
The Virginia Consumer Data Protection Act

It’s unlikely that anyone reading this article is unaware of the privacy landscape in the US. The word “landslide” comes to mind [1]. In 2008 a groundswell of data privacy laws began with the Illinois Biometric Information Privacy Act (BIPA) [2], which gave consumers protections for their biometric data. The wave continued to spread across the US, and ten years later the first comprehensive US state data privacy law passed in California in 2018: the much-discussed California Consumer Privacy Act (CCPA) [3]. Nevada and Maine followed with their own, narrower consumer privacy laws in 2019 [4].

On 1 January 2020 the CCPA became effective, and after several rounds of drafts by the California Attorney General the associated regulations were finalized. The CCPA is now being amended and expanded by the stricter California Privacy Rights Act (CPRA), approved by California voters in November 2020. Other states are looking to implement comprehensive data privacy laws; the most recent to pass is the Virginia Consumer Data Protection Act (CDPA) [5]. It is expected to be signed into law by March 1st [6].

A prevailing opinion in the US is that the patchwork quilt of state data privacy laws is quickly becoming expensive and complicated to comply with, and that this may put enough pressure on the US federal government to pass a federal omnibus privacy law [7].

Why, you ask, is it so hard to pass a comprehensive consumer privacy law in the US? Think of it as a three-legged stool: there are three points of view to consider.

First, individuals whose data is being collected must decide how much privacy is worth to them against the modern conveniences that their personal information, fed through technology, buys them. Simply put, having your cake and eating it too is the desired state [8].

Second, the US federal and state governments tasked with protecting residents’ privacy rights are not aligned on how to approach the issue. Globally there are generally eight data privacy rights: (1) the right of access, (2) the right of rectification (correction), (3) the right of deletion, (4) the right of restriction, (5) the right of portability, (6) a right not to be marketed to, (7) a right against automated decision-making, and (8) a private right of action (generally associated with security issues). These rights have evolved over time and largely originate from the privacy guidelines the Organisation for Economic Co-operation and Development (OECD) provides to its members, but that’s another story for another day.

The CCPA gave Californians four of these rights: access, deletion, portability, and an opt-out of sale (with a parental opt-in for the sale of a minor’s data). The CPRA will give California residents seven of them, enforced by the Attorney General and the new California Privacy Protection Agency, with a penalty of up to $7,500 per intentional violation, although the right of restriction is limited to sensitive personal information. Maine grants a right of restriction with a mandatory opt-in, but its law applies only to Internet Service Providers, and Nevada grants only a mandatory opt-out of sale. The rights states choose to grant therefore vary widely and unpredictably. Governments also often have a conflict of interest. The elephant in the room is that the same governments tasked with protecting their residents’ privacy are also tasked with enforcing their own laws, so they draw on the very pools of data that these new privacy laws are designed to limit.

The final point of view is that of the businesses that collect personal information and in return provide modern conveniences. Some of these businesses rely on personal information as currency: they may sell it to generate revenue or use it to improve their products and services. Others charge a fee for their products or services but still require personal information to deliver the standard of technological quality and convenience that US consumers demand today.

All three of these points of view must work together to make up the whole, yet they seem to be at odds. And we haven’t even begun to consider the ethical questions raised as more and more data is collected to improve technology, or the myriad ways the resulting data is being used.

Now that we’ve discussed the landscape, let’s talk about the most recent US state comprehensive privacy law, Virginia’s. The CDPA, if signed into law by the governor of Virginia, will not apply to government entities, non-profits, or entities already governed by sector-specific regulation, and it excludes de-identified personal data and publicly available personal data (which has a very broad definition). The CDPA will apply to companies that (i) conduct business in Virginia or target products and services to Virginia residents, and (ii) either control or process the personal data of at least 100,000 Virginia residents in a calendar year, or control or process the personal data of at least 25,000 Virginia residents and derive more than 50 percent of their gross revenue from the sale of personal data. These businesses are considered “Controllers” of the data when they determine the purpose and means of its processing, and the law will impose many of the obligations that the EU General Data Protection Regulation (GDPR) also places on Controllers.

Virginia residents will have rights of information and access, rectification, deletion, and portability; an opt-out right covering targeted advertising, the sale of their personal data, and profiling; and a right to appeal a Controller’s decision on a rights request. A Controller may not discriminate against a Virginia resident for exercising these rights. There is no right of restriction and no private right of action; enforcement rests with the Virginia Attorney General. There is also an explicit opt-in consent requirement for processing sensitive data: consent must be a clear affirmative act signifying the resident’s freely given, specific, informed, and unambiguous agreement. This is quite a high bar to meet and is comparable with the EU’s GDPR. If signed into law, the CDPA will become effective on the same day as the CPRA, 1 January 2023.

In summary, a pattern is starting to emerge in the US as a wave of state privacy legislation gains momentum. Similar characteristics and high-priority issues are being highlighted as candidates for a federal omnibus law. But in the meantime, businesses and consumers will continue to struggle to navigate and comply with the privacy landscape in the US.

---------------------

[1] Karen Schuler, Federal Data Privacy Regulation Is On the Way - That’s a Good Thing, https://iapp.org/news/a/federal-data-privacy-regulation-is-on-the-way-thats-a-good-thing/

[2] Illinois Biometric Information Privacy Act (740 ILCS 14), https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004

[3] Kurt R. Hunt, CCPA: The 1st Major American Foray Into Comprehensive Data Privacy Regulation, https://www.natlawreview.com/article/ccpa-1st-major-american-foray-comprehensive-data-privacy-regulation

[4] Baker McKenzie, Maine and Nevada’s New Data Privacy Laws and California Consumer Privacy Act Compared, https://www.bakermckenzie.com/en/insight/publications/2019/06/maine-and-nevada-new-data-privacy-laws

[5] Virginia SB 1392, Consumer Data Protection Act (enrolled bill), https://lis.virginia.gov/cgi-bin/legp604.exe?212+ful+SB1392ER

[6] Amy C. Pimental and Wendy Zhang, Virginia Consumer Data Protection Act: A Growing Wave of Comprehensive State Privacy Laws, https://www.natlawreview.com/article/virginia-consumer-data-protection-act-growing-wave-comprehensive-state-privacy-laws

[7] Andrew Martins, With GDPR in Europe and California’s CCPA Regulations on the Books, a New Survey Suggests U.S. Consumers Want a Federal Consumer Data Privacy Law, https://www.businessnewsdaily.com/15467-consumers-want-federal-data-privacy-law.html

[8] Dan Gaul, Striking the Balance Between Convenience and Privacy: Here’s What Consumers Want, https://www.forbes.com/sites/forbestechcouncil/2019/09/11/striking-the-balance-between-convenience-and-privacy-heres-what-consumers-want/