Delaware Online Privacy and Protection Act (DOPPA)

With the increasing number of digital platforms and the vast amount of data being collected, it’s no wonder that regulatory bodies are stepping in to set guidelines for how businesses should manage user data. Among the notable pieces of legislation in the U.S. is the Delaware Online Privacy and Protection Act.

In essence, this Personal Data Privacy Act sets the standard for how companies operating in Delaware handle and protect the personal data of their users, particularly minors.

Whether you’re launching a new website, app, or online service, it’s essential to be aware of these regulations. Not only can they impact your operations, but they can also affect your relationship with your users. By understanding this privacy legislation, you’ll be taking a proactive step toward building trust and maintaining a transparent digital environment.

KEY TAKEAWAYS:
  • The Delaware Online Privacy and Protection Act sets guidelines for how companies in Delaware handle and protect user data, particularly minors, emphasizing responsibility, transparency, and respect for personal data.
  • DOPPA requires operators of websites and online services, especially those directed at minors, to make their privacy policies easily accessible and transparent, and places limitations on marketing certain products to children.
  • Compliance with DOPPA requires businesses to conduct data protection assessments, maintain transparent privacy policies, implement consent mechanisms, minimize data collection, and establish data breach protocols to avoid penalties and potential legal ramifications.

What Is the Delaware Online Privacy and Protection Act (DOPPA)?

The Delaware Online Privacy and Protection Act (DOPPA) is a piece of legislation designed to protect the privacy of internet users in Delaware. At its core, DOPPA is about responsibility, transparency, and respect for personal data in the digital age.

This Delaware law has been in effect since January 1, 2016. Just like other state privacy laws, it mandates that operators of websites and online services, especially those directed at minors, make their privacy policies easily accessible and transparent.

This means that if you collect information from users, they should clearly understand what’s being gathered, how it’s used, and with whom it’s shared.

Additionally, it pays special attention to the online privacy protection of minors. The legislation places limitations on the marketing of certain products to children and offers guidelines for collecting data from them. It’s not just about following rules but also ensuring the digital safety of our younger users.

Moreover, it emphasizes the importance of securing personal data. I cannot stress enough how vital it is to implement robust security measures. Data breaches not only jeopardize your reputation but can also lead to legal consequences.

The repercussions for non-compliance with DOPPA are no joke either. If you operate in Delaware or serve its residents remotely, don’t take chances: make sure your website complies well ahead of time.

PRO TIP: A thorough Data Protection Assessment will help ensure compliance with all aspects of DOPPA and avoid possible fines.

What Are the General Definitions of DOPPA?

To fully comprehend DOPPA, it’s essential to first get acquainted with its key terms. Let’s see what these definitions are below.

  • Personal Information: Think about addresses, phone numbers, email addresses, social security numbers, and even digital footprints like IP addresses. Online businesses routinely gather this type of information to offer a more personalized experience to users. But with DOPPA in play, how they manage, store, and protect this data becomes even more critical.
  • Third Parties: Picture any entity, organization, or individual that isn’t part of the primary business but still plays a role in controlling or processing the personal data of its users. This could be partners, affiliates, vendors, or subcontractors. For instance, if an online store uses a separate payment processing company to handle transactions, that processor would be considered a third party.
  • Data Protection Assessment: This is a thorough review process that businesses undergo to ensure they’re not just meeting but exceeding DOPPA’s stipulations. The assessment looks at various factors, from how personal data is gathered and stored to how it’s protected against potential breaches.
  • Sensitive Data: The definition of sensitive data involves particulars that, if disclosed, could pose higher risks to an individual’s privacy or well-being. It often includes financial information, health records, biometric data, or details regarding one’s racial or ethnic origin, political affiliations, and religious beliefs. Businesses need to exercise an extra layer of caution when handling such details, ensuring they meet the stringent requirements set by DOPPA.
  • Minors: DOPPA places a special emphasis on “minors,” who are defined as individuals under the age of 18. Since the act pays particular attention to the online safety and protection of minors, being clear about who falls into this category is essential.
  • Compliance: Compliance isn’t just about following rules; it’s about embodying them. It means that businesses must adapt their practices, processes, and protocols to align seamlessly with the standards set out in the act. It’s an ongoing commitment, not a one-time checkbox.
  • Consumer Rights: This refers to the privileges and protections granted to users or consumers under DOPPA. It emphasizes the power individuals have concerning their personal data, from understanding how it’s used to having a say in its management.
  • Data Processing Activities: A broad term that means any action or set of actions performed on personal data. This can range from collecting, storing, and modifying to transmitting, disseminating, and even erasing data. Every activity must adhere to the guidelines of Delaware to ensure the continued protection of user information.
  • Law Enforcement Agency: These are governmental bodies or organizations authorized to enforce the law and ensure justice. They might step in if there are suspicions or proven instances of non-compliance or data breaches.

