VIEWPOINT: Data Broker Bill Will Hurt Delaware Business

William Denny

If the Data Broker Bill, HB 262, becomes law, it is unlikely that Delaware citizens will be rushing to the Department of Justice website to research vendor privacy practices before making their next car repair appointments, pizza delivery orders or online purchases. Rather, it will be lawyers who rush to the website, looking to bring class action lawsuits against businesses who fail to register or whose data collection and selling practices might differ from their public disclosures. Whether or not such claims have merit, businesses will be pressured to settle rather than run up high litigation costs, causing insurance costs to climb as well. Consumers are unlikely to benefit.

Vermont is the only other state in the nation with a similar data broker law. Passed in 2018, the Vermont Data Broker Law has failed to create a useful tool for consumers. According to reports, most businesses to whom the Vermont law applies have failed to register, and those few who have registered have typically failed to offer clear answers regarding their practices. No other state has followed Vermont’s lead, although California and Nevada have adopted very different and much narrower data broker laws. 

HB 262 is modeled on the Vermont law with three significant exceptions. First, the Vermont law applies only to the collection and selling of data where the business does not have a direct relationship with the consumer, while the Delaware law also applies to businesses who are collecting and selling information of their own customers. This dramatically increases the number of businesses that would be subject to the law, many of whom would not have guessed that they would be subject to the new law and would be ill equipped to comply with the law’s significant burdens. 

Second, the Vermont law excludes government entities from having to comply with the law. In contrast, HB 262 applies to any entity, which would include governmental entities, which are repositories of huge troves of data about Delaware citizens. No information has been provided on the cost of compliance by state or local agencies or the impact of this bill on their budgets. 

Third, the Vermont law can be enforced only by the Attorney General of the state. In contrast, Delaware would allow a private right of action for any alleged violation of the prohibitions on collecting or selling personal information. Private parties, recruited by class action lawyers, could allege that their personal information was collected through deception or false representations, which could include something as simple as the collection practices of a business not being consistent with that business’s privacy policy. Businesses would be forced to defend themselves at great expense and would look to their insurance carriers to pay for the defense. Insurance rates would likely rise because of this increased risk, regardless of whether the lawsuits were ultimately dismissed. 

It is difficult to see who would benefit from the Data Broker Bill. Because compliance with the bill’s onerous registration requirements would likely be spotty and incomplete, as is the case in Vermont, the information would be of limited use to Delaware citizens. Moreover, it is unlikely that any Delaware citizen would spend the time finding the Department of Justice database or parsing through its data to decide which vendor to choose. Thus, the bill would likely fail in its stated primary purpose of “providing consumers with critical information of how their personal information is being used by data brokers.”

Instead of passing a relatively ineffective and costly Data Broker Bill, Delaware should consider passing a comprehensive data privacy law that would protect the privacy rights of Delaware citizens. As of now, five states (California, Virginia, Colorado, Utah and Connecticut) have adopted such laws and similar laws are being considered in a dozen other states, with a federal version being considered in Congress. Such a law in Delaware could address individual privacy rights comprehensively and be more fair to businesses.

Businesses are already subject to a host of U.S. federal and state privacy, data security and data breach notification laws. It is important to protect the very real privacy rights of individuals, but this should be done in a considered and comprehensive fashion, in a manner that actually helps the individual and with thought taken for the impact.

William R. Denny is a partner with Potter Anderson & Corroon LLP. His business and litigation practice focuses on commercial and corporate transactions, vendor management, mergers and acquisitions, data privacy and security and information technology.
