Virginia made waves last month after it officially passed the Consumer Data Protection Act on March 2, effectively becoming the second state after California to pass a robust data privacy law.
The law, partially based on the proposed Washington Privacy Act that is working its way through that state’s legislature, differs from the laws passed in California in a few crucial ways. The most notable provision in the Virginia law is the lack of a private right of action, meaning average people cannot sue companies for making money off of their data.
But Virginia’s law does allow consumers to access, delete and stop the sale of their personal information, and companies will need consumer permission before collecting, using or disclosing particularly sensitive information, such as information relating to racial or ethnic origin, genetic data and geolocation data. Enterprises also now have a duty to protect user data from hacks.
“This is a historic moment for privacy rights,” said Maureen Mahoney, senior policy analyst for Consumer Reports.
“Virginia is now just the second state to pass a comprehensive privacy bill. While we’re pleased that Virginians will have new privacy rights, legislators should continue working in the next session to strengthen it. This bill has some important privacy provisions, but consumers need more practical options for controlling their data.”
The Virginia law takes effect on Jan. 1, 2023 and applies to any companies that do business in the state, provide services to residents of the state or control or process the personal data of at least 100,000 Virginia residents. It also applies to companies that control or process the personal data of at least 25,000 residents of Virginia and bring in more than 50% of gross revenue from the sale of personal data.
In an email interview, Mahoney said consumers need tools to make the opt out more workable.
“The CCPA requires companies to honor browser privacy signals as a universal opt-out of sale. And the CCPA has an authorized agent provision that allows consumers to designate third parties to submit access, deletion and opt-out requests on their behalf,” Mahoney said. “Both of these tools are key to ensuring that consumers aren’t forced to submit requests at hundreds, if not thousands, of different companies in order to fully protect their privacy, and we urge Virginia legislators to adopt these provisions.”
Private right of action is one of the main issues that has held back data privacy laws in dozens of states, according to Dan Clarke, president at privacy company IntraEdge. Clarke’s company has worked with Intel to create a platform called Truyo that helps large companies automate compliance with existing privacy laws like the CCPA and GDPR.
Clarke has also been brought in by multiple states to consult on data privacy laws and has testified before Congress on the need for a federal data privacy law. He explained that while the CCPA and its follow-up, the CPRA, were the first, the law that is being copied the most is actually the Washington Privacy Act, even though it hasn’t even passed yet.
“People have a right to know what data a company has on you and how they use it. That’s the fundamentals of any of these omnibus privacy laws. The one that I see that seems to be gaining popularity with other states is the Washington Privacy Act, which was written from the ground up,” Clarke said. “It’s a bit of a hybrid of the California law and the GDPR. It uses most of the definitions and the enforcement framework of the California law, but uses most of the operating rules from the GDPR.”
The CCPA, he said, is a great law because it brought some amount of privacy rights to citizens, but it was written hastily and has had to be updated through other measures like the CPRA.
Conversely, the Washington law, which passed 48-1 in the state Senate in March and is now making its way through the State House, is much more cleanly written and easier to follow, according to Clarke. The Washington law offers citizens the right to see, change or outright delete any of the personal information or data collected by a company. It also forces companies to release privacy notices.
“The Washington Privacy Act, although it hasn’t actually passed yet, is actually more likely to be replicated by other states. In fact the Virginia Privacy Law is effectively the Washington Privacy law, yet it passed before it ironically,” Clarke said.
Multiple states, including New York, Texas, Minnesota and Oklahoma, are mulling laws that closely resemble Washington’s, and Clarke said he has even been involved in the Texas draft legislation. Clarke noted that Washington’s law has struggled to get passed over the last two years because opponents on both sides of the political aisle thought either that it didn’t go far enough or that it went too far.
Clarke explained that he believes Washington, New York and Texas are likely to follow Virginia this year in getting some form of a privacy law passed, forcing many other states to consider moves. Utah and North Dakota are among 23 other states that are at some stage in the process of passing a law.
“North Dakota’s HB 1330 is attracting a lot of attention—it would provide a stronger privacy framework than the CCPA by requiring permission before selling consumers’ data, and it allows consumers to hold companies accountable for violating their rights,” Mahoney said.
When asked about the chance for federal privacy legislation akin to the GDPR, Clarke said his experience on Capitol Hill made him question whether Democrats and Republicans could ever find common ground on crucial issues like private right of action and enforcement mechanisms.
“My experience was that Democrats and Republicans were very far apart in what they wanted. It wasn’t ‘do you want a privacy law?’ It was one step underneath that. Is there a private right of action and who enforces it? Is it the FTC? Is it a new agency? Is it pre-emptive?” Clarke said. Some Republicans, he added, did not want a private right of action, while many Democrats wanted stronger enforcement mechanisms.
