Virginia is poised to become the second state in the nation to pass a broad consumer privacy bill. Virginia’s Consumer Data Protection Act has passed through the General Assembly and the governor is expected to sign it any day. The bill’s patron insists the law will give individuals control over their digital data, restoring trust in technologies and data-driven companies that have been irresponsible with people’s privacy.
It’s a noble aim, but efforts to regulate how companies collect and use data is notoriously complicated. Common Sense was on the frontlines in California, working to pass its landmark privacy law in 2018 and a ballot initiative last November that strengthened that law. We have seen firsthand how tech companies fight tooth and nail to defeat anything that would change their business practices and then find ways to sneak around and slip away from following the law once anything is passed.
That is why we are worried that in lawmakers’ eagerness to take a victory lap for protecting Virginians’ privacy, they have raced to enact a law that has serious loopholes, big gaps in protection, and no real way of ensuring companies follow the law.
Virginia’s Consumer Data Protection Act privacy law was taken verbatim from a proposal in Washington state that was defeated last year, and this law lacks many of the improvements proposed in Washington and elsewhere across the country.
The law’s chief innovation is requiring consent before companies collect some limited types of sensitive information. Like laws in California, it also includes some individual rights to access and delete information, and it gives people the right to opt out of some types of data sales and targeted ads.
The problem is that it introduces a slew of exceptions that make it unclear whether many big name companies even need to apply. The law was passed so quickly it’s unclear whether these exceptions are accidents or intentional efforts to let companies off the hook for privacy violations. All sorts of companies and types of data are excluded.
The law also purports to include limits on how companies can collect and use data, which are known as data minimization and purposes specification provisions. These are designed to stop practices like phone flashlight apps from secretly selling location data, but the law’s provisions aren’t very restrictive. Many requirements are conditioned on being disclosed to consumers, which sounds empowering in theory, but really just means the privacy policies no one reads will just get longer.
The Consumer Data Protection Act also diverges from efforts in California and Washington and around the globe that expand privacy protections for kids. It offers little additional protections for current and outdated federal law. It opens the door for tech companies to manipulate kids, designing products and permissions that trick and encourage kids to share more and more of their data. The law also lets companies ignore whether their products are being used by teenagers, something expressly prohibited by California’s privacy laws and international regulations like the United Kingdom’s Age Appropriate Design Code.
Finally, it’s worth thinking about how this law will be enforced. Sen. David Marsden, D-Fairfax County and the bill’s sponsor, insists the state’s Attorney General is up to the task, but has anyone asked Attorney General Herring’s opinion? Some press reports suggest the attorney general will be given $400,000 to enforce the law.
That’s worth comparing to a proposed allocation of $1.2 million for enforcement of a similar proposal in Washington, which provides for about three new attorneys capable of doing just three investigations per year. Worries about policing the biggest tech companies in the world were one of the primary reasons Californians have dedicated $10 million annually to a new privacy protection agency. Those numbers make Virginia’s Consumer Data Protection Act look like a privacy paper tiger.
There is a window of opportunity to improve this law. As part of a last minute compromise, the privacy law sets up a work group that will review the law and summit recommendations for amending the law before it goes into effect in 2023. If history teaches us anything, companies will use that work group to weaken an already weak law. Consumer rights advocates get a seat at the table, but we need more voices in Virginia to join us in calling for commonsense improvements to this law. We hope Gov. Northam and Attorney General Herring will join us in pushing for amendments to strengthen the Consumer Data Protection Act.
Steyer is CEO and Founder of Common Sense Media, an organization that “provides education and advocacy to families to promote safe technology and media for children.” It is based in San Francisco.