A new state legislative approach to protecting consumers’ privacy rights has emerged recently – one that offers a promising model for other states to follow and that may finally help make a federal consumer privacy law a reality in the United States. The recently enacted Consumer Data Protection Act in Virginia establishes clear, comprehensive, and easy to understand privacy rights for consumers and requires companies to be transparent about how they collect, use, and disclose personal information relating to consumers. The legislation also sets reasonable limits on such processing activities without imposing complicated and administratively burdensome rules like those imposed under California’s Consumer Privacy Act (CCPA). Importantly, the state Attorney General serves as the backstop, enforcing the law and resolving unaddressed complaints without the need to resort to private litigation.
Rather than adopt the CCPA’s narrow focus on the buying, receiving, selling, or sharing of consumers’ personal information, the Virginia law covers all processing of consumers’ personal information and is much more akin to the types of protections found in data protection laws around the world. The Virginia law provides for more comprehensive consumer rights and protections. Furthermore, the law is written in a clear, succinct, and easier to understand manner with less prescriptive definitions and provisions.
If the goal of the law is to provide rules that are straightforward and consistent with expectations around the world, other states and Congress would be well advised to follow the example of Virginia.
Unlike the CCPA, which provides for four different types of notices depending on whether personal information is being collected, sold, or shared, the Virginia law requires businesses to describe all of their processing activities (collection, use, third-party sharing, and sale of personal data) in a single privacy notice. These obligations are imposed on businesses that are acting as “controllers” — those companies that, alone or jointly with others, determine the purpose and means of processing personal information.
The Virginia law provides consumers with comprehensive and easy to understand privacy rights. Consumers may confirm whether or not a company is processing their personal information and if so, access their personal information. They have the right to correct inaccuracies or delete their information and obtain a copy of their personal information that they previously provided to the company in a portable and readily usable format that they can then easily provide to other companies. Moreover, they may opt out of targeted advertising, the sale of their personal information, and/or any profiling used to make important decisions about them.
Rules for collection, use, and disclosure
The Virginia law also provides clear and straightforward rules for the processing of personal information. Controllers must limit the collection of personal information to what is adequate, relevant, and reasonably necessary for the disclosed purposes for which they process the information. As a general rule, consent is required to process sensitive personal information and to process personal information for purposes that are neither reasonably necessary for nor compatible with the purposes disclosed in the privacy notice. At the same time, the law ensures that companies are not hindered in carrying out essential and common-sense processing activities, such as processing that is necessary to provide a product or service specifically requested by a consumer, comply with a legal requirement, protect the life or physical safety of the consumer, prevent or respond to a data security incident, theft, or fraud, or cooperate with law enforcement.
Like many data protection laws around the world, the Virginia law requires controllers to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal information. Such data security practices must be appropriate to the volume and nature of the personal data at issue.
The Virginia law also imposes obligations on companies (“processors”) hired by controllers to process personal information on their behalf. In particular, processors must be contractually obligated to adhere to the controller’s instructions and to assist the controller in meeting its obligations, including responding to consumer rights requests, meeting the controller’s security and breach notification obligations, maintaining the confidentiality of the personal information, and providing the information necessary for the controller to conduct and document data protection assessments. This requirement ensures that the obligations and protections provided for under the law flow down to all entities involved in the processing of personal information.
Data protection assessment
To ensure that the risks to the rights of consumers from certain types of processing activities do not outweigh the benefits of those activities, controllers will be required to conduct data protection assessments. In particular, such assessments are required for processing that involves sensitive personal information, targeted advertising, profiling, the sale of personal information, or any other processing of personal information that presents a heightened risk of harm to consumers.
The state Attorney General (AG) has the exclusive authority to enforce the law; there is no private right of action. Prior to initiating any enforcement action, the AG must notify the controller or processor of the identified violation and give it 30 days to cure. If the violation is cured within that period and no further violations occur, the AG will not initiate an action for statutory damages.
The Virginia law provides a better and more privacy-protective model for protecting consumer data than the CCPA and other state and federal proposals. The law is both more comprehensive and more comprehensible. If states or federal legislators wish to adopt clear, easy-to-understand rules that companies can actually implement, the Virginia law provides a good path forward.