(Delaware) Testimony in Support of H.B. 380, Amending the Delaware Personal Data Privacy Act
Chair Spiros Mantzavinos
Banking, Business, Insurance & Technology Committee
Delaware Senate
411 Legislative Avenue
Dover, DE 19901
Re: H.B. 380 (An Act to Amend Title 6 of the Delaware Code Relating to Personal Data Privacy) – SUPPORT
Dear Chair Mantzavinos and Members of the Committee,
Consumer Reports and the Electronic Privacy Information Center (EPIC) write in support of H.B. 380 and sincerely thank you for your consideration of advancing consumer privacy in Delaware. H.B. 380 would build on the Delaware Personal Data Privacy Act (DPDPA) by extending to Delaware consumers important new protections, including by limiting the sale of sensitive data, expanding consumers’ rights around the use of profiling, improving key terms, expanding the law’s coverage, and more. These important amendments largely reflect the last several years of work on privacy legislation across the United States and would raise the baseline of protection for Delaware consumers. Consumer Reports and EPIC urge the Committee to advance this important bill.
We particularly appreciate that the bill includes the following elements:
- Limiting the Sale of Sensitive Data. House Amendment No. 2 of the bill would restrict businesses from selling consumers’ sensitive data unless “strictly necessary to provide or maintain a product or service affirmatively requested by the consumer.” Businesses will also need to clearly disclose such sales before they occur and obtain consumers’ consent. Such a standard would dramatically reduce the outward flow of data about our most personal characteristics into the commercial ecosystem, including our health, precise geolocation, race, religious beliefs, and data from children. This change would also shift the burden of privacy protection away from consumers and toward companies that otherwise have every incentive to exploit consumer data for their own benefit and profit. The less sensitive information companies collect and sell about us in the first place, the less that can be used against us for hyper-targeted scams or surveillance pricing, shared with unwanted third parties, or exposed in a data breach. This standard would also move Delaware closer to the several other states that include similar protections for sensitive data (or subsets thereof), including Maryland, Oregon, Connecticut, and Virginia. Several other states are currently advancing similar provisions, including California and New Jersey. We strongly urge the Senate to retain this piece of the legislation.
- Expanded Definition of Sensitive Data. We support the expansion of the definition of sensitive data to include categories such as social security numbers, financial information, neural data, and health treatment or status. These updates pull categories that other states have included in their definition of sensitive data and are common-sense additions of personal data that necessitate heightened protections.
- Lower Thresholds. H.B. 380 would lower the threshold for coverage so that the bill would apply to any businesses that control or process the personal information of 10,000 consumers; businesses that control or process the personal information of 5,000 consumers and that derive more than 20 percent of their revenue from the sale of personal data; or third parties that acquire personal data from a controller. This change will expand protections for consumers, ensuring that large national companies with a moderately sized footprint in Delaware will be required to abide by the law. We similarly support lowering the threshold for businesses required to conduct data protection assessments to those that process the personal data of 50,000 consumers.
- Narrowing of Entity-Level Exemptions. Delaware’s privacy law currently exempts from coverage any financial institution or an affiliate of a financial institution, as defined in the Gramm-Leach-Bliley Act (GLBA). This carveout arguably makes it so that large tech companies (Apple, Amazon, Google, Facebook, and Microsoft) would be exempted from the entire law if one arm of their business receives enough financial information from banks, a line many of them are already currently skirting. H.B. 380 would narrow this entity-level exemption somewhat by exempting specific types of businesses (e.g., banks, insurers, credit unions, etc.) rather than any financial institution or affiliate under GLBA. While we support any efforts to close potential loopholes, this exemption should be tightened further to instead exempt only the information that is collected pursuant to GLBA, applying its protections to all other personal data collected by such entities that is not currently protected by other laws.
