And just like that, Virginia is on track to be the next U.S. state with comprehensive privacy legislation. For all the close calls other state legislatures have had on privacy bills in recent years, it took the Virginia General Assembly three weeks to introduce and debate the Consumer Data Protection Act to the edge of passage.
Senate Bill 1392 unanimously passed its first and second readings in the Virginia Senate with 39-0 votes on Feb. 3 and 4. Those votes follow an 89-9 vote on Jan. 29 from the House of Delegates to approve SB1392's companion bill, House Bill 2307. According to DLA Piper Partner Jim Halpert, the final Senate approval of SB1392 could come following a third reading Feb. 5, at which point the bill would head for a reconciliation between the Senate and House before enactment. If the law is indeed enacted, the bill could be signed into law by the governor at the end of February.
"Virginia is a different kind of state where it has a very short legislative session and, in this case, a senior member really wanted to get something done on privacy and was very focused on it," Halpert said. "Since the legislature changed control, the Democrats have had a big agenda with hopes of accomplishing something in this area."
Halpert and Future of Privacy Forum Senior Counsel Stacey Gray, CIPP/US, both indicated that lawmakers conducted significant preparation ahead of the legislative session, which may have helped the bill move swiftly through both chambers. Discussion drafts began circulating in the fall of 2020, and the FPF was invited to participate in a pre-session meeting of the Joint Commission on Technology and Science, which first introduced the privacy bill.
"In the two hearings I was at, I didn't see much opposition or really any from most advocates," Gray said. "There was a little bit of push on a private right of action, but otherwise the substance of the bill was good. I think that goes a long way. Maybe it's not perfect, but everyone seems to agree it's a good thing."
Consumer Reports Director of Consumer Privacy and Technology Policy Justin Brookman said his group and fellow advocacy groups "fully appreciate that the bill is certainly an improvement from the status quo," but they are urging lawmakers to "take a moment to pause and consider improvements" prior to passing the bill.
In its current form, the bill applies to businesses that control or process data for at least 100,000 Virginians or those that make 50% of their gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.
Halpert called it a "somewhat simplified version of the Washington Privacy Act," noting the inclusion of required privacy impact assessments, the right to deletion and a "slightly broader" opt-out provision that goes beyond just the sale of personal information. Notably, the bill does not include a private right of action.
"There will always be arguments over whether bills should be broader and whether there should be a private right of action or additional rights, but I think this is a pretty good model for blue states that want to legislate on privacy," Halpert said. "It offers some lessons about how to get things done in an era of a lot of division and arguments over items that may not be really important but still very contentious."
The lack of a private right of action is chief among the points of contention from advocates, but CDPA's opt-out provisions could also use more refining, according to Brookman.
"Advocates would prefer something much stronger than an opt-out bill, but even for an opt-out-based bill, this has a lot of weaknesses," Brookman said. "Our studies on opting out in California show it's tedious and difficult. This bill mirrors language from Nevada saying companies can make you verify your identity before opting out, making opt-out rights even more impractical to use in practice."
Brookman is also skeptical of the bill's inclusion of a right to cure and believes the substantive protections are "unfortunately weaker" than those of the California Consumer Privacy Act.
"I do think that those problems could be fixed with a handful of straightforward amendments," Brookman said. "It still wouldn't be the gold standard in a privacy law, but they would make the law a lot more effective."
As far as compliance for those organizations that fall under Virginia's proposed law, Gray doesn't see any immediate issues so long as they have been following along with the privacy legislation in California.
"Businesses that have been building compliance for the California Consumer Privacy Act and California Privacy Rights Act are at least on a good track for complying with access, deletion and portability because those three things are quite similar," Gray said. "Along the same lines, if they've been building an opt-out for sale then they're on the right track, but the Virginia bill does go further. It says that it's not just sale (that requires an opt-out), but it's also targeted advertising and forms of profiling."
Additionally, Halpert said businesses can draw on some versions of processes used for EU General Data Protection Regulation compliance, but Virginia's provisions are "a little more streamlined and less complicated" compared to the GDPR. To that end, what companies may be challenged to grasp are the bill's provisions on consent related to sensitive data.
"Companies should look very carefully at how this bill defines affirmative consent," Gray said. "It's compared to a GDPR standard and a very very high one. If that was enforced by an attorney general that really wanted to go after violations, it could become a high standard here."
The attorney general has exclusive rights to bring enforcement against companies, which was contested during the Senate General Laws and Technology Committee hearing Jan. 27. The opposition claimed the attorney general would not have the resources to enforce the law, but the bill may prove otherwise with the inclusion of a Consumer Privacy Fund.
"The goal here is to ensure the attorney general can bring real enforcement actions," Halpert said. "I think there was a discussion with the attorney general's office about what they would need. The idea of this fund is that the attorney general can give the money out to consumers, but in the first instance, the office will fund their work on enforcement. I think we could well see that in a number of other state laws. It's somewhat controversial, but it's a compromise solution."
Editor's Note: An original version of this article incorrectly stated SB1392's status in the Virginia Senate. The bill remains under consideration.