Virginia is poised to follow in California’s footsteps any minute now and become the second state in the country to adopt a comprehensive online data protection law for consumers.
The Consumer Data Protection Act, if adopted, would apply to entities of a certain size that do business in Virginia or have users based in Virginia. The bill enjoys broad popular support among state lawmakers: it passed 89-9 in the Virginia House and unanimously (39-0) in the state Senate, and Democratic Gov. Ralph Northam is widely expected to sign it into law without issue in the coming days.
In the absence of a general-purpose federal privacy framework, states all over the nation are very slowly stepping in with their own solutions. The Virginia law is somewhat modeled on California’s landmark Consumer Privacy Act, which was signed into law in 2018 and took effect on January 1, 2020. Legislatures in several other states—including Minnesota, New York, North Dakota, Oklahoma, and Washington—have some kind of data privacy bills currently under consideration.
What would the Virginia law do?
The CDPA applies to entities that “control or process” personal information of 100,000 or more Virginia residents in a calendar year or to entities that make 50 percent or more of their gross revenue from the sale of personal data if they hold information about at least 25,000 residents. Basically, the big data brokers and companies with a major online presence would all be covered, but small businesses would not be. Under the law, these entities that determine “the purpose and means of processing personal data” are called “controllers.”
Covered consumers are also defined very explicitly in the bill, meaning specifically individuals acting on their own or in a “household context.” It does not include actions “in a commercial or employment context.” So if you’re using the Internet at home on your own time, you’re covered; if you’re using the Internet at work for work reasons, you’re not.
Provided that an interaction does involve a private consumer, a covered business, and covered personal information, however, then Virginia residents would gain a handful of explicit new rights for how their data is handled, including:
- The right to confirm if a controller has your data and, if so, to see it
- The right to correct inaccuracies in the data the controller has
- The right to have a controller delete personal data provided by or obtained about you
- The right to opt out of having your data used for targeted advertising; having it sold to a third party; or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.”
The law puts in place guidelines for how controllers should collect, handle, and share personal information. For example, it mandates that data collection must be limited to “what is adequate, relevant, and reasonably necessary” for the purpose at hand. Controllers would also be required to conduct assessments of any activities that involve the use of personal data for targeted advertising, for profiling, or for sale. The assessments also have to “identify and weigh the benefits that may flow, directly and indirectly” to all stakeholders including the consumer and the public, and the Attorney General can request access to those assessments.
The bill contains wide carve-outs specific types of data and covered entities that are already regulated under laws such as HIPAA, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and educational privacy law FERPA.
Notably, the Virginia bill does not include any private right of action whatsoever over violations, meaning you can’t sue if your rights are being violated under the law; only the Virginia attorney general’s office can pursue a case.
Even California isn’t quite California
A coalition of consumer advocates, including the Electronic Frontier Foundation, the Electronic Privacy Information Center, and Consumer Reports say that Virginia’s goals are in the right place, but argue the CDPA doesn’t go far enough to provide meaningful protection.
“We readily acknowledge that there is a lot to like about the bill,” the organizations wrote in a letter (PDF) to the bill’s primary sponsor. “The CDPA would grant important new rights to Virginia citizens that the residents of most states do not currently enjoy.”
“Because the CDPA is based on an opt-out model… the deck is already stacked against consumers,” the coalition notes. “Consumers have to contact hundreds, if not thousands, of different companies in order to fully protect their privacy.”
These opt-out measures haven’t exactly worked as intended in California in the past year, either, the coalition notes, pointing to a Consumer Reports study that found the mandatory “do not sell my information” links required by California law are not only hard to find but sometimes just plain don’t work at all. “At least 14% of the time, burdensome or broken [do not sell] processes prevented consumers from exercising their rights under the CCPA,” the study found, and participants in the study were dissatisfied with the opt-out process more than half of the time.