Rep. Griffith & Rep. Matthews & Rep. Baumbach & Sen. Hansen & Sen. Gay
Rep. Lambert; Sen. Ennis
HOUSE OF REPRESENTATIVES
151st GENERAL ASSEMBLY
HOUSE BILL NO. 262
AN ACT TO AMEND TITLE 6 OF THE DELAWARE CODE RELATING TO DATA BROKERS AND CONSUMER PROTECTION.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF DELAWARE (Three-fifths of all members elected to each house thereof concurring therein):
(vi) unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the consumer, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;
(2) “Business” means a commercial entity, including a sole proprietorship, partnership, corporation, association, limited liability company, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the laws of this State, any other state, the United States, or any other country, or the parent, affiliate, or subsidiary of a financial institution.
(4)a. “Data broker” means a business that both (i) knowingly maintains or collects the brokered personal information of at least 500 consumers and (ii) either sells or licenses such information to one or more independently operated businesses. The term “data broker” includes, but is not limited to, data collectors and third-party data brokers. A business may be both a data collector and a third-party data broker depending on its activities.
b. “Third-party data broker” means a data broker that receives the brokered personal information of one or more consumers with whom the data broker does not have a direct relationship (e.g., employee, contractor, agent, investor, donor, customer, client, subscriber, user, or other similar relationship in which the consumer would be aware that the data broker received the consumer’s personal information directly from the consumer).
c. The following activities conducted by a business, and the collection and sale or licensing of brokered personal information incidental to conducting these activities, do not qualify the business as a data broker:
4. Providing brokered personal information of an individual to an employer, potential employer, government agency, or contractual counterparty of the individual, with the written authorization of such individual in connection with a background check of such individual.
2. A license of data that is both incidental to a contract the business has with a third-party service provider and necessary for such third-party service provider of the business to accomplish the purpose of such contract, provided that the third-party service provider’s permitted uses of the licensed data are limited to fulfilling its contractual obligations to the business; or
3. The disclosure or transfer of brokered personal information pursuant to the terms of a subpoena, a court order, a regulation, a statute, a response to a discovery request, or other legal obligation.
b. In determining whether brokered personal information was acquired or is reasonably believed to have been accessed or obtained by a person without valid authorization, a data broker shall consider all relevant factors, including but not limited to the following factors:
1. Indications that the brokered personal information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing brokered personal information;
(7) “License” means a grant of access to, or distribution of, data by one person to another in exchange for consideration. A license does not include use of data for the sole benefit of the data provider if the data provider maintains control over the use of the data.
(a) A person shall not acquire brokered personal information through deception, false representations, or other fraudulent means, including on the basis of misrepresentations or material omissions about the data collector’s use of the brokered personal information.
(c) A data broker shall not provide for consideration, whether by sale, license, or other exchange, to another person brokered personal information where that data broker knows or reasonably should know that such brokered personal information was acquired in a manner prohibited by §12D-102(a), above.
(d) A data broker shall not provide for consideration, whether by sale, license, or other exchange, to another person brokered personal information where that data broker knows or reasonably should know that such brokered personal information will be used for any of the purposes set forth in §12D-102(b), above.
a. For a data broker who sold or licensed the brokered personal information of not more than 5,000 consumers and engaged in not more than 5 such sale or license transactions during the relevant year, the registration fee is $10.
b. For a data broker who is not eligible for the fee under sub-paragraph (a)(2)a., above, and who sold or licensed the brokered personal information of not more than 200,000 consumers, the registration fee is equal to the multiple of the number of consumers times $0.0025, rounded up to the nearest $10.
d. For registration fees due in each year after 2022, the calculations in paragraph (a)(2) of this section shall be increased by multiplying the registration fee calculated pursuant to paragraphs (a)(2)b. and (a)(2)c. of this section by the cumulative change in the national consumer price index from January 1, 2021 to January 1 in the year in which the registration fee is due. The registration fee due pursuant to paragraph (a)(2)a. is not subject to such increase.
a. The name and primary physical, e-mail, and Internet addresses of the data broker and links to all privacy policies issued by the data broker that are applicable to the brokered personal information that it collects or maintains.
b. If the data broker permits a consumer to opt out of the data broker's collection of brokered personal information, opt out of the inclusion, use, or processing of the consumer’s information in the data broker’s databases, or opt out of certain sales of data about the consumer:
d. A description of the data broker’s process for verifying the purchasers of its brokered personal information, along with such purchasers’ compliance with relevant privacy policies and representations, including any purchaser credentialing process.
f. Where the data broker has actual knowledge that it possesses the brokered personal information of minors, a separate statement detailing the data collection practices, databases, sales activities, and opt-out policies that are applicable to the brokered personal information of minors.
