DOVER – Delawareans would have stronger data privacy protections under two bills passed by the House Thursday.
The measures, both sponsored by Rep. Krista Griffith and Sen. Marie Pinkney, would strengthen Delaware’s existing Personal Data Privacy Act and require greater transparency and accountability around data breaches.
“At a time when algorithms sometimes know more about us than even our closest friends and family, it is more important than ever to ensure that consumers’ sensitive personal data is protected and cannot be misused by bad actors,” said Rep. Krista Griffith.
“Together, HB 380 and HB 381 will help to ensure that Delawareans can continue to participate in an increasingly digital world, with the comfort of knowing that we have some of the strongest data privacy protections in the country.”
House Bill 380 builds on Delaware’s existing data privacy laws to create stronger protection around residents’ personal online data.
Personal data is any information that can be linked to an identifiable individual, including a home address, a bank account number, or credit card information.
In 2023, the General Assembly passed the Delaware Personal Data Privacy Act to strengthen protections for consumers and help ensure Delawareans’ sensitive personal information is handled responsibly. Since its passage, states across the country have continued to expand and refine their own consumer privacy laws.
HB 380 would help make sure our state keeps up with evolving national standards and best practices by making several updates to the law, including:
- Expanding the existing definition of sensitive data to include national origin, treatment for any mental or physical health condition, including reproductive and gender affirming care, neural data, financial account information and government issued identification.
- Prohibiting controllers, the companies or organizations that collect and process personal data, from processing data of any residents who they know, or reasonably should know, are minors.
- Requiring controllers to provide notice of any adverse action taken after disclosing a report containing a consumer’s personal data to a third party.
The bill would also create a first of its kind due diligence obligation that would require controllers to make sure that any third-party they sell or disclose our data to are properly and securely handling that information.
“Algorithms play a huge role in Delawareans’ day-to-day lives, and it’s our responsibility to strengthen our data privacy laws to better protect our neighbors in this new age,” said Senator Marie Pinkney, Senate Prime Sponsor of House Bills 380 & 381.
“We must meet the moment and expand the consumer rights of Delawareans to ensure that their sensitive, personal data is protected. Together, these bills do just that.”
House Bill 381 expands on existing Delaware law, which requires companies to disclose any computer security breaches that may contain sensitive data and provide notice to its customers through written, electronic, or other means as soon as possible, but no later than 60 days after the determination of a security breach.
Under HB 381, businesses would also be required to provide notice to the Attorney General’s office within 60 days of the determination of a breach. Currently, the Attorney General’s office is only informed when a security breach affects more than 500 Delaware residents.
The purpose of this legislation is to better inform the Department of Justice’s Fraud & Consumer Protection Division, the entity responsible for the enforcement of consumer protection laws in Delaware.
A significant part of CPU’s responsibilities also includes engaging in consumer advocacy and providing consumers with the information needed to avoid becoming victims of consumer fraud and/or having their data privacy rights violated. Ensuring that the Attorney General’s office is informed of all data breaches that may contain sensitive data also helps to increase transparency and bolster the publicly available Data Security Breach Database, and allows for the creation of more timely and relevant informational materials.
“As technology advances and personal data becomes more valuable, we need to raise the guardrails that protect Delawareans. HB 380 and 381 modernize Delaware’s data privacy protections to keep pace with AI, require your consent if a company wants to sell your sensitive data, and help ensure that your data stays yours. I’m grateful to Rep. Griffith for her strong leadership,” said Attorney General Kathy Jennings.
Both HB 380 and HB 381 were developed in partnership with the Delaware Department of Justice, and now head to the Senate for consideration.
###