- Protections for Personal Data Used in Profiling Rights. We commend the bill sponsor for focusing in H.B. 380 on protecting personal data used in profiling decisions. Profiling is often used in high-stakes contexts, including in determining people’s access to housing, employment, health care, and other life necessities, so this particular use of data should have additional safeguards. We support the new definitions for “adverse action” and “report,” the addition of a consumer right to know whether a controller is engaging in profiling, and the requirement that controllers conduct impact assessments if they engage in profiling. While we support the addition of consumer rights to be notified of an adverse action in a decision based on profiling, access the personal data used in that profiling decision, correct inaccuracies in their personal data, and request meaningful human review of the profiling decision, as drafted, H.B. 380 seems to provide consumers with more rights if a third party conducts the profiling than if a controller does. The bill should be amended to ensure that a consumer can exercise all these rights regardless of the entity engaging in the profiling.
- Right to Access Inferences. In our experience assisting consumers making privacy requests, many businesses do not respond to access requests by providing all of the personal information they’ve amassed about consumers, including inferences they have generated about consumers based on existing personal data. We appreciate that H.B. 380 would clearly require businesses to respond to any access request with any such inferences. This information can be highly material to a consumer’s decision to interact with a business, as it can reveal whether they are being placed into sensitive marketing segments, such as “parents of preschoolers,” “rural and barely making it,” “Christian church goers,” or “wealthy and not healthy” (all of which are real marketing categories used by data brokers and others).
- Right to Request List of Third-Party Recipients of Data. We appreciate that this proposal would allow consumers to request the list of third parties to which their personal information has been sold or shared. This is a critical protection that provides much needed transparency into the otherwise opaque data sharing ecosystem. In addition, it allows consumers to trace the movement of their personal data and more meaningfully leverage their privacy rights in the event that they wish to access or delete personal information shared with third parties.
At the same time, we urge the drafters to strengthen the bill by adding the following protection, which is necessary to provide Delaware consumers with the level of protection they deserve:
- Institute Meaningful Data Minimization Provisions. A strong privacy law should limit the data companies can collect and use to match what consumers expect based on the context of their interaction with the business. For example, a mobile flashlight application should not be permitted to collect a consumer’s precise geolocation information because such information is not necessary to provide the service requested, and the collection of that data is unlikely to be in the consumer’s interest.
In contrast, the core of the framework currently found in the DPDPA is “notice-and-choice,” which focuses on disclosures in privacy policies. The law allows businesses to continue collecting whatever personal data they want and using it for any reason they want as long as they disclose those practices in their privacy policies and allow consumers to opt out. However, very few consumers have the time to read privacy policies in practice and would likely struggle to decipher their lengthy legalese even if they did. Moreover, the opt-out framework offloads all of the burden of consumer protection onto consumers themselves, while absolving companies of the responsibility to engage in responsible data collection. As the Connecticut Attorney General’s Office has written:
> Unfortunately, the CTDPA’s current notice-and-consent model sets an exploitable standard — businesses can seek to justify unnecessary data collection by deeming such collection “adequate, relevant and reasonably necessary” to the purposes disclosed to consumers. This standard contravenes data minimization principles outright — it allows businesses to collect data they simply do not need so long as it is disclosed in privacy notices that are often bulky, confusing, or worse, misleading.
Rather than continue with this approach that harms consumers, H.B. 380 should implement a data minimization rule that businesses can only collect and use data when it is “reasonably necessary” to provide the services the consumer asks for. Unfortunately, the new data minimization standard proposed in H.B. 380 is still ultimately pegged to “the purposes disclosed to the consumer.” Company privacy policies often list open-ended and ambiguous processing purposes that allow them to essentially do whatever they want with consumer data, which means any limitation that is based on these disclosures will be illusory. We therefore propose the following redline:
(1) Limit the processing of personal data to what is reasonably necessary and proportional to provide or maintain the product or service requested by the consumer. ~~in relation to the purposes for which such data is processed, as disclosed to the consumer~~
Thank you again for your consideration and for your work on this important legislation. We look forward to working with you to ensure that Delaware residents have the strongest possible privacy protections.