(a) An operator of a commercial internet website, online or cloud computing service, online application, or mobile application that collects personally identifiable information through the Internet about individual users residing in Delaware who use or visit the operator’s commercial internet website, online or cloud computing service, online application, or mobile application shall make its privacy policy conspicuously available on its internet website, online or cloud computing service, online application, or mobile application. An operator shall be in violation of this subsection only if the operator fails to make its privacy policy conspicuously available within 30 days after being notified of noncompliance.

(b) The privacy policy required by subsection (a) of this section shall do all of the following:

(1) Identify the categories of personally identifiable information that the operator collects through the internet website, online or cloud computing service, online application, or mobile application about users of its commercial internet website, online or cloud computing service, online application, or mobile application and the categories of third-party persons with whom the operator may share that personally identifiable information.

(2) If the operator maintains a process for a user of the internet website, online or cloud computing service, online application, or mobile application to review and request changes to any of that user’s personally identifiable information that is collected through the internet website, online or cloud computing service, online application, or mobile application, provide a description of that process.

(3) Describe the process by which the operator notifies users of its commercial internet website, online or cloud computing service, online application, or mobile application of material changes to the operator’s privacy policy for that internet website, online or cloud computing service, online application, or mobile application.

(4) Identify the effective date of the privacy policy.

(5) Disclose how the operator responds to web browser “do not track” signals or other mechanisms that provide users the ability to exercise choice regarding the collection of personally identifiable information about a user’s online activities over time and across third-party internet websites, online or cloud computing services, online applications, or mobile applications, if the operator engages in that collection.

(6) Disclose whether other parties may collect personally identifiable information about a user’s online activities over time and across different internet websites, online or cloud computing services, online applications, or mobile applications when a user uses the operator’s internet website, online or cloud computing service, online application, or mobile application.

(7) An operator may satisfy the requirement of paragraph (b)(5) of this section by providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the user that choice.

(c) An operator of a commercial internet website, online or cloud computing service, online application, or mobile application that collects personally identifiable information through the internet website, online or cloud computing service, online application, or mobile application from users of its internet website, online or cloud computing service, online application, or mobile application who reside in Delaware shall be in violation of this section if the operator fails to comply with the provisions of this section, rules and regulations promulgated pursuant to subsection (b) of this section, or with the provisions of the operator’s posted privacy policy either (i) knowingly and wilfully or (ii) negligently and materially.

80 Del. Laws, c. 148, § 1;