“I don’t have a lot of hope that we’re going to get a federal privacy law,” Clarke stated, adding that there is some hope that President Joe Biden will seek to get some kind of privacy regulation across the goal line in his four years. Most likely, there will be a patchwork of laws in different states that companies and consumers will have to contend with.
The hope, Clarke explained, is that the patchwork of laws will frustrate companies and force the federal government to step in and standardize things. “When I testified in Texas with the committee, one of the first things I said was to start with something. Even if it’s not the strongest law in the land, you have nothing right now. Start with some amount of enforcement and you can always strengthen it later,” Clarke said.
Regardless of what happens at the state level, Clarke said medium- to large-sized companies need to prepare themselves for a future where they will have to comply with consumer requests for their data, which sounds a lot easier than it is.
The good news is that compliance with the CPRA, which will be required in a year and a half, will put most enterprises in good shape to handle any of the other privacy laws that get passed in other states. Most companies can simply hire a lawyer and write verbiage that can be posted on the organization’s website.
“There are some significant operational challenges to comply with privacy laws. You have to know where all your data is and what you use it for. That may sound simple, but for most businesses, they’ve been collecting data for years and years, often haphazardly. Often different departments collect different types with different purposes,” Clarke said.
“You actually have to go look and ask ‘What data do I have on everybody? What systems are they in? And how am I using them? And why am I using them?’ That’s really the first necessary step. The second thing is that consumers will have the right to see their data. You have a right to delete your data or request to have it deleted. You have a right to correct your data in the case of Washington Privacy Act and in Virginia. This forms an ongoing operational obligation for the company and those are often much more challenging.”
Clarke noted that Consumer Reports recently released a report highlighting the concept of third parties, or agents, that people can hire to perform these kinds of data requests. It can be cumbersome for an average person to contact hundreds of businesses to have their data deleted, so under the CCPA and CPRA, consumers can hire a third party to do it for them.
However, Consumer Reports found that when they tried to actually exercise these rights with 21 different companies like Airbnb, Amazon, AT&T, Comcast, Equifax, Intuit, Oracle and Starbucks, very few had processes in place to handle the requests.
Other data privacy experts said that while the Virginia law is a step in the right direction, it does not go far enough. Electronic Frontier Foundation legislative activist Hayley Tsukayama said the Virginia law “doesn’t put its money where its mouth is when it comes to enforcing the few rights it advances.”
“It’s also, I’d say, far more business-friendly than consumer-friendly. The CCPA set a benchmark for broad consumer privacy bills. It’s a little hard to judge its effectiveness yet—regulatory waves move slowly—but, overall has a structure that we like better than the style we’ve seen come out of Washington, which imitates the GDPR language, but does not offer anything like its protections in any of the iterations I’ve seen,” Tsukayama said, urging more states to fight harder for a private right of action.
“Top of the list would be meaningful enforcement, ideally in the form of a broad private right of action—the right for anyone to sue for privacy violations. In California, there is a limited private right of action for cases of data breach, which was expanded slightly under Prop 24. We’d like to see a private right of action for every violation of privacy laws. We also feel very strongly about nondiscrimination language, which makes clear that people who exercise their privacy rights won’t be subject to higher prices or worse service for trying to protect themselves.”
Tsukayama did laud North Dakota’s bill for having an opt-in framework, which would force companies to ask before they collect, use or sell your data.
Josh Odom, CTO at Pathwire, said consent was one of the biggest changes to the industry that came with the passage of the GDPR. “As email marketers, we need to shift our understanding of consent from permanent to dynamic. This means that consent under GDPR is specific to the activity. We must ask ourselves: do I have permission to send marketing messages to them? Are they expecting my emails? Even a scammer would need my explicit consent to continue sending me spam,” Odom said.
“While this might frustrate email marketers, customers must also have the option to withdraw consent if they decide they don’t want to hear from you anymore. But why would you want to talk to someone who isn’t interested in what you have to say anyway? The CDPA echoes the importance of consent. Email marketers must be explicit about any information collected or processed from residents of the state of Virginia—and work with their sales teams to ensure that contact receives the same quality service at the same price as all prospects, regardless of their privacy decisions.”
Michael Magrath, director of global regulations and standards at OneSpan, echoed those remarks, noting that the pandemic has forced many enterprises to think about the data they collect.
“As we continue to live through the COVID-19 pandemic, data privacy and data protection are even more important and that should be the main driver in these legislations,” Magrath said. “We’re going to see lawmakers take strides toward a nationwide legislation that is designed to protect consumer data privacy and security, thanks to the initial steps taken by the state of California introducing CCPA.”