DELAWARE -Two bills aimed at strengthening Delaware’s data privacy protections and improving transparency around data breaches passed the Delaware House on Thursday and now move to the Senate for consideration.
The measures, House Bill 380 and House Bill 381, were developed in partnership with the Delaware Department of Justice.
“At a time when algorithms sometimes know more about us than even our closest friends and family, it is more important than ever to ensure that consumers’ sensitive personal data is protected and cannot be misused by bad actors,” Rep. Krista Griffith (D -Wilmington) said.
“Together, HB 380 and HB 381 will help to ensure that Delawareans can continue to participate in an increasingly digital world, with the comfort of knowing that we have some of the strongest data privacy protections in the country.”
House Bill 380 would expand Delaware’s existing Personal Data Privacy Act, which lawmakers approved in 2023. The bill broadens the definition of sensitive personal data to include national origin, treatment for mental or physical health conditions, reproductive and gender-affirming care, neural data, financial account information and government-issued identification.
The legislation would also prohibit companies and organizations that collect and process personal data from processing the data of minors when they know, or reasonably should know, the person is underage.
In addition, the bill would require companies to notify consumers if adverse action is taken after sharing a report containing personal data with a third party.
Lawmakers said the measure would also create a new due diligence requirement that forces companies to ensure third parties handling consumer data are protecting that information properly.
“Algorithms play a huge role in Delawareans’ day-to-day lives, and it’s our responsibility to strengthen our data privacy laws to better protect our neighbors in this new age,” Sen. Marie Pinkney (D -Wilmington) said.
“We must meet the moment and expand the consumer rights of Delawareans to ensure that their sensitive, personal data is protected. Together, these bills do just that.”
House Bill 381 focuses on data breach reporting requirements. Current Delaware law requires businesses to notify consumers of data breaches involving sensitive information within 60 days.
The new bill would also require businesses to notify the Delaware Attorney General’s Office within 60 days of determining a breach occurred, regardless of how many people are affected. Current law only requires notification when more than 500 Delawareans are impacted.
Lawmakers said the change would help the Department of Justice’s Fraud and Consumer Protection Division better track breaches, improve consumer education efforts and strengthen the state’s publicly available Data Security Breach Database.
