
March 6, 2021

A Breakdown of Virginia’s New Privacy Law

On March 2nd, Virginia Governor Ralph Northam signed a comprehensive data privacy bill into law, making it the second state behind California to enact formal privacy regulations[1]. While it’s difficult to argue this development is a bad thing, the fact that it had widespread approval from Big Tech opens it to scrutiny. Here, we look at the law’s provisions, compare it with California’s measures, and assess the areas where it’s lacking.

Who does this affect?

The Virginia Consumer Data Protection Act (VCDPA) will significantly affect entities known as ‘data brokers.’ A data broker can be one of the high-profile corporations from Big Tech (e.g., Google, Amazon) or one of the lesser-known companies operating in the shadows that gather, analyze, package, and sell consumers’ personal information. According to the VCDPA, data brokers must hit specific thresholds for the law to apply to them. These stipulations include:

  • “Persons” (remember folks, corporations are people too) must do business in Virginia or sell products and services that target Virginia residents.
  • The organizations have to control the data of at least 100,000 Virginia residents. (This number is decreased to 25,000 residents if the company receives half or more of its revenue from selling personal information.)

There are several exemptions, however. For example, organizations do not have to abide by these regulations if:

  • The data they collect from individuals pertains to employment or other commercial information. This means employees aren’t protected from their company’s data collection, and business-to-business data is still a free-for-all.
  • They are in the financial services, research, credit reporting, healthcare, or educational industries.
  • They are a designated non-profit.

So, already there appear to be some loopholes.

What are the new privacy provisions?

The VCDPA outlines new expectations that applicable data brokers must follow.

  • Data brokers must gain explicit consent before processing “sensitive data.” This would include racial makeup, religious beliefs, health records, sexual orientation, genetic data, or a person’s precise geolocation.

It also grants consumers a variety of new data rights.

  • The right of access. Now, Virginians can request to know all the information a company collects on them.
  • The right of correction. Consumers can request that a company correct wrong information, and the company has to comply.
  • The right of deletion. Individuals can request the deletion of their data.
  • The right to opt out of targeted advertising, data selling, and profiling.

Unfortunately, there are more exemptions for these too. Organizations can get out of many of these information requests if they feel it causes an “unreasonable burden.” They also do not need to comply if the data collected is pseudonymized (meaning they replaced identifying info with pseudonyms).

Starting in 2023, any company found in non-compliance with the terms of the VCDPA will have 30 days to correct their course or be subject to a $7,500 fine for each violation.

Compared to the CPRA

California is the other state with data privacy laws on the books. The recently passed California Privacy Rights Act (CPRA) set the national standard. How does the VCDPA stack up? Overall, they’re very similar. There are a few key differences, though:

VCDPA is more limited in scope. It’s a bit semantic, but where the CPRA exempts specific personal data types, the VCDPA exempts entire industries like healthcare and education. This slightly shrinks the net of data protections.

VCDPA doesn’t apply to employees or commercial data. Under the CPRA, employees have the same protection as consumers. Unfortunately for Virginians, the VCDPA explicitly excludes employee or business-to-business data.

VCDPA has no private right of action. This means that residents aren’t allowed to sue offending companies for damages. California’s privacy law gives individuals the right to sue for up to $750 for violations.

Criticism

Privacy groups like the Electronic Frontier Foundation (EFF) levied scathing critiques of the bill[2]. Other than the lack of a private right of action, as mentioned above, it was also slammed for facilitating ‘pay-for-privacy’ programs, where businesses could charge consumers not to collect and sell their information.

Another complaint is that the law would force consumers to opt out of collection rather than opt in. Obviously, this creates an unnecessary barrier to privacy and makes the default invasive. Most people are too busy to go searching for opt-out links. It’s why some privacy advocates believe it protects the interests of companies more than consumers. The fact that Big Tech behemoths Amazon and Microsoft both offered support for the bill[3] backs up this assertion.

Regardless, it’s better than nothing. And, like the CPRA following up the CCPA after only a few years, it is possible to improve on privacy regulations in the future. Nothing is perfect, and in squabbling over the details, sometimes advocacy groups lose sight of the forest for the trees.

Any regulatory improvement is good, and the process is likely to be iterative over time. The VCDPA may not be a giant leap toward the end goal of robust data privacy laws, but it’s a healthy first step, one that lawmakers can build upon and that provides an example to the rest of the country. At some point, federal data privacy laws will be on the table, and having test programs like this will inform lawmakers about what works and what doesn’t.

