Date: 2021-03-06

However, besides not applying to small businesses with fewer than 100,000 customers, the new law exempts two of the most critical privacy categories: health care data and financial information used to determine an individual’s creditworthiness. That information can still be bought and sold, and most certainly will be. Also exempted are state agencies, political subdivisions, financial institutions, nonprofits and institutions of higher learning, which can continue to sell personal data to whoever will buy it.

So when Sen. Marsden commented that his bill would allow Virginians to “have control over your data,” he should have said “some control over some of your data.”

But some control is better than none.

Another flaw in the legislation is that it gives the state attorney general “exclusive authority to enforce violations,” which can result in a $7,500 fine per violation. This means that, unlike Californians, Virginians who discover that their personal data has been sold anyway, even after opting out, cannot sue the offending company and receive compensation for the unlawful data breach. Marsden said his intention was to prevent a new class of lawsuits from clogging up the courts, but it also reduces the incentive companies have to obey the law.