The Roanoke Times
RICHMOND — Your online activities, your purchases, your travel and your political views all have been a commodity for many years now. That data is bought, sold, shared and used in ways you probably aren’t even aware of, and you can’t do much about it.
Virginia lawmakers are trying to give consumers more power over their data — sort of.
The General Assembly is close to giving final approval on the Consumer Data Protection Act, which would give Virginians certain rights over the data that large companies and data brokers collect. The rights have limits, and it’s unlikely to lead to widespread instances of Virginians significantly altering how their personal data is used, but lawmakers said this is an important first step in making changes to the data collection industry that has gone unregulated.
“This is a consumer protection bill focused on giving consumers control over their data,” said Sen. David Marsden, D-Fairfax.
The measure from Marsden and Del. Cliff Hayes, D-Chesapeake, gives consumers a right to access data about them; an ability to correct it or have it deleted; and a right to opt out of the sale and processing of their data.
“Because of the time we’re in, any and everybody needs to be conscious of the fact of the data in which you hold, process and control doesn’t belong to you,” Hayes said. “That personal identifiable information belongs to the people.”
After weeks of preparing for the proposal’s rollout before the General Assembly, it has moved seamlessly through the legislative process. It’s modeled somewhat off a landmark law that went into effect a year ago in California. And for all the frequent complaints from Republicans that Virginia is adopting California-style policies, this is one most of them are backing along with Democrats.
In the absence of a general federal privacy law, other states are following in California’s footsteps to enact similar laws. If Gov. Ralph Northam were to sign the bill into law, Virginia would become only the second state to have a general data privacy framework. The law wouldn’t go into effect until 2023.
The law would apply to businesses that control or process data for at least 100,000 people, or to commercial entities that generate at least 50% of their revenue from the sale and processing of consumer data of at least 25,000 customers. Small and midsize businesses effectively would be exempted.
The bill also has various other exemptions for industries that already have to adhere to rigorous federal data and privacy protection laws, such as the banking and health care sectors.
The technology industry told lawmakers that the legislation was important in restoring the public’s trust in technology at a time when it has been declining, as well as providing standard guidance to companies.
“It’s a thoughtful approach to what’s become an urgent need to modernize the United States’ privacy law,” said Ryan Harkins, senior director of public policy for Microsoft. “We’ve seen dramatic changes in technology in the last couple decades, and U.S. law has failed to keep pace.”
There’s no default mechanism for people to take advantage of the law in a widespread way. In order for Virginians to protect their personal information or even to know what data businesses are gathering about them and selling, they have to take action on their own.
A study from Consumer Reports found that people in California ran into hurdles with its data privacy law. Businesses set up links on their websites for consumers to opt out of the sale of information, but consumers reported they sometimes had a hard time finding those links, the process was too burdensome, or people didn’t know whether the company accepted their request.
Consumer Reports and other consumer advocacy groups wrote a letter to Marsden about the Virginia legislation to say the deck is “stacked against consumers” with this opt-out model.
“Consumers have to contact hundreds, if not thousands, of different companies in order to fully protect their privacy,” the letter read.
Virginia’s attorney general’s office would handle enforcement, and fines and fees for violations that aren’t corrected would go into a fund to support the office’s work on this issue.
Consumers don’t have a right of action, meaning they can’t sue the companies. This was one of the biggest complaints from some consumer advocates and trial lawyer groups, who said a right of action would help put teeth into the law.
“The one person this bill is designed to protect is the one person who has no cause of action and has no damages,” said Mark Dix, a lobbyist for the Virginia Trial Lawyers Association.
California offers a private right of action. Marsden said that a right of action is what prevented a similar bill from passing in Washington state.
“This bill insulates big technology, which is why we’re hearing their support for this bill,” Dix said.
If Northam signs the legislation, a group will convene to continue discussions about the law before it goes into effect.
“We’ve got to start protecting our people’s data,” Marsden said.