Identity Review | Global Tech Think Tank
Keep up with the digital identity landscape.
Virginia follows in California’s footsteps as Governor Ralph Northam signs the Consumer Data Protection Act (VCDPA) into law on March 2. It is only the second state to establish its own data protection laws.
Like its predecessors, namely California’s CPRA and the EU’s GDPR, the bill gives users more control and clarity into the data that companies collect and use. Some of the key provisions include allowing users to opt out of having their data collected and sold and being able to see what data is stored and delete it. The legislation comes at a time when many people believe consumer privacy is an ethical issue, as well as a crucial cybersecurity one.
“This omnibus bill is clear, concise and holds companies accountable for protecting consumer data in providing protections for consumers,” said State Sen. David Marsden (D-Fairfax), a patron of the bill. Despite critics claiming that Virginia is becoming a California copycat in terms of policy, he has spearheaded the campaign for this specific privacy bill, which is largely seen as less restrictive than its California counterpart’s, for several months now. “Virginia is in a unique position to be a leader on this issue. There’s a huge amount of the data on the internet that flows through the commonwealth. Privacy is not a new issue,” he remarked when introducing the bill to the Virginia Senate.
Corporate executives have also commented on Virginia’s stance on consumer data: “Virginia’s new Consumer Data Protection Act validates data privacy is becoming a top priority as consumers demand more control over their personal data. States are likely to follow Virginia and California in initiating legislation to expand consumers’ rights to prevent companies from being able to collect and share personal data without prior consent or knowledge,” said Robert Prigge, CEO of Jumio.
The VCDPA is widely considered to be less restrictive than California’s landmark data protection act, the California Privacy Rights and Enforcement Act (CPRA), a state-wide privacy bill passed in November 2020 that significantly expands on the 2018 CCPA.
Much like the CPRA, the VCDPA gives consumers six main rights: right to access, which allows users to “to confirm whether or not a controller is processing the consumer’s personal data and to access such personal data”; right to correct, where users can correct stored personal data; right to delete, where users can delete personal data that is stored; right to data portability, where users can obtain a transmittable copy of all data collected; right to opt out, where users can choose to not have data processed for ad personalization or sold; and right to appeal, where users can appeal a business’s failure to comply with the provisions of the bill.
However, unlike the CPRA, the VCDPA doesn’t allow individual consumers to file lawsuits against companies (called a private right of action) in the case of data breaches, and the law will be enforced by Virginia’s attorney general instead of a third-party agency. The CPRA also allows users to opt out of the collection of sensitive personal information and requires companies to disclose financial incentive programs, both of which are provisions the Virginia law does not include.
The Virginia law also has a different method of deciding which businesses are subject to the law. The CPRA has a strict monetary threshold as it applies to any California for-profit businesses with a gross annual revenue over $25 million, whereas the VCDPA applies only to businesses who control and process at least 100,000 consumers’ personal data each year or control and process at least 25,000 consumers’ personal data and derive over 50 percent of gross revenue from the sale of personal data. Because of these differences, the Virginia legislation is viewed as being more industry friendly.
The law will take effect on January 1, 2023, giving companies a couple years to comply with the new restrictions. The bill itself is still subject to changes and expansions. However, as privacy advocates seek stronger and more extensive data protection measures, Marsden stated that there will be a specialized group in Governor Northam’s administration actively working on strengthening protections.
For now, legislators are satisfied to lay the groundwork for basic consumer privacy protections, an endeavor that was many years in the making. “We learned that some of the other states were trying to take on so much that in the time frame you have to pass legislation it bogs it down,” said Virginia Del. C.E. “Cliff” Hayes Jr. (D-Chesapeake), the House patron of the bill. Specifically, he hopes that more specific provisions will be added to address crucial issues regarding AI and facial recognition, both of which continue to present some of the most complex ethical dilemmas in the socio-technical sphere.
Along with being an ethics and security issue, experts have also highlighted how consumer privacy is an economical issue that businesses should not take lightly. “With expanded consumer data rights come expanded enterprise responsibilities, and organizations must retain consumer trust to protect both their business and their consumers,” said Prigge.
Other states, including Washington, Utah and New Jersey, are working on their own consumer privacy legislation. With more and more states enacting their own state-level consumer privacy legislation, the federal government may also soon look into creating a cohesive federal privacy law.
ABOUT THE WRITER
Lydia You is a computer scientist from Princeton University based in New York City. She is a Tech Innovation Fellow at Identity Review covering the intersection of global tech policy, internet culture and the future of digital media.
Contact Lydia You at lydia@identityreview.com.
Do you have information to share with Identity Review? Email us at press@identityreview.com.