DOVER — A bill that would create a framework for consumer data protections has been making its way through the General Assembly, with the goal of increasing transparency on how businesses use the data.
House Bill 154, known as the Delaware Personal Data Privacy Act, would give consumers the right to view their personal data and know who is collecting it — as well as the chance to opt out of data collection for targeted ads. In addition, the bill would also give people the right to request its deletion or make changes.
“Right now, Delawareans have very little power on how to protect their personal information in today’s economy,” said Rep. Krista Griffith (D-Fairfax), the bill’s primary sponsor. “Businesses and tech companies operate with virtually no limitation on how to process that data, so consumers are really decades behind where they need to be in terms of having basic rights over their own personal information. This bill would help get those rights back.”
HB 154 passed 33-5 on Thursday afternoon, with Rep. Mike Ramone (R-Pike Creek) not voting. Republican Reps. Richard Collins, Jeff Hilovsky, Charles Postles, Bryan Shupe and House Minority Whip Lyndon Yearick voted against it. Two representatives were absent.
The bill is set to receive funding in the Fiscal Year 2024 budget, with a cost estimate of $280,454 for four new full-time employees to enforce it.
Consumers would also have the right to receive a copy of the data a company has collected in a portable and easy-to-use format, unless it reveals company secrets. The Department of Justice would also conduct public outreach six months before the bill becomes law, at an estimated one-time cost of $45,000.
Griffith and other sponsors modeled this legislation, filed in May, on what exists in other states, like Connecticut and Colorado, that went into effect in recent years. The proposed Personal Data Privacy Act would apply to businesses that process or control the data of no less than 35,000 consumers.
Companies that control and process 10,000 or less and derive more than 20% of gross revenue from selling that data would also be forced to comply. That clause mirrors similar states like Virginia law (50% of gross revenue) and Connecticut (25%).
It also answers outcry from businesses and restaurants throughout the state, which worried about a similar bill proposed last year that impacted those collecting data for email offers, newsletters and advertisements.
“My goal with this bill is to empower our consumers in a way that doesn’t cause our small businesses to be impacted negatively or getting in the way of services and industries that have protections,” Griffith said. “You do see some entities … like big tech that want to make money off our information that don’t want these bills. Will they ever be happy with this legislation? I don’t think so.”
TechNet, a trade association for technology companies, has already made their concerns clear. A TechNet representative testified before the House Technology & Telecommunications Committee, and asked to raise the thresholds for compliance, including a minimum of 50% of data revenue.
Last year, Griffith proposed HB 262 that would have required the state Department of Justice to create a registry of data brokers, or businesses that collect or maintain data from at least 500 or more consumers or those who sell or license information to businesses. That registry would have included companies’ privacy policies, opt-out information and more that Delawareans could search on their own.
After much debate, that bill from last year was revised so that financial institutions and financial firms that fall under the Gramm-Leach-Bliley Act would not be asked to register. But still, that bill failed to make it out of the Senate Committee last session.
This time, Delaware Personal Data Privacy Act has 25 co-sponsors, all Democrats except Rep. Ruth Briggs King (R-Georgetown), who voiced her support for a data broker during the 2022 session.
“I’ve worked days and days with stakeholders from groups like Rehoboth-Dewey Beach Chamber of Commerce to the state Chamber of Commerce to TechNet to Comcast to Delmarva Power to the bank and insurance companies,” Griffith said. “I have made a number of concessions to address their concerns to preserve the integrity of this: empowering consumers in their ability to protect their own information.”
Before the Delaware Personal Data Privacy Act was voted on this week, Griffith successfully proposed amendments. That includes exempting nonprofits focused on preventing insurance crime and ensuring consumers have the right to receive a list of third parties with whom companies have shared their data.
The Delaware State Chamber of Commerce still opposes the bill, noting that it could open up businesses to lawsuits and impose additional costs on businesses that would be regulated. Speaking during the End of Policy Conference this week, William Denny of Potter Anderson & Corroon LLP stressed that businesses would be dealt the brunt of the work to process data and maintain records on it.
He said the definitions of sale were broad enough that would require businesses and organizations that share data internally to trigger the opt-out clauses, which would cause more burdens on business. Penalties could be up to $10,000 per violation, and the amended law provides a 60-day right to cure starting in 2026.
“You can imagine if you have a database of however many data subjects. If you violate this act, every data subject is a unique violation, so the potential damages may be tremendous. The burdens are more significant for small and mid-sized businesses,” Denny said on Wednesday during a panel discussion.
“A company may need to conduct a readiness assessment and start understanding the nuances of all state laws,” he added. “Companies typically are subject to more than one state law, and they need to develop a detailed plan to comply.”
HB 154 now heads to the Senate Banking, Business, Insurance & Technology Committee for consideration.
