A data privacy bill that will give consumers more rights went unanimously through the House Technology & Telecommunications Committee Tuesday, two in favor and four on its merits.
House Bill 154, sponsored by Rep. Krista Griffith, D-Greenville, would give consumers the right to delete their personal data, change their personal data, know who is collecting their personal data and opt out of data collection for targeted ads.
The bill only applies to companies that control or process personal data on 35,000 or more people, or companies that process the personal data of over 10,000 people but make at least 20% of their gross revenue from selling that data.
There are some entities that are exempt, including the state of Delaware and financial institutions.
Some consumer data, including Health Insurance Portability and Accountability Act (HIPAA) information, credit information, data collected as part of research, and data from victims of crimes, are also exempted from being changed by consumers.
The bill would require the Department of Justice to engage in public outreach six months before the bill becomes law to tell people what the bill does.
Owen Lefkon, director of the Fraud and Consumer Protection Division of the Delaware Department of Justice, said they support the bill because of the protections it gives to consumers’ data.
“We know this is a complicated bill with many provisions,” Lefkon said. “But at its core, it’s simple. We have to codify what consumers already expect. That their data is their own and that they should have some rights to be able to access and control it.”
Rep. Sean Matthews, D-Brandywine Hundred, said he supports the bill but wishes more states had passed similar laws.
“I think in the future, I would prefer if Delaware would be one of 40 states rather than one of 10 states…if you could work towards standardizing it,” Matthews said. “I would hate to see a business entity write off Delawareans based on the small market size, based on compliance with a bill that was not industry-wide.”
States including Virginia, Colorado, Connecticut, Utah, Indiana, Iowa, Tennessee, and California have passed similar privacy legislation.
Last year, Connecticut’s governor signed into law the Connecticut Data Privacy Act, which will starting July 1 give residents some protections on the use of their data.
“We would all love a federal approach on this,” Griffith said. “But it doesn’t seem to be coming anytime soon and in the meantime, our consumers are not able to tap into their own information…when I was growing up, I never would have thought that all of this intel about my life…would be in so many different places.”
The bill has an incomplete fiscal note and 25 additional sponsors and cosponsors, all Democrats except for Rep. Ruth Briggs King, R-Georgetown.
Fiscal notes on proposed bills often aren’t finished until after a bill passes a committee hearing.
Rep. Shannon Morris, R-Harrington/Felton, said he’s not comfortable voting for a bill that doesn’t have a fiscal note attached to it.
Lefkon said that they’re looking to add four more full time employees to enforce the bill and that will cost about $400,000 plus an additional $45,000 for the outreach campaign.
Ten people spoke during the public comments session, with seven speaking in favor and the others voicing concerns they have about the bill.
Christina Bryan, director of communications and policy with the Delaware Healthcare Association, said the bill doesn’t exempt entities that deal with HIPAA.
“Hospitals and other healthcare providers are already covered by these stringent federal privacy protection requirements,” Bryan said. “In addition, an entity level exemption is provided in the bill for financial institutions governed under Gramm Leach Bliley, but a comparable exemption is not provided for HIPAA covered entities.”
The Gramm Leach Bliley Act, and specifically Title V of the act that House Bill 154 references, makes the Federal Trade Commission require financial institutions to protect the privacy of consumers’ personal information.
Scott Kidner, speaking on behalf of the Central Delaware Chamber of Commerce, said they appreciate the cutoff in the bill for entities that make over 20% of their revenue from data collection.
Margaret Durkin, the executive director for TechNet’s Mid-Atlantic Region, said they would prefer the bill changed to increase the thresholds from 35,000 people to 200,000, and from 10,000 people to 25,000 and from 20% of revenue to 50% of revenue from data collection.
This is not the first time that a digital privacy bill has been proposed.
Last year House Bill 262, also sponsored by Griffith, would have required data brokers to register with the state and provide information on how they use customer data.
While it passed the House 27 to 13, it didn’t get a hearing in a Senate committee.
House Bill 154 has now been placed on the House ready list.
Share this Post