Updated March 2: Gov. Ralph Northam signed the Consumer Data Protection Act on Tuesday. In a statement, sponsor Sen. David Marsden, D-Fairfax, said, “This is a huge step forward. By creating this omnibus bill, we take the lead in data privacy in the United States. This omnibus bill is clear, concise and holds companies accountable for protecting consumer data in providing protections for consumers.” Also, Utah plans to pass an identical bill by the end of the week, Marsden added.
Earlier:
Virginia is set to become the second state in the nation to enact a consumer data protection law, after Gov. Ralph Northam signs Virginia’s newly passed Consumer Data Protection Act. California was the first state to enforce data protection.
The act, which was passed by the General Assembly last month, would let consumers receive copies of their online data, amend or delete that data, and opt out of allowing big businesses to use the data for marketing or other purposes. It would take effect on Jan. 1, 2023. It affects only corporations that have personal data for at least 100,000 consumers in Virginia, or that make more than 50% of their income from the sale of personal data of at least 25,000 consumers in Virginia. If the bill is approved by the governor, the state’s Joint Commission on Technology and Science also will establish a work group to assess the bill’s implementation and release a study on its findings by this November.
Any fines collected from companies would go toward a “consumer privacy fund” in the state treasury, according to the bill.
That would keep all fines collected separate from the state’s General Fund, so they can be used for more specific purposes — similar to Virginia’s opioid abatement authority, which receives funds from lawsuits against opioid makers and distributors that are set aside for addiction prevention and treatment.
In terms of real-life impact, the bill will make it easier for people to opt out of sharing some personal details with big companies, notes Andrew Miller, vice president of strategy at Workshop Digital, a Richmond-based digital marketing firm. It also will place limits on large companies’ ability to use and sell details about Virginia users’ online lives, down to granular detail like which NFL team they prefer, which blender they bought last year or how often they listen to certain musical artists — if customers decide to opt out.
Virginia’s bill is “not on its face difficult from a compliance standpoint” for businesses, says Ashley L. Taylor Jr., a partner at Troutman Pepper who has a focus on federal and state government regulatory and enforcement matters. “The complexity is created by the fact that California is slightly different, Virginia is slightly different and there are rumblings in Oklahoma” for a data privacy law. But if more states follow the leads of Virginia and California, it could create a “patchwork of laws,” Miller notes.
More state data laws also means a lower chance of a federal bill that would supersede states’ acts and require more regulations, Taylor adds. Also fewer law firms will be willing or able to advise companies on compliance from state to state, since attorneys would have to be experts on how enforcement is taking place in multiple jurisdictions.
Civil enforcement of Virginia’s act, like California’s, would lie with the state attorney general’s office.
Virginia’s legislation would affect more than just the largest companies active here, despite the 100,000-customer benchmark. California’s Consumer Privacy Act of 2018, which allows California residents to opt out of the sale of their personal information and the right to delete some personal information already collected, has “touched every business, even a pizza place that has a rewards program,” Taylor notes. Every website or app that collects data is required to include an opt-out link under California’s law, and Virginia’s statute is similar, although a bit “scaled back,” he says.
Although California’s law, which is based on the European Union’s General Data Protection Regulation (GDPR) act, has had an impact on companies, corporate decisions to shift away from collecting more data also are affecting policies — and bottom lines.
“Google Analytics is way out in front with privacy,” Miller says. “Google and Google Analytics are planning a future … [in which] third-party cookies are going to be phased out in the next year. Chrome will stop allowing cookies to track people.”
Also, Apple has made recent moves to increase customer awareness of data collection, making its Identifier for Advertisers an explicitly opt-in setting with its operating system update set for this spring.
That means that unless an iPhone user selects the option that they want advertisers to track their purchases to measure ad effectiveness, marketers will not have access to that information. What this means for Google and Facebook is a potential loss of billions of revenue, financial analysts predict. Facebook has been in a standoff with Apple over the iOS update and another coming feature, the App Tracking Transparency program, which would require users to opt in to allow apps to track them across different apps and websites.
With these industry-driven changes and the possibility of other states soon following Virginia and California’s lead in consumer data protection, many companies will likely have to make some significant changes in their marketing practices in the next few years. California enacted its legislation, the state attorney general’s office reviewed companies’ websites, and if there wasn’t plain language showing users how to contact the company about data collection, “they got subpoenas,” Taylor says.
Virginia’s effective date of Jan. 1, 2023, should give companies plenty of time to comply, Taylor adds, as long as “the attorney general and the state give [companies] guidance on their regulations and expectations of business. You’ve got to have a target to shoot at. Maybe an open forum, a conference — some type of public conversation. That’s what I’m hoping for.”
Subscribe to Virginia Business.
Get our daily e-newsletter.