Date: 2021-02-17
Nearly one year into the COVID-19 pandemic, Virginians are leaning more on online services.
In some cases, these changes are by consumer choice — for example, a person with a high-risk health condition decides to forgo a trip to a crowded grocery store, and schedule curbside pickup or home delivery. In other cases, there is no choice — say your local bank branch has closed and you reluctantly deposit checks with your smartphone after years of avoiding that option.
With or without a pandemic, some of these shifts already were in motion. As technology keeps advancing, Virginians deserve a real say in the exchange and use of their information online. The Consumer Data Protection Act (CDPA) is a necessary first step toward better protections.
On Tuesday, The Roanoke Times reported that lawmakers are on the verge of passing the legislation carried by state Sen. David Marsden (Senate Bill 1392), D-Fairfax, and Del. Cliff Hayes (House Bill 2307), D-Chesapeake. The CDPA “establishes a framework” — emphasis on framework — “for controlling and processing personal data” in the commonwealth.
In May 2018, the European Union (EU) set the tone for a consumer voice with the General Data Protection Regulation (GDPR). Self-billed as the “toughest privacy and security law in the world,” the GDPR applies to any entity processing data of EU citizens, even if located outside of the EU.
The GDPR offers robust definitions for key actors and exchanges in cyberspace, including “personal data” (names, email addresses, location information, ethnicity, gender, biometric data, religious beliefs, web cookies and even political opinions); “data subject” (a customer or site visitor); and “data controller” (the arbiter of why and how personal information is processed, such as a site owner).
In June 2018, in the absence of a federal law, California became the first U.S. state to pass comprehensive data privacy legislation. Per the attorney general’s office, the California Consumer Privacy Act (CCPA) emphasizes four key principles: the right to know what information is collected and how it is used/shared, the right to delete that information (with some exceptions), the right to opt out of personal information being sold and the right to nondiscrimination for exercising privacy rights.
A Tuesday National Law Review (NLR) piece explained how the CDPA establishes some of these definitions and principles in Virginia. The bill spells out “personal data rights” including the ability to confirm if information is being processed, to access or obtain a copy of it, to delete or correct data provided and to opt out of certain practices (sale or advertising).
The CDPA also strengthens the definition of “sensitive data” to include racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data used to identify someone; personal data collected from a known child; or precise geolocation data.
Controllers and processors of personal data also face stiffer requirements, including limiting collection to “what is adequate, relevant and reasonably necessary,” keeping practices in line with what consumers have consented to, and bundling all terms in a “reasonably accessible, clear and meaningful” privacy policy, among other points.
But per The Roanoke Times report, some of the bill’s components give advocates pause. The CDPA would not apply to all data controllers. The bill affects “businesses that conduct business in Virginia, or produce products or services that target Virginia residents.” Consumers are defined as Virginia residents, not people “acting in a commercial or employment context.”
Within a calendar year, the business has to “control or process personal data of at least 100,000 ‘consumers’” or of “at least 25,000 ‘consumers’ and derive over 50% of gross revenue from the sale of personal data,” the bill says. Additionally, some sectors such as banking and health care fall under “exemptions for industries that already have to adhere to rigorous federal data and privacy protection laws,” the Times reported.
Consumer groups warn the onus is on Virginians to work with businesses to understand how data is being collected and used. Moreover, unlike California’s law, Virginians would not have a private right of action, with violations instead handled by the attorney general’s office.
Personal data is too important to be left in a chaotic state. While the CDPA has some issues, it represents progress, not perfection — a necessary first step toward better protections.
“Because of the time we’re in, any and everybody needs to be conscious of the fact of the data in which you hold, process and control doesn’t belong to you,” Hayes said in The Roanoke Times report. “That personal identifiable information belongs to the people.”
We agree. With Virginians finally given a say in how their personal data is used, we expect more improvements in the years ahead. This past November, Golden State voters passed Proposition 24 — the California Privacy Rights Act (CPRA). Effective January 2023 (the same time as Virginia’s law would go into effect), the CPRA updates the original CCPA by “extending enforcement exemptions, defining the term ‘consent’ and imposing additional privacy policy disclosures,” the NLR reported in November.
Through the work of lawmakers (or even ourselves at the ballot box) we have the right to be involved in how our personal data is handled. The CDPA is a necessary first step for Virginia.