State legislatures across the U.S. are making privacy a priority out of the gate in 2021. The number of states with proposed privacy legislation up for consideration continues to grow, including bills in Washington and Virginia that are already seeing movement.
While the track of the Washington Privacy Act has accrued quite the following, Senate Bill 1392 for Virginia's Consumer Data Protection Act has begun gaining traction. On Jan. 27, 2021, the Virginia Senate Committee on General Laws and Technology voted 13–0 with one abstention in favor of moving the bill forward to the Senate Finance Committee for further consideration and debate.
"Mr. Chairman, it is time," State Sen. David Marsden, D-Va., said during the meeting. Marsden introduced the bill to the Senate Jan. 13. "It is time that we find a meaningful way of protecting the citizens of the Commonwealth of Virginia's data. … Virginia is in a unique position to be a leader on this issue. There's a huge amount of the data on the internet that flows through the commonwealth. Privacy is not a new issue."
The bill applies to businesses that control or process data for at least 100,000 Virginians or those who make 50% of their gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers. It also outlines data rights for consumers, including the rights to access, correct and delete data, along with the ability to opt out of processing. Enforcement of the provisions and standards of the law, which would take effect Jan. 1, 2023, falls solely on the attorney general's office, which would be supported by a Consumer Privacy Fund.
"This bill contains all the key elements to protect consumers and is cleaner, simpler and easier to understand than what was passed in California," Marsden said. "The bill sets a baseline to give consumers control over their personal data, provide companies clear expectations and leverage best practices without creating excessive or unreasonable compliance burdens."
Questions from committee members focused on the bill's provisions for data portability and how the bill's 100,000-person control or processing threshold for applicability was determined. The committee otherwise showed a receptiveness to the proposal, as did representatives from Microsoft and Amazon, who were on hand to provide supporting testimony.
"We support legislation that requires transparency about data privacy, prohibits the sale of data without consent, and ensures the right to request access to and deletion of their personal information," Amazon Associate General Counsel of Privacy Bill Way said. "SB 1392 achieves these goals, providing protections for Virginia consumers and certainty to the business community on how to build effective data protection programs."
Consumer Reports Policy Analyst Maureen Mahoney said her organization had no particular stance on the bill, noting it was happy to see the legislation, but urged a more consumer-friendly approach and the elimination of the right to cure provision in enforcement.
Commonwealth Law Group Partner Mark Dix was a bit more pointed with his criticism of the bill. Speaking on behalf of the Virginia Trial Lawyers Association, Dix commended lawmakers for introducing privacy legislation but quickly pivoted to how "it's not the right approach" for addressing the issues.
"This bill provides no cause of action whatsoever to the consumer and provides no remedy to the consumer whose data has been violated," Dix said. "Relying on the attorney general is not enough. What if we get an attorney general for whom this is not an important issue? Private attorneys are more than able to prosecute these claims and advocate for consumers."
On the point of enforcement by the attorney general, Consumer Litigation Associates Founding Partner Leonard Bennett said the attorney general is likely to view the enforcement scheme as "unworkable" in its current form.
"You could model the Virginia Value Act enacted last year," Bennett said. "A consumer makes a complaint, takes it to the attorney general — who I have reason to believe would confirm this model is in place and they can do it — and then say if (the claim) is founded or unfounded. Then, and only then, if it's founded and the attorney general can't prosecute it can the consumer take their action and go to court. That would solve a lot to make this viable and enforceable."
Even prior to the opposing views, Marsden acknowledged a plan to establish a stakeholder group through the life of the bill to address any amendments worth considering during the legislative process.
"We have got to get moving," Marsden said. "The beauty here is this doesn't take effect until 2023, and the administration is going to work with us to keep a group going that would allow some of the folks not in favor of the bill to work in more detail on it. It's the best of all worlds.
"We've got to start protecting our people's data. Virginia is the place to do it. … We're not Wisconsin. They're responsible for cheese. We're responsible for the internet. Let's get it right."
The IAPP Westin Research Center compiled this updating tracker of proposed and enacted comprehensive privacy bills from across the country to aid our members’ efforts to stay abreast of the changing state-privacy landscape.