For years, U.S. lawmakers looking to craft their own privacy bills have only had two models to follow: the California Consumer Privacy Act and the European Union's General Data Protection Regulation.
But if all goes as expected in Virginia this month, the state could soon provide another blueprint that industry stakeholders, especially, would prefer to see replicated in other states and on the federal level.
Despite its short 46-day legislative session, Virginia lawmakers are quickly pushing through a comprehensive privacy bill that was introduced Jan. 13 and will be put to a vote on the full Senate floor as early as Friday -- after which it will head to the House, where a similar version of the bill has already been introduced.
“Virginia is in a unique position to be a leader on this issue,” state Sen. David Marsden (D) said last week when the bill was being presented to the state Senate Committee on General Laws and Technology.
In Virginia, lawmakers have settled on a framework that only pertains to businesses that have at least 100,000 customers in the state, or any business that makes 50 percent of its gross revenue from the sale of personal data and processes personal data for at least 25,000 consumers.
The bill, which would go into effect Jan. 1, 2023, if passed, also gives consumers the right to access, correct and delete the data that businesses collect about them, as well as the ability to opt out of data collection outright.
But the key piece contributing to its quick passage, and a major reason why industry stakeholders back it, is that the bill doesn’t give consumers the ability to sue companies when those data rights are violated, known as a private right of action. While the California and European Union privacy acts include such a right in certain cases, debate over whether to include a private right of action stalled progress on a privacy bill in Washington state last year and has continued to slow federal efforts.
Instead, enforcement in Virginia’s version would sit solely with the state attorney general’s office, and despite the state’s Democratic control, few lawmakers have publicly pushed back against the exclusion of a private right of action.
Tom Foulkes, senior director of state advocacy at BSA | The Software Alliance, said the hope is that Virginia’s ability to establish and nearly pass a comprehensive bill in just one session could serve as a model for other states eyeing their own versions.
Virginia’s bill is modeled after a slimmed-down framework seen in Washington state, where lawmakers have spent the past three sessions debating its contents, specifically those regarding enforcement. The Virginia legislation has 10 sections across eight pages, while the EU’s GDPR includes nearly 100 articles and CCPA has 18 sections and a range of changes passed in a recent ballot measure to follow.
Foulkes said Washington’s template is easier for businesses to implement, and Virginia’s bill is similarly “more intentional without being more detailed.”
The bill has also caught the attention of tech giants like Microsoft Corp. and Amazon.com Inc., both of which had delegates weigh in at the Virginia Senate technology subcommittee meeting last week to support the bill’s passage. Both companies, which are headquartered in the Seattle area, have also backed Washington state’s framework.
In California, the tech industry attempted to push forward several amendments before the enactment of the law that would change the definition of personal information and what collected data consumers had the right to see.
While consumer privacy advocates celebrate whenever a state decides to prioritize privacy legislation, much like with the Washington legislation, many believe the bill in Virginia falls short in giving consumers the full scope of rights they need.
“We have concerns about where these types of bills place the balance of protecting consumers versus making things a little bit easier for companies,” said Hayley Tsukayama, a legislative activist at the Electronic Frontier Foundation.
Tsukayama said there are a number of areas where the bill can be strengthened with consumers in mind, such as including language that limits what companies can collect to begin with and ditching a provision that allows the attorney general to give companies a 45-day warning whenever they’re found to be in violation of the law.
Maureen Mahoney, a policy analyst at Consumer Reports, said she’d like to see the bill enable consumers to enlist the help of a proxy to navigate the opt-out process, which the group’s research has found to be tricky in California.
Since the bill wouldn’t go into effect until 2023, both industry representatives and consumer advocates say it’s possible that more amendments could be considered in the state’s legislative session next year, mirroring attempts to do so in California before its enactment. Marsden said during the subcommittee meeting last week that a stakeholder oversight group that helped draft the bill plans to stay intact to hash out any smaller issues with the legislation before 2023.
In the meantime, having a second state pass its own comprehensive privacy legislation could send a signal to Congress to prioritize its own discussions about a federal standard, Foulkes said, noting industry’s concerns about having to comply with a patchwork of state privacy laws.
Craig Albright, BSA’s vice president of legislative strategy, said, “States move fast, and I think the Hill is just absorbing it. Virginia acting is going to get people to focus.”