DOVER — In one of the last public hearings as the end of session is on the horizon, representatives of the consumer reporting industry and Delaware’s business groups are still pushing for concessions in the proposed Data Act.
The Consumer Data Industry Association (CDIA) Manager of Government Relations Mike Carone argued before the Senate Banking, Business & Insurance Committee on Wednesday that HB 262 would add yet another layer of regulation to already existing federal oversight.
“I know there is [talk] about some questionable behavior by some companies on some hot button issues. None of our members are involved in any of that type of work,” Carone said. “It’s all around consumer reporting: your files, public records, background checks, nothing that hasn’t already existed for decades — and it’s all heavily regulated.”
House Bill 262 would require the state Department of Justice to create a registry of data brokers, or businesses that collect or maintain data from at least 500 or more consumers or those who sell or license information to businesses. That registry would include companies’ privacy policies, opt-out information and more that Delawareans could search on their own. Companies can be held liable if they knowingly buy data that was fraudulently acquired.
The bill, sponsored by Rep. Krista Griffith (D-Fairfax) and co-sponsored by Sen. Stephanie Hansen (D-Middletown), is now working its way through the senate.
“The consumers have a right to know where this information is going and what’s being done with it. So that we can make informed decisions,” Hansen told the committee. “When I started door knocking, people wanted to know where their private information was going. And they don’t believe that we, as the government, were taking care of them.”
Registration fees for the state registry would range between $10 to $500, and be based on the company’s activities and how fast they sell or license the data. Those who fail to register will be fined $50 each day to not exceed a total of $10,000 for each year.
The Data Act is not limited to companies in Delaware, but any company that “interacts with Delaware consumers,” when it comes to buying and selling Delawareans data, Lefkon added. It is difficult to estimate how many companies would have to register, though he predicted it would impact 2,000 to 3,000 companies.
Amendments discussed
After some concerns from the banking sector as well as some technology trade associations, Griffith amended the bill to eliminate the private right of action in certain situations. The private right of action will still apply in the case the brokered information is aquired for fraud, stalking or unlawful discrimination.
It also clarified that financial institutions and financial firms that fall under the Gramm-Leach-Bliley Act would not be asked to register.
But Chris DiPietro, a lobbyist with the CDIA, argued that another amendment be created to include firms that fall under the Fair Credit Reporting Act, which would cover many credit reporting agencies such as Equifax, TransUnion, and Experian.
“Consumer records are used by financial institutions to keep our economy moving,” DiPiertro said. “The FCRA is a very robust statute that governs the credit reporting agencies, and it requires every consumer to be provided with a copy of their credit file, disclosure information after they disclose payment information from a bank, and consumer rights.”
Griffith, who attended the meeting, maintained that the FCRA did not have expansive protections for consumers compared to the Gramm-Leach-Bliley Act. She noted that the three credit bureaus maintain a database of 220 million people — and would be a prime target for data brokers.
“Essentially we would not be saying to the credit agencies, ‘no, you can’t do this,’” she added. “We’re saying ‘if you do this, then what you need to do is provide that information to the Delaware Department of Justice, so that they can share that with consumers.”
Once again during the hearing, the business community spoke out against HB 262, citing unknown impacts on the bill if it is passed, especially on the private right of action as it applies to businesses. Tyler Micik, the Delaware State Chamber of Commerce Public Policy & Government Relations manager, noted that the Delaware DOJ has no record of consumer complaints on the issue.
“There is no data to validate whether the problem in the business community exists. This bill goes far beyond what any other state has done,” Micik said.
Joe Fitzgerald, a lobbyist for the New Castle County Chamber of Commerce, pushed to receive a more detailed analysis on how HB 262 would impact government entities.
How it would work
Griffith and Hansen brought in an expert witness to testify about how the Data Act may work if it is passed: Christopher Curtis, chief of the public protection division at the Vermont Attorney General.
Vermont was among the first states to pass a data privacy registry and protection act back in 2019. After the bill passed, the state went from 123 brokers registered to more than 500, and Curtis said the state is working to see if those include duplicate companies.
“I think the benefit to consumers is that if we receive calls or if somebody receives a notice of a data breach from a company that they were cared for and aware of, they can contact our Consumer Assistance Program, which is our frontline call service to handle complaints,” Curtis said.
Such was the case in the Equifax data breach, when the Vermont Public Protection Division was “inundated” with calls from concerned residents.
If Delaware were to enact the Data Act, companies who sell or license data would have to answer a series of multiple choice questions about the data that is collected, how it’s protected and who may purchase it.
The Delaware Department of Justice Consumer Protection Unit Chief Christian Wright said the DOJ would also create a website that would allow consumers to see the differences in the terms of use agreement.
“For example, if anyone bought Disney Plus or Netflix from Roku, Chromecast, Apple TV — I can tell you, those companies all have different policies in how they handle data. I’ve researched this myself,” Wright said. “It’s about putting information in the hands of consumers to give them the ability to comparison shop for privacy.”
Editor’s note: a previous version of this article incorrectly misspelled Mike Carone’s name and misidentified his title. We regret the error.