Question: Which of the following categories of consumer data do you collect directly from consumers and from consumers’ devices? Answer Choices (indicate all that apply): (0) none; (1) name, telephone, or contact information; (2) demographic information, such as age, gender, gender-identity; (2a) data related to the assignment of a consumer to predicted demographic categories; (3) race, nationality, ethnicity, or sexual preference data; (4) geolocation data; (5) financial account data; (6) income or wealth data; (7) employment data; (8) biometric data; (9) device-based user activity data; (10) health data; (11) genetic data; (12) social security number or other government-issued identification number; (13) internet browsing data; (14) information on a consumer’s purchasing history; (15) date of birth; (15) criminal history; (16) information on a consumer’s status as a victim of a crime; (17) other
Question: To which of the following categories of third party do you sell or license such consumer data? Answer Choices (indicate all that apply): (0) none; (1) financial institutions; (2) insurance providers; (3) healthcare providers; (3) non-profit organizations; (4) law enforcement agencies; (5) non-law enforcement governmental agencies or subdivisions; (6) advertising platforms; (7) lead generators; (8) charitable solicitors; (9) non-US based businesses; (10) non-US governments; (11) third-party data brokers; (12) other.
Question: Do you limit the use of brokered personal information by a purchaser or licensee receiving brokered personal information from you? Answer Choices (indicate all that apply): (1) Yes, we require all recipients to comply with our privacy policies that are applicable to such information when in our control; (2) Yes, we contractually limit use to those purposes set forth in our contract; (3) Yes, we prohibit resale; (4) Yes, we limit uses in ways other than those methods listed in answer choices (1), (2) and (3); (5) No.
Question: If you answered “yes” to the preceding question, what steps do you take to ensure the purchaser’s or licensee’s compliance with those limitations? Answer Choices (indicate all that apply): (1) maintain a right to audit or inspect the purchaser or licensee; (2) require and receive periodic reports on compliance from the purchaser or licensee; (3) conduct periodic not-for-cause audits or inspections of the purchaser or licensee; (4) conduct for-cause audits or inspections of the purchaser or licensee; (5) other.
h. On an annual basis by September 1 in the year preceding the year in which a registration is due, the Director of Consumer Protection may add and remove questions and answer choices to the questions set forth in paragraph (a)(3)g. of this section as the Director determines to be appropriate in light of the evolving nature of the data brokerage industry.
(c) A data broker that includes information it knows or reasonably should know to be false in a registration submitted pursuant to subsection (a) of this section is liable to the State for all of the following:
(a) A data broker shall develop, implement, and maintain a comprehensive information security program that is written in more readily accessible parts and contains administrative, technical, and physical safeguards that are reasonably designed to achieve the following objectives:
(1) The program conforms to the standards or framework of a nationally- or internationally-recognized standards-setting organization in the field of cybersecurity, to be identified by the Director of Consumer Protection through rulemaking pursuant to subsection (a) of § 12D-106 of this chapter.
(2) The data broker is subject to the requirements of any federal or state law or regulation governing the protection, security, or integrity of brokered personal information, and the data broker’s information security program conforms to the requirements of the applicable federal law or regulation.
(b) Money in the Internet Privacy Protection Fund may be used for expenses incurred by the Consumer Protection Unit of the Department of Justice in connection with any activity to carry out or enforce the provisions of this chapter, including payment of salaries for personnel and costs, expenses incurred in administering the registration process set forth in § 12D-103 of this chapter, charges incurred in the preparation, institution, and maintenance of investigations or enforcement actions brought pursuant to the authority granted by this chapter, and consumer education and outreach relating to information security and privacy.
(a) The Director of Consumer Protection shall promulgate regulations to carry out the purposes of this chapter, which shall include identifying acceptable information security standards or frameworks for purposes of the safe harbor provision of paragraph (c)(1) of § 12D-104 of this chapter, which may include:
(b) The Consumer Protection Unit of the Department of Justice shall make public on a searchable website the information each data broker submits pursuant to paragraph (a)(3) of § 12D-103 of this chapter. The Consumer Protection Unit of the Department of Justice shall update the website with the current year’s registration information by April 30 of each year. The Director of Consumer Protection may aggregate and analyze data broker registration information and make the results of any such analysis public.
This Act seeks to provide consumers with critical information about how their personal information is being used by data brokers. This Act requires data brokers to register with the Consumer Protection Unit of the Department of Justice and answer questions regarding their use of personal information that would be published online to inform consumers. A fee schedule is established based on the size of the data broker that would fund the enforcement of the statute. Entities or individuals who collect personal information but do not sell or license that personal data are not required to register. Registration only applies to data brokers who sell or license information. The Act prohibits acquiring or providing brokered personal information where it will be used for certain unlawful purposes, or where it was obtained through fraudulent means. The Act requires data brokers to protect brokered personal information.