from the reporting requirement pursuant to paragraph (2) of this subsection.

(f) Nothing in this section shall otherwise affect the rights of any person under the Delaware Constitution of 1897 or be construed as conflicting with the federal Privacy Protection Act of 1980 (42 U.S.C. § 2000aa et seq.).

Section 2. This Act becomes effective January 1 following its enactment into law.

Section 3. If any provision of this Act or the application thereof to any person or circumstances is held invalid, the invalidity does not affect any other provision or application of the Act which can be given effect without the invalid provision or application; and, to that end, the provisions of this Act are declared to be severable.

Approved August 07, 2015