While we agree with Stuart Brotman that employees’ privacy is important and worthy of legislative action to protect (“Digital privacy laws and the pandemic,” Feb. 24 commentary), we must take exception to his characterization of support for the recently-passed Consumer Data Protection Act (CDPA) as being “bolstered” by a number of prominent advocacy groups. He cherry-picked a sentence in one letter from several consumer and privacy organizations citing some positive aspects of the legislation, while ignoring their recommendations for significant changes that were needed. To our knowledge, no consumer or privacy groups endorsed the legislation.
In fact, in subsequent letters, op-eds and press releases, some of these same advocacy groups made clear how woefully inadequate the CDPA is. We also asked Virginia Gov. Ralph Northam to veto it or consider adding a reenactment clause, which would have sent it back to the legislature to be approved again next January because it falls far short of what’s needed to protect Virginians’ privacy and allows unfair discrimination against those who exercise the few rights it provides.
One of the main problems with the CDPA is that it is based on the outdated “notice and opt-out” framework which underpins the current system of commercial surveillance and fails to provide consumers with meaningful control over their personal information. Instead of requiring companies to get people’s permission before using their data, it places the burden on consumers to navigate today’s incredibly complex data ecosystem and take steps to opt-out of unwanted uses of their information (to the limited extent they are allowed to do so). Making “opt-out” the default disempowers consumers and poses equity concerns; consumers with less time and resources to figure out how their data is being used and how to opt-out will inevitably be subject to more privacy violations. Where the default lies matters, as marketers well-know.
Another serious concern is that he CDPA allows businesses to charge consumers more or provide them with lower-quality products or services if they exercise their rights to opt-out of targeted advertisements, their personal data being sold, or being profiled. In other words, if consumers want privacy, they have to pay more.
The process itself has been stacked against consumers from the beginning. Neither the Virginia Citizens Consumer Council nor any of the national consumer and privacy organizations were consulted as the bill was being drafted. Furthermore, groups that signed up to testify at hearings in February were not called upon to speak.
Virginia legislators were never given the opportunity to really learn about and discuss the problems with the CDPA. To their great credit, some legislators, especially Senators Surovell and Sutterlein, asked to slow the train down so they could ensure that the bill would provide the privacy rights and protections their constituents needed. Alas, the train continued to hurtle down the tracks and Governor Northam signed it on March 2. As it stands now, the CDPA codifies business-designed obstacles to consumers having meaningful control of their personal information. The result will be confusion and frustration, not privacy protection.
We appreciate that Governor Northam’s office has engaged with the concerns of consumer and privacy groups and committed to a robust stakeholder process to improve this law. Yet the fundamental problems with the CDPA are too big to be fixed after the fact.
If the Virginia legislature addresses employee privacy in the future, we hope that employees as well as consumer and privacy groups will be involved at the drafting stage and heard throughout the process. All of us need a seat at the table, not just businesses.
Leech is president of the Virginia Citizens Consumer Council. Grant is director of Consumer Protection and Privacy, Consumer Federation of America, Mierzwinski is Senior Director, Federal Consumer Program, U.S. PIRG (public interest research group).