Last month, Virginia became just the second state in the US to pass a bill that is specifically designed to protect consumer data. Virginia’s Consumer Data Protection Act follows California’s CCPA, but also has significant differences. That’s because the law has been drafted with a good deal of input from tech firms, an aspect which – critics say – undermines the purpose of the act.
In this article, we’ll take a look at the new bill, whether the criticisms made of it are justified, and what it means for the ongoing debate about homeland security vs. data privacy.
Perhaps the most notable feature of Virginia’s new bill, especially in comparison to similar bills that are slowly crawling through state and federal legislatures, was how quickly it passed. Gov. Ralph Northam, when signing the bill into law, explicitly noted this point, and said that the fact that Virginia was able to pass such significant legislation without a major fight is a testament to the quality of the bill. Specifically, he said, the fact that the bill protected tech companies from a flood of data-related lawsuits meant that lawmakers were more comfortable giving it their approval.
That is very likely the case. The bill, unlike similar legislation in California and elsewhere, was drafted in consultation with industry bodies. This means that it offers tech companies more protection, and more leeway, than similar proposed legislation elsewhere. It’s no surprise, therefore, that the Future of Privacy Forum, a data privacy think tank supported by corporate benefactors such as Google, Amazon, Facebook and Twitter, hailed the passage of the Virginia bill as a “significant milestone” on what is quickly becoming a national issue.
For their part, Virginia lawmakers stress that they were keen to pass a law that was friendly not just to business interests but to other large employers in the state. An estimated 70 percent of internet traffic flows through servers in Virginia, because the state contains the headquarters of the CIA, and therefore hosts much of the infrastructure that powers the various global spy alliances. That makes incorporating strong data privacy in the law pretty difficult.
The bill takes, as its starting point, similar legislation that has been passed both in Europe (the GDPR) and California (the CCPA). It first defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” and then grants Virginia consumers rights in relation to this data. Specifically, they can request access to their data and require that it be corrected or deleted.
There are, however, a number of caveats.
The law only applies to companies that keep data on more than 100,000 consumers in a given year or those that make a significant proportion of their income from buying and selling data. In addition, certain types of data are excluded, including data dealing with health care, creditworthiness, driver’s licenses and education.
The most striking limitation of the law, however, is that it places the sole responsibility for ensuring compliance with the Virginia Attorney General’s Office. The office can levy fines on companies that break the provisions of the act, but its powers are quite limited. The office must give companies 30 days’ notice that it plans to impose a fine. In that time, the company can halt any court action by giving the attorney general’s office a written statement promising that the violation(s) have been addressed and that no more law-breaking will occur. The attorney general’s office can proceed with enforcement only if the company still fails to comply.
Most problematic of all is the fact that entrusting enforcement to the Attorney General’s Office shields companies from being sued. Consumers who believe their rights have been violated will merely have the right to raise the issue with the attorney general – they will not be able to sue the company directly.
This last aspect of the act – which protects tech firms from court cases – is likely the reason why it has gained such wide support. It might also spell the downfall of the act, however, because even legislators who recently approved the bill are already saying that it doesn’t go far enough.
Specifically, in a world where few actually read privacy policies, some senators are pointing out that the public might be disappointed with the act that has been passed with so much congratulatory back-slapping. Sen. Scott Surovell (D-Fairfax) warned colleagues directly that they might face questions about why they had limited consumer power under the act.
He said, “Data is property relating to you. And if anybody should have a right to do something about it, it’s the person who is generating the information.” He went on: “The only person who can fight for your rights under this is the attorney general. And I just believe that’s fundamentally wrong.”
A Final Word
Policymakers and tech analysts are waiting to see how these debates play out, not least because the Virginia law has been mentioned as a potential template for a national privacy law. The fight – between individual privacy rights and the business priorities of tech companies – is just beginning, and both experts and public sentiment are still a long way from agreement.
In other words, watch this space, because the future of data privacy just might be decided in Virginia in the next couple of years.
Author Bio: Heinrich Long was born in a small town in the Midwest before setting sail for offshore destinations. Although he long chafed at the global loss of digital privacy, after Edward Snowden’s revelations in 2013, Heinrich realized it was long past time to join the fight. Heinrich enjoys traveling the world, while also keeping his location secret and digital tracks covered.