On March 2nd, Virginia Governor Ralph Northam signed a comprehensive data privacy bill into law, making Virginia the second state, after California, to enact formal privacy regulations[1]. While it’s difficult to argue this development is a bad thing, the fact that it had widespread approval from Big Tech opens it to scrutiny. Here, we look at the law’s provisions, compare it with California’s measures, and assess the areas where it’s lacking.
Who does this affect?
The Virginia Consumer Data Protection Act (VCDPA) will significantly affect entities known as ‘data brokers.’ A data broker can be one of the high-profile corporations from Big Tech (e.g., Google or Amazon) or one of the lesser-known companies operating in the shadows that gather, analyze, package, and sell consumers’ personal information. According to the VCDPA, data brokers must hit specific thresholds for the law to apply to them. These stipulations include:
- “Persons” (remember folks, corporations are people too) must do business in Virginia or sell products and services that target Virginia residents.
- The organizations have to control the data of at least 100,000 Virginia residents. (This number is decreased to 25,000 residents if the company receives half or more of its revenue from selling personal information.)
There are several exemptions, however. For example, organizations do not have to abide by these regulations if:
- The data they collect from individuals pertains to employment or other commercial information. This means employees aren’t protected from their company’s data collection, and business-to-business data is still a free-for-all.
- They are in the financial services, research, credit reporting, healthcare, or educational industries.
- They are a designated non-profit.
So, already there appear to be some loopholes.
What are the new privacy provisions?
The VCDPA outlines new expectations that applicable data brokers must follow.
- Data brokers must gain explicit consent before processing “sensitive data.” This would include racial makeup, religious beliefs, health records, sexual orientation, genetic data, or a person’s precise geolocation.
It also grants consumers a variety of new data rights.
- The right of access. Now, Virginians can request to know all the information a company collects on them.
- The right of correction. Consumers can request a company correct wrong information, and they have to comply.
- The right of deletion. Individuals can request the deletion of their data.
- The right to opt out of targeted advertising, data selling, and profiling.
Unfortunately, there are more exemptions for these too. Organizations can get out of many of these information requests if they feel it causes an “unreasonable burden.” They also do not need to comply if the data collected is pseudonymized (meaning they replaced identifying info with pseudonyms).
Starting in 2023, any company found in non-compliance with the terms of the VCDPA will have 30 days to correct their course or be subject to a $7,500 fine for each violation.
Compared to the CPRA
California is the other state with data privacy laws on the books. The recently passed California Privacy Rights Act (CPRA) set the national standard. How does the VCDPA stack up? Overall, they’re very similar. There are a few key differences, though:
VCDPA is more limited in scope. It’s a bit semantic, but where the CPRA exempts specific personal data types, the VCDPA exempts entire industries like healthcare and education. This slightly shrinks the net of data protections.
VCDPA doesn’t apply to employees or commercial data. Under the CPRA, employees have the same protection as consumers. Unfortunately for Virginians, the VCDPA explicitly excludes employee or business-to-business data.
VCDPA has no private right of action. This means that residents aren’t allowed to sue offending companies for damages. California’s privacy law gives individuals the right to sue for up to $750 for violations.
Criticism
Privacy groups like the Electronic Frontier Foundation (EFF) levied scathing critiques of the bill[2]. Besides the lack of a private right of action mentioned above, it was also slammed for facilitating ‘pay-for-privacy’ programs, where businesses could charge consumers not to collect and sell their information.
Another complaint is that the law would force consumers to opt out of collection rather than opt in. Obviously, this creates an unnecessary barrier to privacy and makes the default invasive. Most people are too busy to go searching for opt-out links. It’s why some privacy advocates believe it protects the interests of companies more than consumers. The fact that Big Tech behemoths Amazon and Microsoft both offered support for the bill[3] backs up this assertion.
Regardless, it’s better than nothing. And, like the CPRA following up the CCPA after only a few years, it is possible to improve on privacy regulations in the future. Nothing is perfect, and in squabbling over the details, sometimes advocacy groups lose sight of the forest for the trees.
Any regulatory improvement is good, and the process is likely to be iterative over time. The VCDPA may not be a giant leap toward the end goal of robust data privacy laws, but it’s a healthy first step, one that lawmakers can build upon and that can provide an example to the rest of the country. At some point, federal data privacy laws will be on the table, and having test programs like this will inform lawmakers about what works and what doesn’t.
Building solutions and bringing awareness to data custody
AXEL is committed to providing data custody to its users. We never sell your information to third parties or mine your account for data. Our developers design privacy-based software solutions that keep your content away from the greedy hands of data brokers and Big Tech. AXEL Go is a blockchain-backed file-sharing and storage platform with optional encryption features. You can share and store files online without the worry of who else can see them. Take data privacy into your own hands. Ditch Big Tech and try AXEL Go today.
[1] Cat Zakrzewski, “Virginia governor signs nation’s second state consumer privacy bill”, The Washington Post, March 2, 2021, https://www.washingtonpost.com/technology/2021/03/02/privacy-tech-data-virgina/
[2] Hayley Tsukayama, “Virginians Deserve Better Than This Empty Privacy Law”, EFF.org, Feb. 12, 2021, https://www.eff.org/deeplinks/2021/02/virginians-deserve-better-empty-privacy-law
[3] Cat Zakrzewski, “The Technology 202: Virginia is poised to pass a state privacy law”, The Washington Post, Feb. 11, 2021, https://www.washingtonpost.com/politics/2021/02/11/technology-202-virginia-is-poised-pass-state-privacy-law/