Bill to create data broker registry workshopped
DOVER — Rep. Krista Griffith (D-Fairfax) is working closely with stakeholders on her proposed bill that would create a registry of data brokers, a tool that will be necessary to shine a light on what information is being bought and sold.
“This bill is not intended to harass businesses, it’s to provide sunlight to Delaware residents,” Griffith told the Delaware Business Times. “This extremely personal information is being sold from them without their knowledge, and the goal is to give our consumers an easy and concise way to find out who is selling that information.”
House Bill 262, or the Data Act, would require data brokers —businesses that collect or maintain data of consumers or those who sell or license information to businesses — to notify the Delaware Department of Justice. The state DOJ will create a registry of companies, their privacy policies and opt-out information and more so that Delawareans could search on their own. The DOJ estimates that 2,000 data brokers would be required to register if the bill becomes law.
The data subject to this bill would include names, address, date and place of birth, mother’s maiden name, household family members, Social Security number, biometric data such as eye or fingerprint scans and more.
Under HB 262, the registry would also list specific methods for people to opt-out, such as direct web links to forms, an email or physical address or phone number to contact, and whether the opt-out applies to certain sales or third parties. Companies who register would also be required to develop and implement security programs to safeguard the information.
However, Griffith has been organizing meetings with the Delaware State Chamber of Commerce, the Delaware Bankers Association and other stakeholders to listen to concerns. She is working on an amendment that reportedly would drop the provision for security measures if a company already has a protocol in place.
“It’s a work in process, and I don’t anticipate making everyone happy with this legislation,” Griffith told DBT. “But this is an issue. I bet if you went out and asked people on the street, ‘Do you believe you have the ability to find out people selling your information?’ They would say no, but they would like the opportunity to do so.”
As drafted, HB 262 would impact companies who collect more than 500 people’s data with intent to sell, and companies would have to pay a fee to register with the DOJ before Jan. 31. Registration fees range between $10 to $500, and are based on the company’s activities and how fast they sell or license the data.
For example, a data broker that sold the data of less than 5,000 consumers and engaged in less than five transactions for the year would have to pay $10.
Those who fail to register will be fined $50 each day to not exceed a total of $10,000 for each year.
Griffith pointed out that nonprofits and other companies that collect the information for market research would not have to register, since the bill specifically mandates those who sell the data would have to register.
“There is some confusion out there right now, because nonprofits have a list of donors and some are wondering if they have to register. They don’t, but they have to make sure that data is stored in a secure place,” she said.
Earlier this year, HB 262 was met with opposition and concerns from the Delaware Bankers Association, the Delaware State and New Castle County Chamber of Commerce, all worried how this may impact the state’s financial sector and other businesses.
Tom Collins, the president of the Delaware Bankers Association, noted that there were several federal regulatory agencies that already oversee and monitor financial institutions. He worried this bill may add to the burden of doing business in the First State, and hoped for an exemption for financial institutions.
“The regulators help create an environment of accountability and ensure that the problem areas are addressed expeditiously,” Collins said during the Jan. 25 hearing. “With this heavy regulation, privacy is a responsibility for the federal government.”
National trade associations like Consumer Data Industry Association (CDIA), the State Privacy and Security Coalition, TechNet, a trade association for technology companies, also voiced similar concerns. If HB 262 is passed, Delaware will be among a small handful of states to run a registry, including California, Vermont and Virginia. Furthermore, many consumer data groups were concerned that the private right of action clause would open up a bevy of civil lawsuits.
The CDIA, which represents nationwide, regional and specialized credit bureaus and more, believes a registry is not necessary at this time, and more restrictions may inhibit the flow of legitimate consumer transactions.
“Obviously, your information is available to the companies that you’re doing business with. Consumers should expect and assume that when they’re applying for products or services, that there’s often going to be a fraud prevention, identification or an authentication check,” CDIA Senior Vice President Eric Ellman told the Delaware Business Times. “Consumers should generally be aware that data is being used in ways to benefit them, even though they might not realize it.”
Chris Gilrein, TechNet Executive Director for Massachusetts and the Northeast, also argued that the scope of the bill was “massive,” and was concerned it would require small to medium businesses to build out infrastructure to ensure any contact with payment processors and anti-fraud measures comply with the bill.
“That’s expensive up front, and those would be the lucky ones,” Gilrein said. “This may really implicate a lot of pro-consumer transactions, because companies license or enter into contracts with third parties to protect consumer identity to protect your information.”
In a separate interview, Griffith said that HB 262 is not a value statement on legitimate data brokers, but making it transparent to consumers where that data is being shared.
“I respect that we have a strong financial services industry here and so the bill was designed to really have no impact in a negative way. This is not meant to be expensive or difficult for businesses. This bill is about transparency,” she said.