Building solutions and bringing awareness to data custody

AXEL is committed to providing data custody to its users. We never sell your information to third parties or mine your account for data. Our developers design privacy-based software solutions that keep your content away from the greedy hands of data brokers and Big Tech. AXEL Go is a blockchain-backed file-sharing and storage platform with optional encryption features. You can share and store files online without the worry of who else can see them. Take data privacy into your own hands. Ditch Big Tech and try AXEL Go today.

 

[1] Cat Zakrzewski, “Virginia governor signs nation’s second state consumer privacy bill”, The Washington Post, March 2, 2021, https://www.washingtonpost.com/technology/2021/03/02/privacy-tech-data-virgina/

[2] Hayley Tsukayama, “Virginians Deserve Better Than This Empty Privacy Law”, EFF.org, Feb. 12, 2021, https://www.eff.org/deeplinks/2021/02/virginians-deserve-better-empty-privacy-law

[3] Cat Zakrzewski, “The Technology 202: Virginia is poised to pass a state privacy law”, The Washington Post, Feb. 11, 2021, https://www.washingtonpost.com/politics/2021/02/11/technology-202-virginia-is-poised-pass-state-privacy-law/


November 20, 2020

What’s Inside California’s New Privacy Regulations

On November 3, 2020, California voters approved the California Privacy Rights Act (CPRA or Prop 24), a ballot initiative expanding consumer privacy protections. It easily passed, securing over 56% “Yes” votes. We look into some of its major provisions and examine how it differs from a previous California privacy law.

An amendment to current regulations

In 2018, the California Consumer Privacy Act (CCPA) passed and became law. While it outlined a framework for many consumer privacy protections, many felt it was inadequate given the current state of corporate data collection. So, a mere two years later (and less than one year after the CCPA officially went into effect), the CPRA has made significant changes to these stipulations.

An overview of the changes

Here is a brief summary of the significant changes. You can view the full bill here if you enjoy reading 50 pages of legalese (hey, everyone has their preferences).

A higher threshold for mandated compliance

The CCPA required businesses that used 50,000 consumers’ or households’ personal information to comply with the bill’s privacy standards. The CPRA actually increases this number to 100,000 consumers or households. So, it lessens the regulatory burden on small to medium-sized businesses who traffic in personal information.

Is this a win for privacy advocates? It’s unclear. Nobody wants to shutter small businesses due to onerous regulation, but could these exemptions lead to exploitation? While the biggest privacy offenders such as Facebook and Google will fall under the regulatory umbrella, smaller companies get a free pass. Could this create a loophole where corporations spin their data collection arms off into smaller shell companies to avoid compliance? Until governments and organizations address these possibilities, it remains a concern.

A wider net

CCPA restrictions applied to companies receiving 50% or more of their revenue from selling personal data. This seemingly straightforward wording created a giant loophole for the serial data offenders. In many cases, corporations argued they didn’t actually “sell” personal information. They simply gave it away to increase advertising revenue.

The CPRA closes this loophole by injecting the term “sharing” into the clause. As defined by the bill: “sharing, renting, releasing, disclosing, disseminating, making available, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary, or other valuable consideration…” results in mandatory compliance (assuming the other qualifiers are also met). This is a much more encompassing definition and an overall win for privacy advocates.

New data categories

Whereas the CCPA treated most personal information generally, the CPRA creates more granular data categories with distinct regulatory differences. Specifically, the CPRA defines certain types of data as being “Sensitive Personal Information.” This includes:

  • Government identifiers such as social security numbers or driver’s licenses
  • Financial accounts and login information
  • Detailed geolocation data
  • Info regarding race, religion, philosophical beliefs, or sexual preference
  • Union membership status
  • The content of private mail, email, and text messages
  • Genetic information
  • Biometric data
  • Health records

Consumers can now request that businesses limit the use of their Sensitive Personal Information to only what is necessary to provide the desired services. Companies would then no longer be able to sell or share sensitive information without prior consent and authorization.

It also sets up disclosure and opt-out standards for the use of Sensitive Personal Information that organizations must follow. This includes providing opt-out links on the business’s homepage and respecting opt-out signals sent by consumers when they visit the site.

Expanded consumer rights

The CPRA outlines new privacy rights and modifies others already defined in the CCPA. Examples include:

The right to correction. Consumers can now demand businesses update their personal information if it’s inaccurate.