With these definitions, ensuring compliance and protecting your online operations in Delaware becomes a more straightforward task, so keep these terms in mind.

Who Does DOPPA Apply to?

First off, if you operate a website, online service, or application that gathers personal data from its users and you conduct business in Delaware, the regulations are relevant to you. It doesn’t necessarily matter where your company is headquartered; what’s significant is whether you cater to users in Delaware.

A significant focus of this privacy protection is on minors. So, if your platform is primarily designed for or tends to attract individuals under the age of 18, you need to be particularly attentive. While many regulations touch upon data privacy, DOPPA is notably rigorous when it comes to the safety and protection of younger users.

Don’t make the mistake of thinking that because your website or service doesn’t explicitly target minors, you’re exempt. If minors can access your platform and you collect personally identifiable information from them, parts of DOPPA will apply to your operations.

What Are the Data Subject Rights Under DOPPA?

Understanding these rights is essential for businesses to ensure transparency, maintain trust, and uphold compliance. Here’s a deeper dive into these data subject rights:

Right to Access

The “Right to Access” is a cornerstone of modern data privacy, reflecting the increasing emphasis on user empowerment and transparency. Under this provision, consumers are granted the ability to reach out and request specifics about the data held by businesses. It’s not just a surface-level inquiry; this right extends to the depths of the data reservoir.

When users exercise this right, they aren’t merely asking for a general overview. They’re seeking a comprehensive breakdown. From the obvious data points like their names and email addresses to the more intricate and subtle pieces of information gathered during their online journeys, everything is under scrutiny. This could span browsing habits, preferences, feedback, and more.

PRO TIP: It’s a good practice to maintain organized and updated records, so you can promptly address these requests or have them available in case of an audit.

Right to Opt-out

Consumers are becoming more protective of their personal information. They’re keenly aware of how their data is processed, and they’re demanding more control over its distribution. DOPPA has responded to this demand through the “Right to Opt-out.”

When we talk about the “Right to Opt-out,” we’re speaking directly to a user’s ability to dictate the boundaries of their data sharing. This isn’t a mere formality; it’s a fundamental right.

This matters especially in the world of targeted advertising, a space where personal data becomes the bedrock of tailored ad campaigns. It’s not enough just to inform users; businesses are required to give them an avenue, a clear pathway, to say “no”.

Whether it’s a simple button on a website or a dedicated section in a mobile app, users should find it straightforward to prevent the sale of personal data or sharing with certain categories of third parties.

WARNING: Not providing clear avenues for consumers to opt-out can lead to non-compliance and potential legal ramifications.

Right to Correct

The digital landscape we navigate today thrives on data, and the accuracy of this data can significantly impact decisions, experiences, and interactions. DOPPA, with a keen understanding of the modern world’s nuances, introduces the “Right to Correct” to address these very concerns.

The “Right to Correct” isn’t just about rectifying an old phone number or updating an address. It includes the broader principle that individuals have a say in their digital representation. Should they find any discrepancies, be it something as minor as a misspelled name or more substantial inaccuracies, they can actively reach out to businesses and prompt corrections.

For businesses, this translates to an essential responsibility. It’s not merely about collecting and storing data; it’s about ensuring that the data is both current and accurate.

