Delaware committee advances update to state data-privacy law, adds limits on algorithmic profiling and third‑party sales

Representative Jennifer Griffith, sponsor of HB 380, told the House Technology and Telecommunications Committee that the bill is an 11‑page update to the Delaware Personal Data Privacy Act designed to align Delaware with recent state developments while adding protections she said Delaware uniquely needs. "This bill reflects those changes in other jurisdictions," Griffith said, and it adds a provision meant to curb algorithmic discrimination "so an entity can't say no to someone from anything from housing to mortgage to college."

The bill expands the statute's definition of sensitive data to include categories the sponsor enumerated during her presentation: national origin; treatment for mental or physical health conditions (including reproductive and gender‑affirming care); neural data; financial account information; and government‑issued identification. Griffith said the bill also lowers the statute's applicability threshold to better align with other states, but the transcripted numeric figures provided during oral remarks were unclear in the record and the exact threshold in the filed text was not read into the hearing. (Threshold details should be confirmed in the bill text circulated to members.)

HB 380 would require controllers that sell personal data to contractually bind third parties in the data chain to follow Delaware law and limit use to the purposes for which the data were originally collected. "These new provisions essentially tie up that loophole and the contract requirements are specific," John Akins, deputy attorney general with the Delaware Department of Justice, told the committee. Akins said the contractual obligations extend along the chain of transfers so that downstream buyers remain constrained to limited, original purposes.

Advocacy groups at the hearing urged tougher limits on secondary uses and stronger data‑minimization standards. John Reynolds of ACLU of Delaware, while praising HB 380's profiling and impact‑assessment provisions, said current state law "has not done enough to change business as usual for big tech" and urged lawmakers to follow Maryland's data‑minimization approach so data are used only for services consumers request. Kara Williams of the Electronic Privacy Information Center told the committee EPIC "strongly supports data minimization" and urged amendments that would prohibit the sale of sensitive data entirely rather than relying on opt‑in consent for sales.

Business witnesses and industry groups raised concerns about interoperability, compliance costs, and preserving federal requirements. James Nutter of TechNet urged aligning definitions with other states to avoid a patchwork of obligations. Zachary Taylor of the Consumer Data Industry Association asked the sponsor to ensure changes do not undermine notices and disclosures required under the federal Fair Credit Reporting Act (FCRA) for fraud detection and identity verification.

Committee members pressed the sponsor and DOJ on implementation details. Vice Chair Representative Wilson Anton asked what a "clear and conspicuous" notice for a sale of sensitive data would look like on mobile devices; John Akins replied that the bill would require a specific opt‑in popup that discloses a sale and requires an affirmative "yes" or "no" response. Representative Griffith said she would seek language clarifications to ensure the notice is meaningfully distinguishable from the routine cookie popups consumers see.

The committee took a roll call on a motion to release HB 380. The on‑record roll call at the hearing showed four "yes" votes; committee staff will circulate the bill for signatures from members not present and said the bill will be reported out to the House if it receives the required additional signatures. The hearing record therefore shows that the committee moved to advance the bill to the signature process but does not record a final committee report-out at the hearing itself.

What happens next: the sponsor and Department of Justice will continue technical discussions with stakeholders and the committee will circulate the bill for signatures from absent members. If it receives the required signatures, HB 380 will be reported out on the legislative website and scheduled for floor consideration.