Export Compliance Daily is a Warren News publication.
The ‘Right’ Balance

Microsoft, Tech Groups at Odds Over Delaware Privacy Bill

Microsoft clashed Tuesday with tech associations over privacy legislation advancing in Delaware (see 2305160054).

Sign up for a free preview to unlock the rest of this article

Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.

Delaware’s Senate Technology Committee heard testimony on HB-154, which closely mirrors a privacy law passed in Connecticut (see 2205110049). HB-154 strikes the right balance between the needs of consumers and businesses, and Delaware should enact the law this session, said Chris DiPietro, who lobbied on behalf of Microsoft Tuesday.

The major thrust of HB-154 is that it would allow consumers to request, correct and delete personal data collected by companies. The bill allows companies a 60-day right to cure to avoid data-handling violations. It doesn’t include a private right of action.

NetChoice, the Computer & Communications Industry Association, TechNet and the Software & Information Industry Association testified against passing the bill as written, saying it should instead more closely align with the law in Connecticut.

Exemptions in the bill would limit how businesses can use publicly available information (PAI) and require those businesses to delete public records could violate the First Amendment, said SIIA Privacy Counsel Anton van Seventer. He noted PAI is exempted from privacy laws in California and the vast majority of other states that passed omnibus privacy bills.

TechNet recommends Delaware lower the age threshold for minors from 18 to 16, said Executive Director Margaret Durkin, noting no other omnibus state privacy law extends protections to age 18. The bill rightly tries to fill gaps left in federal policy by the Children's Online Privacy Protection Act, said Delaware DOJ Fraud and Consumer Protection Division Director Owen Lefkon. DOJ supports the legislation blocking targeted advertising and the sale of data for teens without consent.

For the data protection assessment requirements included in the bill, legislators should consider industry self-regulation programs or existing accountability mechanisms, said Durkin, urging Delaware to more closely mirror the measure in Connecticut. Key definitions and terms in the bill diverge from existing state regulations, which could be costly for businesses, said CCIA State Policy Director Khara Boender. The Internet Coalition also believes the bill diverges too far from Connecticut's, said Lincoln Willis, who lobbied on the coalition's behalf.

Legislators have worked with telecommunications companies, banks, insurance companies and chambers of commerce to strike the right balance, said House Technology and Telecommunications Committee Chair Krista Griffith (D), the bill's lead sponsor. Her committee advanced the measure in May. The Senate panel heard testimony without taking a vote Tuesday. She noted the “bulk” of the legislation matches what passed in Connecticut. A key difference is that the bill would apply to entities that hold more than 35,000 consumers’ data, or at least 10,000 if they get more than 20% of gross revenue from selling data, a lower threshold than in Connecticut. The bill was adjusted to reflect Delaware’s smaller population, she said.

The Delaware Chamber of Commerce is disappointed the bill exempts one of the largest data collectors: state and local government, said the chamber’s Public Policy and Government Relations Director Tyler Micik.