Under DOPPA, providing avenues for users to submit corrections and acting on those corrections promptly is not just a best practice — it’s a mandate.

Right to Erasure (or “Right to be Forgotten”)

DOPPA acknowledges the significance of users’ digital footprints and introduces the “Right to Erasure,” widely referred to as the “Right to be Forgotten.”

What does this mean for the everyday user? It’s simple. They hold the reins over the longevity of their data’s presence in a business’s systems. If they decide that they no longer want their personal details to reside with a company, they can act on it.

By invoking this right, consumers can direct a business to not just archive, but permanently delete their personal information from databases, storage systems, and even backups.

How Can Businesses Comply With DOPPA?

Compliance with the DOPPA might initially seem overwhelming. But with a structured approach, you can ensure your business stands on solid ground. Let’s break down the steps you, as a business owner, need to consider:

  • Data Protection Assessment: Begin by conducting regular assessments to monitor and ensure the secure processing of personal data. This not only ensures compliance but also helps identify vulnerabilities.
  • Transparent Privacy Policies: A well-drafted and transparent privacy policy is the backbone of any online business. Ensure your policy is not only compliant with DOPPA but is also conspicuous, user-friendly, and easily accessible.
  • Consent Mechanisms: With the evolution of privacy laws, the emphasis on user consent has grown exponentially. Implement robust tools or mechanisms that facilitate consumers in giving, altering, or withdrawing their consent. This is especially important when their data is shared with other entities for purposes such as targeted advertising.
  • Data Minimization: Collect only the information that’s absolutely necessary. If you don’t need it, don’t ask for it. This reduces the risk associated with data breaches and makes managing data more straightforward.
  • Regular Training: Ensure that your team, especially those handling consumer data, undergo regular training sessions to stay updated with DOPPA’s requirements. An informed team can significantly reduce the risk of non-compliance.
  • Children’s Data Protection: DOPPA has special provisions for children’s data. Implement age verification measures and have mechanisms in place to secure parental or guardian consent for users below 14.
  • Data Breach Protocols: Establish clear procedures for detecting, reporting, and investigating a personal data breach. Quick response mechanisms can mitigate potential damage and ensure you’re complying with the need to report breaches under DOPPA.
  • Third-party Vetting: If you’re collaborating with third parties, vet them diligently. Ensure they too adhere to DOPPA regulations, as you could be held responsible for their actions concerning shared data.
  • Public Awareness: Consider making users aware of their rights under DOPPA, either through dedicated web pages, email campaigns, or notifications. An informed user base can lead to fewer disputes and an enhanced reputation for the business.
  • Review and Update: Privacy laws and technologies are constantly evolving. Make it a habit to periodically review and update your data handling and protection practices to stay in line with current requirements and best practices.

For you, ensuring DOPPA compliance isn’t just about avoiding penalties; it’s about creating a relationship of trust with your consumers, and enhancing your brand’s reputation in the digital marketplace.

PRO TIP: Use plain language in your privacy policies. Legal jargon can be off-putting and might even deter users from fully understanding their rights. It’s in your best interest for your users to understand and feel comfortable with how you handle their data.

Who Enforces DOPPA?

DOPPA is enforced by the Delaware Department of Justice, which is tasked with monitoring businesses and ensuring that they adhere to the regulations set forth by this privacy act. If a company is found to be in violation, the Department of Justice has the authority to take action and prosecute violations of the law, which can range from issuing warnings to pursuing legal remedies.

It’s essential for you to be aware of this oversight. The Department of Justice doesn’t just react to complaints; they proactively work to ensure businesses are maintaining the highest standards of data privacy and protection.

I recommend regularly reviewing your practices and seeking guidance when needed, making consumer data privacy a top priority.

PRO TIP: Periodic reviews of guidelines and resources from the Delaware DOJ can help you stay ahead of any changes and ensure continued compliance with DOPPA. Remember, being proactive is always better than being reactive when it comes to legal matters.

What Are the Penalties for Violating DOPPA?