The right to opt out of profiling. Data collectors use your personal information to construct a “profile” of you, then utilize automated decision-making technology to serve advertisements based on the profile. The CPRA allows consumers to opt out of this practice.

An expanded right-to-know. Previously, the CCPA entitled consumers to information collected on them for the past 12 months. The CPRA entitles residents to all data collected.

Greater protection for minors. Businesses that collect and sell the personal information of minors under the age of 16 are subject to triple fines per incident, or $7,500.

A more robust right to delete. The CPRA strengthens Californians’ right to delete their personal information. Companies now not only must delete the data but inform third parties they’ve shared or sold the data to of the deletion request as well. Note, the right to delete is subject to certain conditions and exemptions.

A new government agency

Under the CCPA, enforcement falls under the California Attorney General’s responsibilities. This bill creates a dedicated government agency that will handle enforcement and penalties. California sure does love their government agencies! It’s called the California Privacy Protection Agency (CPPA); don’t worry if you can’t keep all the acronyms straight. The CPPA will have a $5 million budget in 2021, which will increase to $10 million from 2022 on. Its creation will theoretically lessen the burden on the Attorney General’s office and make enforcement more feasible.

Regular audits

Another important provision of the bill is the requirement for companies to audit their cybersecurity practices. As the constant hacks over the past few years have shown, problems lie not only in data collection but also in data protection. Sensitive information needs to be secured with baseline standards to prevent future phishing attacks, cyber theft, and identity fraud.

Organizations must present the findings from these audits to the newly-formed CPPA on a “regular basis.” Hopefully, this incentivizes companies working with private data to invest more in their cybersecurity solutions and reduce data breaches.

Opposition

The CPRA is a controversial bill, with a diverse set of proponents and opponents. However, the opponents may not be who you’d imagine. While one might assume that the big technology corporations in Silicon Valley aren’t too happy with the bill, none came out in outright opposition. There are two common explanations for this:

  • Nobody in Big Tech wants to come out against consumer privacy explicitly. Facebook, Google, and the other tech players have all had their share of bad publicity regarding privacy concerns over the past few years. Saying, “Oh yeah, we want all of your data and don’t want you to have any recourse against it,” likely wouldn’t play well to the general user.
  • Big Tech has sunk its digital claws into the legislation and weakened it considerably. This is actually the standard line for many of those who have come out against it.

Surprising opponents include the California American Civil Liberties Union[1], Consumer Action[2], and the California League of Women Voters[3].

A frequently cited concern

Those opposing the bill have similar problems with it. They conclude it’s a “pay-for-privacy” scheme that unfairly affects people without the financial means to pay. This is because a clause in the legislation says that a company can charge a consumer requesting privacy the amount of the collected data’s value. It helps tech organizations offset the advertising revenue lost and is a clear motivation for consumers to opt in to data collection.

An unclear future

Though not everyone agrees that the CPRA is the best possible solution, it’s difficult to argue it isn’t more substantial than the CCPA. It will be fascinating to see the legislation’s future effects on the tech business and consumer privacy. If successful, it could set in motion a slew of similar bills in other states. If it becomes a bureaucratic quagmire, it might stall regulation throughout the country.

One quirk of the CPRA is that lawmakers can no longer amend it unless the amendment is to “further privacy rights.” That may sound good, but its nebulous wording could open up legal challenges down the road if aspects of it need adjustment.

AXEL’s commitment

At AXEL, we believe in everyone’s right to privacy. That’s why we develop file-sharing and cloud storage solutions that prioritize privacy and security. No government-enforced edicts are necessary for us to respect your personal information. It’s an integral component of our corporate philosophy. If you need to share or store files in a safe, private way, download AXEL Go for Windows, Mac, Android, or iOS. Get out from under the watchful eye of Big Tech and experience a better way to use the internet.

 

[1] Andrea Vittorio, “ACLU Among Activists Opposing Update to California Privacy Rules”, Bloomberg Law, July 22, 2020, https://news.bloomberglaw.com/privacy-and-data-security/aclu-among-activists-opposing-update-to-california-privacy-rules

[2] Alegra Howard, Linda Sherry, “Consumer Action opposes California Proposition 24”, consumer-action.org, Aug. 19, 2020, https://www.consumer-action.org/press/articles/consumer-action-opposes-california-proposition-24

[3] “League of Women Voters Opposes Prop 24”, prnewswire, Oct. 28, 2020, https://www.prnewswire.com/news-releases/league-of-women-voters-opposes-prop-24-301162344.html
