No one should be ashamed to admit they were blindsided by the passage of Virginia's Consumer Data Protection Act. There was no predicting how quickly and seamlessly Virginia's legislative process was going to be given the lack of prior history on passing privacy legislation via state Legislature.
What should come as no surprise, though, is that many of the provisions found in the CDPA are taken from existing privacy legislation. According to several privacy professionals, the CDPA has hints of the California Consumer Privacy Act, California Privacy Rights Act and EU General Data Protection Regulation. The question remains as to whether combining various provisions into this new law will, in fact, make life easier on companies that fall under its scope.
"The easy answer to that is no," Morrison & Foerster Partner Kristen Mathews, CIPP/US, said. "I view them as virtually overlapping circles. This means they do have those common provisions, but then there are others you won't see in the other laws."
The glaring differences with the CDPA from Mathews' perspective start with the definition of "personal data," which only relates to information identifiable to a natural person. Other provisions unique to Virginia's law are the definition of and conditions for "deidentification" and a lack of exceptions on a data subject's right to delete.
Another unique wrinkle Virginia brings is a data protection assessment, which will be new to some companies, while others will be familiar to a degree if they fall under the GDPR's scope.
"They're like the GDPR data protection impact assessments," Mathews said. "Not everybody has to do them. You're only having to do them with certain kinds of processing, but if you do them, they'll be internal, potentially questionnaire-based assessments of what you're doing against any risks that may be posed to consumers."
In a perfect scenario, Frankfurt Kurnit Klein & Selz Privacy and Data Security Group Chair Tanya Forsheit, CIPP/US, CIPT, PLS, would've loved to see Virginia's model be the precedent-setter for potential state laws as opposed to legislation out of California.
"I want to give Virginia credit because, in a fictional world where California never happened, the Virginia law would've been a much better starting point for these state laws," Forsheit said. "It has terminology that privacy lawyers and professionals are already familiar with. There's just a lot of things about the Virginia law that are better crafted in the first instance than the CCPA was crafted. So my initial reaction was actually, 'Gee, I wish the people who wrote this had been involved in California.'"
In particular, Forsheit highlighted how clean the CDPA's controller/processor terminology is, its familiar language around targeted advertising, and a concept of "sale" that may be narrow but "refers to monetary consideration in a way that aligns more with the general understanding of sale." What she's not so fond of are the potential challenges the CDPA's "unique" sensitive data opt-in provision poses, as well as how organizations are now burdened with identifying whether a data subject falls within the jurisdiction of California or Virginia law.
"Most of these companies don't really know where somebody resides," Forsheit said. "Unless they have a much more traditional brick-and-mortar business or some kind of model that depends on mail or home addresses, companies have no idea."
The best example of this struggle, according to Forsheit, is the opt-out versus opt-in models California and Virginia will have, respectively, on different categories of data come 2023. Organizations will be tasked with navigating that type of convergence and diversion between state laws, which could result in confusion or fatigue on the part of a company or its consumers.
There are mixed feelings on the legislation from the consumer-advocate standpoint. Many advocacy groups have noted some form of privacy protections are better than nothing but ultimately feel the CDPA was ill-conceived and pushed through by Big Tech lobbyists without consumer opinions being properly heard. Some consumer groups went as far as urging Gov. Ralph Northam, D-Va., to veto the bill altogether just days before it was signed.
Consumer Reports was not among those seeking a direct veto but argues the legislation undoubtedly needs further consideration.
"The bill should be stronger in order to make it more workable for consumers," Consumer Reports Policy Analyst Maureen Mahoney said. "We certainly urge legislators to consider improvements to the measure before it goes into effect in 2023."
Consumer Reports is especially keen on the concept of privacy protections by default via stronger data minimization provisions that really boil data practices down to what's necessary to provide a service. Mahoney also indicated her group would like to see a reduction in the general data management responsibilities the CDPA places on consumers.
Fortunately, Consumer Reports and other advocates will have a chance to air their grievances through a working group for stakeholders that was established by State Sen. David Marsden, D-Va., the CDPA's sponsor, during the drafting of the law. Per the legislation, this group will have until Nov. 1, 2021, to submit "findings, best practices, and recommendations" for implementing the law.
"We're optimistic about a robust multi-stakeholder process this year and in the next session to help address some of the issues in the measure," Mahoney said. "We appreciate the opportunity because that language and perspective aren't often included in bills. At the same time, it will be important to make sure that it actually is inclusive of consumer groups and their concerns are heard, as well."
Advocacy groups were not the only ones that saw an opportunity to go further. U.S. Sen. Mark Warner, D-Va., a proponent for privacy rights and the drafting of federal privacy legislation, was pleased to see his state seize the chance to craft legislation but believes it serves as a foundation that should be expanded upon.
"This is an important first step in providing vital privacy protections to Virginians," Warner said in a statement. "My hope is that Gov. Northam and the Legislature will improve this law in the near future in important ways, including incorporating my important bipartisan work on dark patterns and enhancing privacy protections around online advertisements, making it easier for Virginia citizens to invoke their privacy rights, such as through a global privacy control."
Future of Privacy Forum CEO Jules Polonetsky, CIPP/US, called the CDPA "a significant milestone," adding, "in the absence of a comprehensive federal privacy law, we are encouraged to see Virginia lawmakers and other states continue to establish and improve legal protections for personal information."
With the passage of the CDPA in the rearview, the focus now shifts to preparations for Jan. 1, 2023, the effective date for the CDPA, as well as the CPRA. There has been no indication whether Virginia lawmakers did this by design or coincidentally, but Forsheit doesn't expect a shared date to shake companies.
"I think a two-year ramp for both states to get there is a good thing. I would've had more issues if it was effective in six months or something," Forsheit said. "It's easier to have a single date despite having multiple laws with different requirements. Any kind of harmonization is helpful and allows companies to look ahead in terms of planning out for resources and budgets."
Photo by Trent Erwin on Unsplash