By: Michael H. Gladstone, Esq.
Senators Marsden and Dunnavant introduced Senate Bill No. 1392 this session, a bill providing a “Consumer Data Protection Act” for Virginia. Code of Virginia §§ 59.1-579 – 580. The Act authorizes consumers to determine, by inquiry to a controller, whether their personal data is being processed by a data controller or processor and, if it is, to correct inaccuracies, obtain a copy of the data, delete the data, and opt out of future processing. These rights are qualified: a controller need only use “commercially reasonable efforts” to fulfill a request. The bill has a delayed effective date of January 1, 2023.
Terms utilized in the Act and their lengthy definitions have the ring of the European General Data Protection Regulation (GDPR); in comparison, however, the Act’s effect is much more modest.
The Act limits its application to data controllers and processors conducting business in the Commonwealth, or producing products or services targeted to Virginia residents, that (i) control or process the personal data of at least 100,000 consumers, or (ii) control or process the personal data of at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal data. The Act’s coverage is thus not strictly limited to businesses which process and sell personal data. The Act exempts, however, state and federally governed entities, fourteen different categories of data implicated by federal law and regulations, and several specific uses addressed by the Act.
Consumers wishing to exercise their rights under the Act may request the action they seek from the data controller. Controllers have forty-five days to respond to a request, extendable once by a further forty-five days, for a total of ninety days, and may demand additional information from the consumer where they are initially unable to fulfill the request using “commercially reasonable efforts.” Consumers may appeal a controller’s refusal to take the requested action under procedures to be established by the controller.
The Act provides no mechanism for private enforcement of its requirements. Enforcement authority is conferred exclusively on the Office of the Attorney General of Virginia, which estimates, according to the bill’s fiscal impact statement, that the annual burden of enforcement will require the time of three additional individuals and cost over $330,000.
Funding for initial enforcement work is not provided in the Act; it is expected to come later from civil penalties collected in future enforcement actions.
Before initiating an enforcement action under the Act, the Attorney General is required to give a controller thirty days’ written notice of the specific violation of the Act at issue. To preclude an enforcement action, the controller must (i) cure the specific violation; and (ii) issue a written declaration stating that the alleged violations have been cured and that no further violations will occur. Only after a controller’s continued violation of the Act in breach of this declaration may an action be initiated by the Attorney General. Civil penalties recoverable by the Attorney General are capped at $7,500 per violation, plus investigation and preparation costs and attorney fees.
The Act does require controllers to conduct a data protection assessment concerning several processing activities involving personal data, for example:
These assessments may be requested by the Attorney General in connection with the investigation of a controller.
By adding new consumer rights, e.g., to discover and correct their data, to have it deleted, and to opt out of processing, the Act imposes new burdens on Virginia businesses which process personal data. Data tracking capabilities, along with consumer response and appeal processes, will have to be developed and implemented by covered businesses, as will the data protection assessments the Act requires. Notably, published comments concerning the bill have not criticized it for the added cost or business processes required to fulfill these new, broad obligations. Instead, comments have focused on specific aspects of the bill.
In correspondence commenting on the Act, six associations representing the advertising industry applaud the absence of a private right of action to enforce the Act, arguing “[a]llowing private action would flood the courts with frivolous lawsuits driven by opportunistic trial lawyers searching for technical violations, rather than focusing on actual consumer harm.” See Final Joint Advertising Trade letter on the Virginia Consumer Data Protection Act, January 6, 2021.
Objections
1) The advertising industry representatives, however, object to the Act’s requirement that data protection assessments be turned over to the Attorney General in connection with an investigation. Similarly, the advertising industry objects to the Act’s requirement that processors submit to controller audits and make their compliance information available to controllers, claiming the requirement is “overly burdensome.”
2) The industry also objects to the scope of the consumer’s right of deletion, preferring a narrower definition of what a consumer may request be deleted, and argues Virginia should ensure that its consumers’ rights of access and deletion mirror those same rights in other states’ laws. The industry prefers the California Consumer Privacy Act (CCPA) formulation (i.e., data collected from the consumer) over the Virginia Act’s broader formulation (i.e., data concerning the consumer).
3) The industry also objects to consumers having a right to appeal a controller’s denial of their request because the process would “force them [controllers] to justify their lawful policies and will not provide greater privacy protections for consumers.”
In testimony given January 27, 2021, before the Virginia Senate Committee on General Laws and Technology, as reported by the International Association of Privacy Professionals, Senator Marsden, the bill’s sponsor, characterized the Act as containing “all the key elements to protect consumers and is cleaner, simpler and easier to understand than what was passed in California. . . [and] sets a baseline to give consumers control over their personal data, provide companies clear expectations and leverage best practices without creating excessive or unreasonable compliance burdens.”
According to the International Association of Privacy Professionals, Amazon and Microsoft were on hand to provide supporting testimony for the bill. Other committee witnesses criticized the lack of a private enforcement action, and deemed the enforcement mechanism “unworkable.”
The Virginia Senate Committee on General Laws and Technology voted 13-0, with one abstention, in favor of moving the bill forward to the Senate Finance and Appropriations Committee for further consideration and debate. Despite the criticism, the bill appears to have traction, having been re-referred to that committee.
If passed, Virginia’s data protection law may be cast as “California Lite.” Large industry’s support for the bill signals its approval of data privacy legislation containing, for example:
While the GDPR is viewed by some as having gone too far in protecting individual data and burdening controllers and processors, it may nevertheless provide some perspective for identifying a few differences between the requirements of the Virginia Act and the GDPR: [Are You Within the Reach of the GDPR?]
Where an enforcement action is initiated by the Virginia Attorney General, the civil penalty is capped at $7,500 per violation, plus investigative and preparation costs and attorney fees. Enforcement of the Act is initially unfunded. The sequence of request, denial, appeal, investigation, notice, cure and declaration, breach of the declaration, and initiation of an action ensures a lengthy gap in time between a violation of the Act and its enforcement.
Read Mike's earlier articles following the implementation of the GDPR and its legal impact on U.S. businesses:
GDPR Effective Date Imminent. Is Your Business Ready?
An Approach for U.S. Companies to the GDPR
GDPR Issues in U.S. and International Litigation and Arbitration