When Virginia’s General Assembly first took up legislation billed as a major step toward giving regular people more control over their data in an increasingly online world, some of the first testimony lawmakers heard came from tech giants like Microsoft and Amazon.
Both companies said they were in full support of Virginia’s effort to become just the second state in America to pass its own data privacy bill, an early marker in a debate still unfolding in other states and at the national level.
Supporters of Virginia’s Consumer Data Protection Act, approved by the General Assembly this year and already signed by Gov. Ralph Northam, say the fact that Virginia was able to pass such significant legislation without a major fight is a testament to the quality of the bill, which lays out new consumer protections while largely shielding companies from a flood of data-related lawsuits.
Noting that an estimated 70% of internet traffic flows through servers in Virginia, Sen. Dave Marsden, D-37th, of Fairfax, said Virginia’s legislation could be “a good starting place for a national privacy bill.”
“We really need to take a leadership role here,” Marsden, one of the bill’s main sponsors, said in an interview. “We are a technology state.”
During testimony on the bill, a Microsoft representative said it could help “earn the public’s trust in technology,” while an Amazon rep said addressing privacy concerns is critical to “meet our customers’ high expectations.”
The Future of Privacy Forum, a data privacy think tank supported by corporate benefactors such as Google, Amazon, Facebook and Twitter as well as the Bill and Melinda Gates Foundation and the Robert Wood Johnson Foundation, hailed the passage of the Virginia bill as a “significant milestone” on a national issue.
“In the absence of a comprehensive federal privacy law, we are encouraged to see Virginia lawmakers and other states continue to establish and improve legal protections for personal information,” Future of Privacy Forum CEO CEO Jules Polonetsky said in a news release after Northam approved the legislation earlier this month.
Though the bill passed with broad, bipartisan support, some critics say the momentum was the result of an industry-friendly proposal that avoided hot-button issues that have derailed similar efforts elsewhere, most notably the question of whether ordinary Virginians should have the right to sue companies profiting from the sale and use of their data.
Near the end of the 2021 legislative session last month, Sen. Scott Surovell, D-36th, who represents parts of Fairfax, Prince William an Stafford counties, warned colleagues they might face questions over their votes in a few years when the law is in place and “the worms start to crawl out.”
“It is property relating to you. And if anybody should have a right to do something about it, it’s the person who is generating the information,” Surovell said. “The only person who can fight for your rights under this is the attorney general. And I just believe that’s fundamentally wrong.”
The Virginia Trial Lawyers Association and some consumer-rights advocates agreed.
“As is typical, Virginia has taken a business-first perspective that codifies business-designed obstacles to consumers having meaningful control of their personal information,” Irene Leech, president of the Virginia Citizens Consumer Council said in a news release that called for the bill to be vetoed.
California is the only other state to pass comprehensive data privacy legislation. Its law grants consumers a limited right to sue companies who misuse data.
Policymakers are paying close attention to privacy bills emerging across the country, with the expectation that compliance concerns and the desire to avoid a patchwork of state laws will eventually encourage states to find a uniform regulatory model.
The Virginia law won’t take effect until the beginning of 2023, and the bill includes the establishment of a work group that will continue studying the issue and potentially recommend future changes.
As approved, here’s what the law covers:
What kind of data are we talking about?
The law defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” covering a broad swathe of consumer activity that might give companies a valuable profile of someone’s purchasing habits, interests, location and financial status.
The legislation has exemptions for certain types of data already regulated by other areas of the law, including data dealing with health care, creditworthiness, driver’s licenses and education.
It also creates a category of “sensitive” information, such as data dealing with race, ethnicity, religion, health conditions and citizenship status, genetics or biometrics, “precise geolocation data,” and data collected from children. Companies wouldn’t be allowed to process sensitive data without first getting the consumer’s consent.
The law creates separate rules for aggregate or de-identified data that’s not inherently linked to a specific person.
The new rules would only apply to companies that keep data on more than 100,000 consumers in a given calendar year, or data brokers — companies that either take publicly available information and sell it or buy data from one company to sell to another — that get more than half their gross revenue from the sale of personal data. Nonprofits would not be subject to the law.
What rights does the law give consumers?
Under the new rules, Virginia consumers would have the right to access certain data a company has on them and request that data be corrected or deleted. If a consumer asks a company for a copy of their data, it would have to be provided in a portable format that would presumably allow the consumer to take it to another business or a competing social media platform.
Consumers will also have the right to opt out of having their data used for targeted advertising, sold to other companies or compiled into a personal profile used to analyze or predict behavior.
Companies whose business models rely on such data would have to create “data protection assessments” for targeted advertising, profiling and other sensitive uses of data. Those assessments would have to weigh the benefits of a certain data practice against potential risks to consumers.
Those assessments would not be available to the general public, because the law states they are exempt from the Virginia Freedom of Information Act. However, the records would be available to the state in an enforcement action.
Parents and legal guardians would be able to invoke data protections on behalf of children under 13, but teenagers would have to act independently to assert control over their data.
How will those rights be protected?
Enforcement of the law will be handled exclusively by the Attorney General’s Office, a setup that prohibits individual consumers from suing companies if they feel their data privacy rights have been violated.
While the attorney general could take companies to court, potentially securing civil penalties of $7,500 per data violation that would go into a new Consumer Privacy Fund, businesses would have a chance to get out of legal trouble by correcting whatever they had done wrong. The law requires the attorney general to give a company a written notice detailing its potential violations at least 30 days before bringing any action in court.
In that time, a company whose practices are in question could halt any court action by giving the attorney general’s office a written statement promising any violations have been addressed and agreeing to stop breaking the law. The attorney general’s office could only proceed with enforcement if the company is still failing to comply.
Several tech companies applauded the passage of the Virginia law and said they hope to see similar steps in other states.
Sen. Mark Warner, D-Va., who has prioritized data privacy issues at the federal level, called Virginia’s law an “important first step” but said he’d like to see stronger protections “making it easier for Virginia citizens to invoke their privacy rights.”
Warner specifically highlighted the need to rein in so-called dark patterns, manipulative online tactics used to obtain more customer data, and the possibility of new internet standards empowering customers to control their data through web browser settings.
Marsden defended the initial structure of the bill, saying the debate over including a private right to sue was a “killswitch” for similar efforts in other states. Running enforcement through the attorney general’s office, he said, will prevent courts from being inundated with data privacy lawsuits.
“We’re just trying to sort through it and I think we came up with a really good bill,” he said.