Senators Marsden and Dunnavant introduced Senate Bill No. 1392 this session, a bill establishing a “Consumer Data Protection Act” for Virginia. Code of Virginia §§ 59.1-579 – 580. The Act authorizes consumers to ask a controller whether their personal data is being processed by a controller or processor and, if it is, to correct inaccuracies, obtain a copy of the data, opt out of certain future processing (targeted advertising, the sale of personal data, and profiling in furtherance of decisions with legal or similarly significant effects), and have the data deleted. These rights are qualified: a controller need only use “commercially reasonable efforts” in responding. The bill has a delayed effective date of January 1, 2023.
The terms used in the Act, and their lengthy definitions, have the ring of the European General Data Protection Regulation (GDPR). In comparison, however, the Act’s effect is much more modest.
Which Businesses Qualify?
The Act applies to controllers and processors that conduct business in the Commonwealth, or that produce products or services targeted to Virginia residents, and that either (i) control or process personal data of at least 100,000 consumers during a calendar year, or (ii) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data. Coverage is thus not limited to businesses that sell personal data. The Act exempts, however, state bodies and entities governed by certain federal regimes, fourteen categories of data already regulated under federal law, and several specific uses addressed in the Act.
Consumers wishing to exercise their rights under the Act submit a request to the controller. Controllers have forty-five days to respond, extendable once by a further forty-five days, for a total of ninety days. Where a controller is unable to authenticate the request using “commercially reasonable efforts,” it need not act on it and may ask the consumer for additional information reasonably necessary to authenticate the request. A consumer may appeal a controller’s refusal to take the requested action under procedures the controller is required to establish.
Enforcement, Funding & Damages
The Act provides no private right of action. Enforcement authority is conferred exclusively on the Office of the Attorney General of Virginia, which, according to the bill’s fiscal impact statement, estimates that enforcement will require three additional staff and cost over $330,000 annually.
Funding for initial enforcement work is not provided in the Act but is supposed to come later through fines collected in future enforcement actions.
Before initiating an enforcement action under the Act, the Attorney General must give the controller thirty days’ written notice identifying the specific violation at issue. To preclude an enforcement action, the controller must (i) cure the violation and (ii) issue a written declaration stating that the alleged violations have been cured and that no further violations will occur. Only if the controller then breaches that declaration by continuing to violate the Act may the Attorney General bring an action. Civil penalties recoverable by the Attorney General are capped at $7,500 per violation, plus investigation and preparation costs and attorney fees.
The Act does require controllers to conduct a data protection assessment for several categories of processing activity involving personal data, for example:
- those involving targeted advertising;
- the sale of personal data;
- the processing of sensitive data; and
- any processing which presents a “heightened risk of harm” to consumers.
These assessments may be requested by the Attorney General in connection with the investigation of a controller.
New Burdens and Costs on Businesses
By creating new consumer rights, e.g., to discover and correct their data, to have it deleted, and to opt out, the Act imposes new burdens on Virginia businesses that process personal data. To that end, covered businesses will have to develop and implement data inventory and tracking capabilities, consumer request and appeal processes, and data protection assessments. Notably, published comments on the bill have not criticized the cost or the business processes required to meet these new, broad controller and processor obligations. Instead, comments have focused on specific provisions of the bill.
Public Comment from the Advertising Industry
In correspondence commenting on the Act, six associations representing the advertising industry applaud the absence of a private right of action, arguing that “[a]llowing private action would flood the courts with frivolous lawsuits driven by opportunistic trial lawyers searching for technical violations, rather than focusing on actual consumer harm.” See Final Joint Advertising Trade letter on the Virginia Consumer Data Protection Act, January 6, 2021.
1) The advertising industry representatives object, however, to the Act’s requirement that data protection assessments be turned over to the Attorney General in connection with an investigation. Similarly, they object to the Act’s requirement that processors submit to controller audits and make their compliance information available to controllers, calling the requirement “overly burdensome.”
2) The industry also objects to the scope of the consumer’s right of deletion, preferring a narrower definition of what a consumer may ask to have deleted, and argues that Virginia should ensure that its consumers’ rights of access and deletion mirror the same rights under other states’ laws. The industry prefers the California Consumer Privacy Act formulation (i.e., data collected from the consumer) over the Virginia Act’s broader formulation (i.e., data concerning the consumer).
3) The industry also objects to consumers having a right to appeal a controller’s denial of their request because the process would “force them [controllers] to justify their lawful policies and will not provide greater privacy protections for consumers.”
In testimony given January 27, 2021, before the Virginia Senate Committee on General Laws and Technology, as reported by the International Association of Privacy Professionals, Senator Marsden, the bill’s sponsor, characterized the Act as containing “all the key elements to protect consumers and is cleaner, simpler and easier to understand than what was passed in California. . . [and] sets a baseline to give consumers control over their personal data, provide companies clear expectations and leverage best practices without creating excessive or unreasonable compliance burdens.”
According to the International Association of Privacy Professionals, Amazon and Microsoft were on hand to provide supporting testimony for the bill. Other committee witnesses criticized the lack of a private enforcement action, and deemed the enforcement mechanism “unworkable.”
The Virginia Senate Committee on General Laws and Technology voted 13-0, with one abstention, to report the bill and re-refer it to the Senate Finance and Appropriations Committee for further consideration and debate. Despite the criticism, the bill appears to have traction.
“California Lite” vs. GDPR
If passed, Virginia’s data protection law may be cast as “California Lite.” Large industry’s support for the bill signals its approval of data privacy legislation that contains, for example:
- no private right of enforcement;
- no right to a list of third parties to whom data is shared; and
- no provisions addressing data breaches. Each of these is a component of California’s Consumer Privacy Act.
While the GDPR is viewed by some as having gone too far in protecting individual data and burdening controllers and processors, it nevertheless provides a useful yardstick for identifying a few differences between the requirements of the Virginia Act and those of the GDPR:
- The Virginia Act requires no demonstrable legal basis (e.g., consent) for the processing of personal data generally; consent is required only for the processing of sensitive data. Its security obligation is a general duty to maintain “reasonable” administrative, technical and physical data security practices, with no further specification.
- No duties are imposed on controllers or processors in the event of a personal data security breach; breach notification in Virginia remains governed by the separate statute at Va. Code § 18.2-186.6.
- No specific record keeping of personal data processing is required by the Virginia Act.
- No duty is imposed to pass data corrections on to downstream recipients.
- No individual right of action is provided in the Act for enforcement of the Act.
Where an enforcement action is initiated by the Virginia Attorney General, the civil penalty is capped at $7,500 per violation, plus investigative and preparation costs and attorney fees. Enforcement of the Act is initially unfunded. The sequence of request, denial, appeal, investigation, notice, cure and declaration, breach of the declaration, and initiation of an action ensures a lengthy gap between a violation of the Act and its enforcement.
Mike has broad litigation experience including matters involving personal injury and property damage, insurance and coverage, commercial matters, trucking, professional liability, product liability, immigration/removal, and worksite enforcement. He has successfully defended design professionals in construction defect matters. His product liability experience includes a focus on industrial machinery, warnings and labels, product development and introduction, and associated commercial issues. He obtained the first post-Kumho Tire exclusion of an Accident Reconstruction Expert in a trucking matter. Mike has successfully defended and asserted trade secret claims in State and Federal Courts.