The Virginia Consumer Data Privacy Act and the Emerging “Patchwork” Privacy Regime

By Ahmed Eissa

The states have long been regarded as the laboratories of democracy, free to “try novel social and economic experiments without risk to the rest of the country.” Currently, the latest experiment is comprehensive data privacy legislation – laws that seek to give consumers more control over their data and limit what businesses can do with consumers’ information. 

Virginia Governor Ralph Northam signed the Consumer Data Protection Act (VA-CDPA) into law on March 2, 2021, making it the second state behind California to enact an omnibus data privacy law. The VA-CDPA goes into effect on January 1, 2023, giving the affected businesses and organizations a little under two years to come into compliance with the new consumer protection scheme. 

The law only affects businesses that control or process personal data of at least 100,000 consumers within a calendar year, or businesses that control or process personal data of at least 25,000 consumers and derive over 50 percent of their gross revenue from the sale of personal data. In other words, the VA-CDPA targets businesses seemingly at home in Virginia, and businesses who are primarily involved in the sale of Virginians’ personal data. 

Generally, the VA-CDPA is meant to hold businesses and organizations - otherwise known as “data controllers,” a term stemming from the European Union’s (EU) General Data Protection Regulation (GDPR) - responsible for what they do with consumer data, while simultaneously expanding consumers’ rights regarding that data. The law includes rights for consumers to receive copies of their data, amend and/or delete their data, and opt-out of data-sharing agreements between the data controller and third parties.

Notably, the VA-CDPA also requires businesses to obtain permission before collecting sensitive data, which includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, precise geolocation data, and more. Businesses are also compelled by the VA-CDPA – as data controllers – to conduct data protection assessments of the personal and/or sensitive data they collect to identify and assess the potential benefits associated with collection and processing against the potential risks to consumer rights associated with that processing.

In addition, the law lacks a private right of action - i.e., the legal right for consumers to sue after violations. Privacy advocates argue that a private right of action empowers consumers to act in their own interest following a statutory violation, rather than having to rely on the state to bring them justice. Instead, the VA-CDPA delegates enforcement to the Virginia Attorney General (rather than a separate and independent enforcement agency) and specifies that any fines collected as a result of a civil enforcement matter will go toward a “consumer privacy fund” in the state treasury. Amounts paid into the fund will be used to support the Attorney General’s enforcement efforts, rather than being paid out to harmed consumers.

But for all the good the VA-CDPA intends to do, it is not without criticism. Indeed, the privacy law has come under heavy scrutiny from various civil society groups focused on consumer privacy rights. For example, only days before the bill was signed into law, a joint press release was issued by the Virginia Citizens Consumer Council, the Consumer Federation of America, the Electronic Frontier Foundation, Privacy Rights Clearinghouse, and US Public Interest Research Group urging Governor Northam to veto the VA-CDPA, or to send the bill back to the legislature for consideration during the next legislative session.

The fundamental concern for these groups is that the VA-CDPA falls short of adequately protecting Virginians’ privacy. The chief shortcomings with the law, the groups contend, are that: 1) the law adopts an “opt-out” framework, whereas opt-in frameworks have greater privacy protections; 2) the law lacks a robust data minimization requirement; 3) the law does not account for collection of personal data from third-party sources (e.g., social media); 4) the law lacks an overall right for consumers to avoid being profiled; and 5) the law would have no significant effect (if any) on large tech companies that serve targeted advertisements on their own platforms on behalf of other companies.

Outside of the substantive criticisms, there are also strong objections to the role that industry played in crafting the VA-CDPA. It was no secret that large tech companies backed the law; Microsoft and Amazon, for example, openly testified in support of the bill. But press reports indicate even closer involvement in bringing the law to fruition. Indeed, an Amazon employee originally presented Virginia Senator David Marsden - the chief co-patron of the legislation - the text of the bill. “Amazon gave us the first cut of a draft to look at that was based on other work,” Marsden told the press. 

The emergence of the Virginia and California consumer privacy laws is stoking fears of an eventual “patchwork” regulatory system, where businesses may be forced to comply with 50 separate consumer privacy regimes. Privacy bills in Washington, New Jersey, Utah, and Oklahoma, for example, have been the subject of wide discussion in data protection and privacy circles, while more than a dozen other states have active developments with their privacy bills.

A patchwork system is not inherently bad - especially in the absence of a unified federal law - but as previously noted, the main worry is over complying with different and/or conflicting requirements of the various state laws. This requires businesses to - before the effective date of any given privacy law - conduct a comprehensive data mapping to understand where personal data is coming from and where it’s going, update policies and procedures to ensure consumer requests are handled diligently, identify and review data-sharing contracts, and redraft and update public privacy documents. Ultimately, these efforts have the potential to consume a significant amount of business resources and may require engineers, lawyers, product managers, and business executives to work together in ways they haven’t before. Some states, like Virginia, may elect to establish a working group to assess a privacy law’s implementation in order to aid in compliance efforts.

One theory is that a patchwork of different state privacy laws will increase the pressure on Congress to create a federal alternative - especially because it would lessen the compliance burdens on affected businesses - and yet another theory holds that dozens of independent laws will lower the chances of a federal law, since the states have seemingly “solved” the problem. There is already some credence to the latter theory, even in the privacy and information security space: every state has its own data breach notification law, and Congress has never succeeded in passing a superseding, federal counterpart (the last bill on this topic was introduced in 2017, and was the third iteration on the matter).

Given the federal government’s resource constraints for protecting consumer privacy at scale, its inability to pass unifying legislation, and the momentum that California and Virginia have initiated - state privacy law experiments are poised to continue moving forward in the coming years. What remains to be seen, however, is which states will produce the most effective privacy schemes and how businesses respond.