Delaware's House Bill 380 Enhances Privacy Framework for Businesses

Delaware is set to enhance its privacy framework with House Bill 380, a move that could affect a wide array of businesses by tightening specific exemptions. This amendment to the Delaware Personal Data Privacy Act (DPDPA) proposes stricter definitions for sensitive data and increased regulations on artificial intelligence (AI) usage in employment contexts. If enacted, the changes will be effective from January 1, 2027.

Currently, HB 380 has progressed through the Delaware House and is pending Senate approval. Given the backing from legislators and the Delaware Department of Justice, the bill is expected to advance. Governor Matt Meyer is anticipated to sign the measure upon Senate passage.

A key component of the proposed legislation is the reduction of thresholds for business applicability. Businesses dealing with Delaware residents, through operations or data activities, could become subject to privacy law mandates if specific conditions are fulfilled. Notably, any third party acquiring personal data from a controller would be governed by the DPDPA, irrespective of size, eliminating numerical thresholds.

Another significant change targets the Gramm-Leach-Bliley Act (GLBA) exemption. HB 380 seeks to refine the exemption, requiring fintech companies and non-bank lenders to reevaluate their compliance under the new provisions.

For healthcare organizations, HB 380 clarifies certain exclusions for healthcare data, which will require careful examination of data sets to ensure compliance alongside existing HIPAA protections. The handling of employment-related data will also change: processes such as AI-driven job screenings will need to meet regulatory requirements where they impact employment decisions.

Vendors face increased obligations, particularly concerning AI and automated decision-making systems. The redefined terms in the bill would impose direct compliance duties on service providers processing data indirectly, increasing contractual obligations.

The threshold for obligatory Data Protection Assessments will decline from 100,000 to 50,000 consumers, with a specific requirement for profiling assessments in the context of significant automated decisions. This includes delineating purposes, risks, and mitigative strategies for AI applications. Businesses that handle sensitive data must adhere to new disclosure conditions, confirming consumer consent. Additionally, employers utilizing AI must ensure these systems undergo bias testing, which is crucial for defending AI-based employment decisions.