The Virginia Consumer Data Protection Act was signed into law March 2 by Gov. Ralph Northam, D-Va., and is scheduled to take effect Jan. 1, 2023. The law anticipates there may be amendments prior to implementation — it includes a provision requiring a work group to review its specific provisions “and issues related to implementation” for the Virginia legislature to consider. The work group meetings and the final report it submitted Nov. 1 provide insight into potential amendments prior to the law’s effective date.
Further details about the provisions of the VCDPA and its impact on businesses may be accessed in this article previously published by the IAPP.
Work Group discussion topics
The VCDPA requires (in §59.1-581) the Chairman of the Virginia Joint Commission on Technology and Science to set up a work group to review the provisions of the VCDPA and discuss issues relating to its implementation. Per the statute, members of the Virginia Consumer Data Protection Work Group must include the Secretary of Commerce and Trade, the Secretary of Administration, the attorney general, the Chairman of the Senate Committee on Transportation, representatives of businesses that control or process personal data of at least 100,000 persons and consumer rights advocates. Specific members are listed in the final report.
To achieve its objective, the work group convened meetings and received public comments over five months. Below are highlights of some of the key topics discussed by the work group. Recordings of the meetings are available here.
- Implementation of enforcement provisions by the office of the attorney general (work group meeting of July 12), including:
  - Ability to cure. The VCDPA provides controllers or processors an ability to cure. The discussion noted some violations are not easily curable, e.g., data breaches and sales of data. The enforcement language in the Colorado Privacy Act includes the language “if a cure is deemed possible” and was suggested as a potential guide.
  - Funding for enforcement under 59.1-581. The OAG’s presentation noted the self-funding dynamic of the Consumer Privacy Fund is not really feasible as there are no funds available to allow enforcement at initial stages.
  - Dynamics of damages, penalties, expenses and fees. The VCDPA does not cover actual damages for consumers who suffer loss due to breach of their personal data. The OAG presentation raised the possibility of the OAG pursuing damages on behalf of injured consumers, to the extent they exist.
  - Consumer education campaign. The presentation considered what leadership, outside the OAG, could lead educational initiatives to assist with compliance obligations.
- Implementation of consumer right to delete provision, focusing on operational issues (Aug. 17 meeting). A representative of industry stakeholders noted that while controllers and data processors are able to delete data directly obtained from consumers, it may be operationally difficult to ensure the consumer’s data is not subsequently acquired from third parties. To address this issue and mitigate compliance risk, it was recommended that the right to delete be linked to the consumer’s right to opt out of sale to ensure controllers/processors prevent consumer data previously deleted from being reacquired or re-entering their system. The work group requested that the representative provide draft language for consideration.
- Proposed increased protection for children. The work group considered the need to include an authorization process requiring data controllers to obtain the consent of a child’s parent or lawful guardian before processing the child’s personal data (Aug. 17 meeting). The language in the Colorado Privacy Act was suggested as a model.
- Proposed inclusion of general opt-out provisions. The work group discussed the possible inclusion of a clause in the VCDPA granting consumers the right to a universal opt-out mechanism that is not limited to the right to opt out from targeted advertising, sale of personal data and profiling (Aug. 17 meeting). The language in the Colorado Privacy Act again was suggested as a model.
- Creation of an annual report from the Office of the Attorney General, highlighting shortcomings encountered during enforcements, recommendations for more effective enforcement and provisions on data usage, opt-out frequency, etc. (Aug. 17 meeting).
- Need to update language of public records. There was discussion about the importance of providing clarity to public record processors such as Lexis-Nexis under the VCDPA, specifically the need to provide an exemption given their role as aggregator of publicly available information (Aug. 17 meeting).
- Proposed exclusion of “demographic data” as sensitive data. There were comments regarding the VCDPA definition of “sensitive data” and how the inclusion of demographic data as sensitive data makes it difficult for advertisers to obtain necessary information required by organizations to make informed decisions on the nature of goods and services to be provided to the underserved population. It was proposed that the definition be slightly amended to allow advertisers to obtain demographic data without seeking the consent of data subjects (web recording of Sept. 13 meeting).
- Need for consumer education. The work group discussed the importance of consumer education as a tool to achieving consumer protection under the VCDPA (Sept. 13 meeting). The creation of a one-stop shop for consumers — like a dedicated website — was suggested to be used for the dissemination of accurate information regarding the VCDPA.
Final report
The work group submitted its final report Nov. 1. In addition to the topics identified above, it listed the following as “points of emphasis” from the meetings:
- Consideration of a narrow exemption for §501(c)(4): “nonprofit organizations established to detect or prevent insurance-related crime or fraud.”
- Recruiting nonprofit consumer and privacy organizations to address concerns with the definitions of "sale," "personal data" and "publicly available information" in the VCDPA.
- Directing an agency to promulgate regulations because the VCDPA does not allow the OAG to do so.
- Posting and promoting sample data protection forms on an educational website to provide guidance to smaller businesses seeking to comply with the VCDPA.
According to the final report, the work group's recommendations based on these points of emphasis will be presented during the upcoming legislative session. It will be interesting to see what, if any, legislative action is taken with respect to the law in advance of its Jan. 2023 implementation date.