Violating DOPPA’s provisions doesn’t just tarnish a company’s reputation but can also lead to substantial financial consequences. Businesses found in violation of DOPPA can be slapped with significant fines.

The state Attorney General has the power to prosecute violations with penalties of up to $2,500 per incident. That could add up quickly if you have countless users!

While these fines are intended to deter non-compliance, their exact amount often varies based on several factors. Here’s an overview:

  • First-time Violation: Even if it’s your first unintentional slip, DOPPA takes every breach seriously. Such a violation could stem from an oversight or a misunderstanding of the requirements. Up to $1,000 fine.
  • Subsequent Violations: If a business doesn’t take the first penalty as a wake-up call and continues to violate DOPPA, the consequences become sterner. These can arise from repetitive non-compliant activities or even from not rectifying the initial breach. Up to $2,500 fine.
  • Willful Neglect: This category includes businesses that are fully aware of DOPPA but choose to ignore it, displaying a blatant disregard for the law. Such deliberate non-compliance suggests a conscious decision to risk users’ data privacy rights. Civil penalties up to 1% of their gross revenue from the previous year.

The nature of the violation – whether it was a one-off oversight or a repeated breach, the amount of data compromised, and the duration of non-compliance – all play a role in determining the fine’s magnitude. Moreover, larger corporations, especially those with substantial gross revenues, are likely to face heftier penalties than smaller entities.

Additionally, beyond just monetary fines, companies might also face legal actions or lawsuits from affected consumers, adding to the financial and reputational costs.

PRO TIP: Take time to review and update your company’s privacy policy at least once a year or as often as needed – especially if your processing activities change or expand over time.

How Does DOPPA Compare to Other Data Privacy Laws?

DOPPA, at its core, is focused on safeguarding the online privacy of Delaware residents. While its foundational principles might echo the sentiments of other laws, there are distinctions that set it apart.

For instance, California’s CCPA and Europe’s GDPR have made waves in the data privacy world. Like DOPPA, both prioritize consumer rights to access, correct and delete personal data. However, while GDPR has a broader scope, addressing the data rights of EU citizens globally, DOPPA primarily focuses on those residing in Delaware.

Furthermore, the mechanisms for enforcement and penalties differ across these laws. GDPR, for instance, is notorious for its hefty fines, which can amount to millions or even a significant percentage of a company’s global annual revenue. DOPPA, while strict, usually has more localized implications.

But there’s one thing all these laws share: the emphasis on transparency, user control, and the ethical handling of personal information.

As you adapt to DOPPA’s requirements, remember that the underlying theme of all these regulations is to build a more secure and trustworthy digital ecosystem. By aligning with this goal, you’ll be complying with the law and building trust with your audience.

Frequently Asked Questions

What is the Delaware Online Privacy and Protection Act (DOPPA)?

DOPPA is legislation designed to protect the privacy of internet users in Delaware, emphasizing responsibility, transparency, and respect for personal data.

Who does DOPPA apply to?

DOPPA applies to websites, online services, or applications that collect personal data from users and conduct business in Delaware, especially those that target or attract minors.

How can businesses comply with DOPPA?

Businesses can comply with DOPPA by conducting data protection assessments, ensuring transparent privacy policies, implementing consent mechanisms, practicing data minimization, and regularly training their team, among other steps.

Who enforces DOPPA?

DOPPA is enforced by the Delaware Department of Justice, which monitors businesses and takes action against violations, ranging from warnings to legal remedies.

What are the penalties for violating DOPPA?

Violating DOPPA can result in fines, with penalties of up to $2,500 per incident. The exact amount varies based on factors like the nature of the violation and the amount of data compromised.

Gabriela Dascalescu
CS50L, FIP, CIPP/E, CIPM, CIPT
Gabriela is a privacy expert and data protection officer who focuses on translating legalese. She is dedicated to staying updated on tech and digital law developments to help clients get compliant with privacy regulations and legal tech requirements. She provides clear and concise legal advice, considering business objectives and interdisciplinary expertise. She integrates knowledge from various legal fields to offer comprehensive solutions in today's interconnected world.