Date: 2021-03-06

WITH THE General Assembly’s passage of the Consumer Data Protection Act (SB 1392), Virginia has become just the second state in the nation besides California to address the ongoing problem of businesses and other organizations selling customers’ personal information without their knowledge or consent.
The bill, patroned by Sen. David Marsden, D–Fairfax, and signed into law by Gov. Ralph Northam on March 2, applies to companies that “process personal data of at least 100,000 consumers or derive over 50 percent of gross revenue from the sale of personal data … of at least 25,000 consumers.” The new law will not go into effect until Jan. 1, 2023, to allow the Joint Commission on Technology and Science to come up with recommendations on how it should be implemented.
The legislation gives consumers the right to obtain a copy of their data that is being collected, processed, and sold to targeted advertising and consumer profiling firms, which have become big businesses, and opt out if they so choose. Under the law, businesses in Virginia may continue to collect customers’ personal data only for specific and legitimate business purposes.
Consent is required before any “sensitive data”—defined as racial or ethnic origin, religion, mental or physical health information, sexual orientation, citizenship or immigration status, biometric data, personal data collected from a known child and a person’s precise geolocation—is provided to a third party.
However, besides not applying to small businesses with fewer than 100,000 customers, the new law exempts two of the most critical privacy categories: health care data and financial information used to determine an individual’s creditworthiness. That information can still be bought and sold—and most certainly will be. Also exempted are state agencies, political subdivisions, financial institutions, nonprofits and institutions of higher learning, which can continue to sell personal data to whoever will buy it.
So when Sen. Marsden commented that his bill would allow Virginians to “have control over your data,” he should have said “some control over some of your data.”
But some control is better than none.
Another flaw in the legislation is that it gives the state attorney general “exclusive authority to enforce violations,” which can result in a $7,500 fine per violation. This means that, unlike Californians, Virginians who discover that their personal data has been sold anyway, even after opting out, cannot sue the offending company and receive compensation for the unlawful data breach. Marsden said his intention was to prevent a new class of lawsuits from clogging up the courts, but it also reduces the incentive companies have to obey the law.
In 2017, Bruce Schneier, a fellow with the Berkman Klein Center for Internet & Society at Harvard’s Kennedy School, warned that “surveillance is the business model of the internet. Everyone is under constant surveillance by many companies, ranging from social networks like Facebook to cellphone providers. … We’re the product, not the customer.”
Sen. Mark Warner, who has introduced federal legislation to prohibit large online social media platforms from using “deceptive user interfaces to trick consumers into handing over their personal data,” called the Virginia law “an important first step.”
“My hope,” said Warner, “is that Governor Northam and the legislature will improve this law in the near future in important ways, including incorporating my important bipartisan work on dark patterns and enhancing privacy protections around online advertisements, making it easier for Virginia citizens to invoke their privacy rights, such as through a global privacy control.”
One can only hope that there’s any personal and private information left to protect by then.