Identical versions of the bill passed the House and Senate, garnering unanimous support in the state Senate and near-unanimous support in the House. If signed by the governor in the next few months, the law would go into effect Jan. 1, 2023, giving the tech and related industries ample time to make necessary changes to business practices to ensure compliance.
“So a lot of consensus around it, because the need is so pressing,” said Sen. Dave Marsden, a lead sponsor of the legislation.
The Virginia proposal follows closely a similar bill making its way through the Washington Legislature. Meanwhile, the California Consumer Privacy Act (CCPA) was passed and signed into law in 2018. And in November 2020, voters passed the California Privacy Rights Act, a ballot initiative aimed at strengthening the CCPA.
“It’s based to some extent, certainly a little bit of California, a lot from the state of Washington,” said Marsden, reflecting on the evolution of consumer data protection not only in Virginia, but across the nation.
The Virginia proposal would affect businesses collecting or processing personal consumer data for 100,000 customers or more annually. The law would define personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” according to the language in the bill. De-identified data, as well as publicly available data, is excluded. The law would also not apply to government entities and nonprofits, or to data collected by employers, among other carveouts such as medical data, which is already regulated under the Health Insurance Portability and Accountability Act, known as HIPAA.
The bill is “first and foremost a consumer protection bill. It allows you to look at your data, change your data, delete your data and opt out of your data being used for sale to other folks,” Marsden explained. The law would allow consumers in Virginia the ability to opt out of the sale of their data.
The proposed law would place limited data privacy oversight on “pseudonymous data,” which is data that cannot be tied back to an individual without the use of additional information. This could include data related to IP addresses, browser information or cookie IDs held by websites, said Stacey Gray, senior counsel with the Future of Privacy Forum, a nonprofit serving in an expert advisor capacity in areas like data privacy and security.
“Usually these companies don't have the ability to identify specific individuals without linking it up with additional information — like a phone number or email address,” said Gray, via email. “So, it's still considered ‘personal information’ because it relates to a person, and thus is subject to most of the requirements of the bill … but, as long as it isn't linked to additional information, there's an exemption for complying with access, deletion and correction requests.”
Another detail of the Virginia bill is that it does not have a “private right of action,” which gives consumers the ability to take legal action when their data is misused.
“The attorney general is going to be the enforcer of these data breaches. And they will be able to charge penalties and fees,” said Marsden. “And that’s what will fund the Office of the Attorney General who does these things.”
This provision could be a sticking point for consumer groups who would prefer a law that gives more legal options to consumers, said Gray.
“Yes, most consumer groups would like to see individual enforcement rights, in addition to attorney general enforcement, or, at the federal level, Federal Trade Commission enforcement,” said Gray, adding that the existing state actions “are highly variable,” and do not generally have the same consumer redress as the General Data Protection Regulation (GDPR), the European version of consumer data privacy.
Still, without federal leadership in consumer data protection, lawmakers like Marsden believe the Virginia law could become a template for other states as they consider taking similar steps.
“This is an iterative process, where California started it out … Washington improves on a lot of it. And I think we’ve improved on the Washington bill. We’ve made it simpler, and shorter and easier language and definitions and that sort of thing. So we think this might be one that people use,” he said.
Other states have introduced similar bills. Last year, the Minnesota Legislature took up the Minnesota Consumer Data Privacy Act. Similar legislation was introduced in Michigan, Connecticut and New York. While most proposals would have consumers opt out of having their personal data sold, a proposed law in Oklahoma includes an “opt-in” feature, according to a blog about the Virginia bill and the current landscape of consumer data protection action, by the Future of Privacy Forum.
To smooth the rollout of the proposed Virginia data privacy law, the legislation will include the formation of a “stakeholders group,” to be organized by the governor’s office.
“People will have an opportunity to come before a stakeholders group … and different groups will have an opportunity to say, ‘Hey, here’s our problem with it. Can you fix this?’” said Marsden.