Democratic governor Ralph Northam is expected to sign off on legislation that would see Virginia become the second state after California to adopt its own consumer data privacy law.
The proposed Consumer Data Protection Act (CDPA) would apply to entities that “control or process” the personal data of 100,000 or more Virginia residents each year, or that derive at least half of their gross revenue from the sale and processing of personal data and control or process the data of at least 25,000 Virginia residents. In practice, this means that companies with a serious online presence would almost certainly be covered, while small businesses would likely not.
The CDPA would give Virginians a range of rights with regard to their personal data, including access, correction and deletion, as well as the right to opt out of having their data used for targeted advertising or sold to a third party.
Other requirements include those relating to data security, processing limitations and data minimisation. For example, it limits data collection to “what is adequate, relevant and reasonably necessary”.
Consumers using the internet alone or in a “household context” are covered, but those using the internet “in a commercial or employment context” aren’t.
The bill does not contain a private right of action; only Virginia’s attorney general can pursue a case.
Brian Hengesbaugh, chair of Baker McKenzie’s global data privacy and security business unit, said: “The ‘opt out’ model and the lack of a private right of action are the correct measures to have included. This is new ground and it will be interesting to see how other states follow suit.”
Other states such as Washington, Oklahoma, New York, North Dakota and Minnesota have data privacy bills of varying form in the works, reflecting the absence of a privacy framework from federal legislators.
The CDPA takes after the California Consumer Privacy Act (CCPA) in its ‘opt out’ model, but differs in that it exempts certain entities, including those already subject to HIPAA, the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act.
Along with five other privacy advocates, the Electronic Frontier Foundation and the Electronic Privacy Information Center penned an open letter to Democratic senator David W. Marsden criticising the proposed law. They argue that, though it is a step in the right direction, it does not learn from the shortcomings of the CCPA.
“Because the CDPA is based on an opt-out model, like the CCPA, the deck is already stacked against consumers. Consumers have to contact hundreds, if not thousands, of different companies in order to fully protect their privacy.”
They also argue that the law should be updated to mirror the November refinement of the CCPA by the California Privacy Rights Act (CPRA), which ensures that the choice to use browsers in private mode constitutes opting out.
Hengesbaugh said: “The arrival of the CPRA really made the CCPA much more comprehensive. I would imagine that an ‘opt-in’ model, in Virginia or California, would result in many websites necessitating an ‘opting in’ from each user as they arrive on the site. Given that the vast majority of users do nothing when they land on a site, an opt-in legislative model would likely lead to a forced consent approach in practice (e.g. click “agree” to proceed). As such, an opt-out legislative model is more likely to give users who are concerned with privacy meaningful choice.”
A recent Consumer Reports study revealed that, for 42.5 percent of sites tested, at least one of three volunteers was unable to find the opt-out link. In 14 percent of cases, ‘burdensome or broken’ opt-out processes prevented consumers from exercising their rights.
The bill passed unanimously in the state Senate and 89-9 in the state House. Legislators have until 1 March, when the General Assembly adjourns, to make amendments, though these are expected to be minor. If passed, the new law will come into effect on 1 January 2023.
The attorney general’s office would allow a 30-day period after notifying the offender of a violation for a cure to be made. An uncured violation would result in the filing of an action seeking $7,500 per violation.