The General Assembly is advancing legislation that allows Virginia consumers more protection with their online data, though opponents say the measure does not include the ability for people to file private lawsuits against companies that breach the proposed law.
The measure is known as the Consumer Data Protection Act in both chambers of the state legislature. The Senate version, sponsored by Sen. David Marsden, D-Fairfax, passed the House 89-9 on Thursday. The House version, sponsored by Del. Cliff Hayes, D-Chesapeake, is awaiting a final vote but was passed by for the day Thursday.
“The consumers should have the right to know what is being collected about them,” Hayes said when introducing the bill.
The data protection act allows consumers to retrieve a copy of their online data, amend or delete this data and opt out of allowing large businesses to sell the data.
Hayes wants businesses to responsibly handle consumer information.
“The bottom line is, we want the controllers to know what their role is when it comes to the protection of individual’s data,” Hayes said during a House committee meeting. “We believe that no matter who you are as an organization, you need to be responsible when it comes to handling of data of consumers.”
The bills apply to businesses that control or process personal data of at least 100,000 consumers per year. It also impacts businesses that handle data of at least 25,000 consumers per year and make more than half of their gross revenue from selling personal data. The businesses must be located in Virginia or serve Virginians.
Under the Consumer Data Protection Act, the attorney general’s office would handle the enforcement of this legislation. The office would handle anything from consumer complaints to the enforcement of fines.
“The attorney general’s office will have the depth and breadth, experience, the investigative tools necessary to know and to follow trends of companies and to make sure that they bring the muscle of that office to the table,” Hayes said.
Microsoft’s Senior Director of Public Policy Ryan Harkins testified in favor of the proposed law.
“We’ve seen dramatic changes in technology over the past couple of decades and U.S. law has failed to keep pace,” Harkins said. “It’s fallen behind much of the rest of the world and failed to address growing challenges of privacy.”
Harkins said that Microsoft has advocated for data protection laws since 2005. He said that the public has lost trust in technology, and passing comprehensive data protection legislation can help win the public’s trust back.
Harkins said that the measure stands alongside leading data protection legislation such as California’s Consumer Privacy Act and aspects of the European Union’s General Data Protection Regulation.
“In some respects, it would go further and provide the most comprehensive and robust privacy laws in the United States,” Harkins said.
Attorney Mark Dix spoke in opposition of the bill on behalf of the Virginia Trial Lawyers Association. He said the measure would hurt Virginians because it is “going to close the courthouse doors.”
“It provides no cause of action whatsoever for the consumer, the person who is actually hurt,” Dix said. “It provides no remedy whatsoever for the consumer.”
Dix argued that having the attorney general’s office handle the enforcement of this legislation limits the consumer.Using a hypothetical scenario, Dix asked what would happen to Virginians if there was an administration change and the Attorney General did not prioritize data protection.
The Consumer Data Protection Act would take effect in January 2023. Marsden told a Senate subcommittee that allows time to “deal and field any other tweaks to the bill or difficulties that someone figures out.”