Virginia now has consumer data protection laws after Governor Ralph Northam signed HB 2307. Out of 139 legislators in the General Assembly, only 15 voted against the Consumer Data Protection Act. According to legal site JDSupra, that makes Virginia the second state (after California) to pass such a law.
Key provisions of the bill allow consumers to opt out of data collection, require entities to post conspicuous notices when collecting data to be sold to third parties, and require them to post privacy notices describing how to opt out. However, the bill also allows those entities to deny the opt-out request under certain circumstances, authorizing the consumer to file a complaint through the attorney general.
HB 2307, introduced by Delegate Cliff Hayes, Jr. (D-Chesapeake), was a companion to Senator David Marsden’s (D-Fairfax) SB 1392, which died in committee. However, both chambers approved Hayes’ bill with major bipartisan support.
“This bill rightly balances robust consumer data protections while providing the essential clarity and consistency for businesses that generally align with existing and emerging international, federal and state laws our member banks are subject to,” Virginia Bankers Association spokesman Matthew Bruning told a House committee in January.
Representatives of Microsoft and Amazon also spoke in favor of the bill in the committee.
“We support HB 2307. We think it’s a thoughtful approach to address what’s become an urgent need to modernize the United States’ privacy law,” Microsoft Senior Director of Public Policy Ryan Harkins said.
Opt-Out or Opt-In
Consumer advocates are warning that the bill is not as effective at protecting consumers as it seems to be, thanks in part to the opt-out provision.
“Every consumer has to – themselves, no one else can do it for them – figure out whatever system each business uses. The business is allowed to require ‘reasonable’ proof that we are who we say we are. They can also charge us more or give us less service if we opt out,” Virginia Citizens Consumer Council President Irene Leech told The Virginia Star.
Leech said, “Most are going to be online systems, so it really leaves rural and older people out, makes it very difficult for people who don’t have good computer skills and/or access to internet. Plus, imagine the confusion when each company does it differently – if a consumer can even find the right place to contact every single company they do business with.”
“I’d call this worse than nothing. It codifies the current process that requires consumers to take all the burden and it is designed by industry for industry, so it gives them all the cards,” she said. “People concerned about their privacy are going to be very frustrated by this law.”
“A strong privacy bill would protect people’s privacy by default by letting them opt-in to data sale and use, rather than having to go to each company to ask them to stop using their information,” the Electronic Frontier Foundation argued in an article about the bill.
Leech is also concerned that the bill lacks a private right-of-action, meaning consumers can’t directly take violating businesses to court, but instead have to file a complaint with the attorney general. That clause was the center of controversy on the Senate floor in February.
Senator Scott Surovell (D-Fairfax) noted that there are serious privacy concerns that need to be addressed.
“Google probably knows where you’re sitting right now. They probably know how many times you’ve been in this building in the last month, the last two months,” he said. “Right now, there are very few, if any restrictions whatsoever on companies that buy and sell this information. If you’re afraid of the government, see the information the private sector has about you. It is truly tremendous.”
But he said, “This bill is a truly massive bill and I’m not sure everybody here really understands what they’re voting on. And from my perspective I think once this thing is sort of baked in for a while and the worms start to crawl out, this is going to be a vote we’re going to be asked about.”
He said, “This bill, Mr. President, from my perspective, is missing all kinds of stuff. Obviously the biggest piece it’s missing is a private right-of-action.”
A few other senators, including Senator David Suetterlein (R-Roanoke) echoed Surovell’s concerns. Suetterlein said, “I am not someone that feels great about the attorney general standing up for consumers.”
Marsden said that leaving out right-of-action was necessary to pass the bill, and noted that the bill calls for a study to see if more legislation is needed in the future. “Right now we have nothing no data protections for anyone,” he said.
“We knew that [right-of-action] would be a deal-killer here,” Marsden said. “This is considered by the folks that are neutral on either side of the issue, they say this is the best bill they’ve seen.”
Leech told The Star that there will be an opportunity to put teeth into the already-passed bill next January. “However, it’s hard to get changes once law passes,” she said.
– – –