Virginia Passes Privacy Bill Amid Enforcement, Compliance Concerns
Virginia could soon become the second state with a comprehensive privacy law, after California. The Senate voted 32-7 Friday to send HB-2307 to Gov. Ralph Northam (D), who's expected to sign (see bulletin). Business privacy attorneys are watching New York and Washington as possible next states and monitoring bills in Connecticut, Florida, Minnesota, Oklahoma and Utah, they said in interviews last week. The Virginia and Washington bills are weaker than California’s mandate and would do more harm than good, privacy advocates told us.
Virginia would let consumers access, correct, delete and obtain copies of personal data, plus opt out of targeted advertising. The state attorney general would enforce the bill after giving 30 days to cure violations. The bill doesn’t include a private right of action. The House voted 89-9 Thursday for SB-1392, the Senate's same version (see 2102180061). The Senate concurred Friday with House changes to add a work group to review the law and implementation issues and report to the legislature by Nov. 1, before the law takes effect Jan. 1, 2023. The governor's office didn’t comment.
The Northam administration suggested the study group “so for the next year, we can continue to look at any deficits that this bill may have” and make any necessary changes, said SB-1392 sponsor Sen. David Marsden (D) at the livestreamed floor session. Sen. Scott Surovell (D) said the plan is “completely backwards” because it puts burden on consumers rather than companies. It won’t be enforceable, protested Sen. Chap Petersen (D). Sen. John Cosgrove supports the bill even though he prefers having a private right of action, said the Republican: “Half a loaf is better than none.”
Virginia isn’t known as a “heavily regulatory state,” but “elections have consequences,” said Kelley Drye's Alysa Hutnik, referring to the Democrats taking power of both chambers in 2019. Two states with privacy laws means businesses’ “operational nightmare” about a state patchwork is becoming reality, she said. It could provide momentum for more state laws, but because the Virginia law doesn’t take effect until 2023, there’s time for Congress to consider passing a preemptive federal statute, she said.
The legislation could reach Northam as soon as this week, and he’s expected to sign, said Wiley's Joan Stewart. The bad news for businesses is they will have to comply with two separate state laws, she said. While “heavily borrowed from" the California Consumer Privacy Act, "it doesn’t match exactly.”
States to Watch
After Virginia, a Washington state bill appears furthest along among comprehensive privacy bills. SB-5062 cleared two committees (see 2102160040 and 2101210054), but the House has an alternative bill (see 2101290053) that differs on enforcement, a sticky issue that halted the Senate bill in two previous years (see 2101220043). Connecticut's SB-156 is scheduled for hearing Thursday in the Joint Committee on General Law.
Washington, a state once leading the pack behind California, looks to be falling behind, said Husch Blackwell’s David Stauss. He noted that lack of a private right of action has been a major “bugaboo” stopping the state from passing a new law.
It's still the most likely state to next pass a privacy bill, though “some danger points” are in the House, said Stewart. Virginia's passage of a similar bill might increase pressure, she said. Stewart highlighted a growing trend of red states such as Florida, Oklahoma and Utah “trying to slap back at big tech.”
Robinson+Cole's Deborah George is closely watching New York, where Gov. Andrew Cuomo (D) included a comprehensive privacy measure in the budget (S-2505/A-3005) and several other bills are pending, she said. “It’s clearly a priority for the governor.” The lawyer sees broader industry support this year for the Washington Senate bill.
Washington "made several runs at it,” and New York tends to be active on consumer protection, said Hutnik. Like Stewart, the attorney flagged several red states floating comprehensive privacy bills, some in early stages. The proposals share similar concepts -- such as giving consumers rights to access, delete and correct personal information -- but details and definitions differ enough to create potential compliance issues, said Hutnik. The most restrictive state could ultimately become the standard, because it’s tough for companies to have different operational practices for each state, she said.
California voters' backing of a CCPA sequel in November (see 2011040028) increased pressure for a national law, said Hutnik. There's no “precedent for broad-scale preemption of a consumer protection law,” said the attorney, who “can’t see a situation” where House Speaker Nancy Pelosi, D-Calif., eliminates California’s privacy law.
Consumer advocates slammed the Virginia and Washington bills over opt-out consent and not allowing consumers to sue violating companies with a private right of action. They criticized the bills for including a “right to cure” allowing companies to fix a problem to avoid enforcement. They took issue with the bills exempting data covered by federal laws.
Microsoft and Amazon are wrong for supporting the bills in each state, the advocates said. Amazon backs privacy legislation that "requires transparency about data practices; allows consumers to opt-out of the sale of personal data; and ensures consumers have the right to request access to and deletion of their personal information," a spokesperson emailed, saying bills in Virginia and Washington accomplish those goals. Microsoft didn’t comment.
The Virginia and Washington bills are “almost identical,” as Virginia’s was modeled after Washington's, but the former is slightly worse, said Susan Grant, Consumer Federation of America consumer protection and privacy director. One provision included in Virginia and struck in Washington lets companies offer goods and services at lower quality if consumers opt out of targeted ads. Companies are “essentially saying if you want your privacy, you have to pay more,” she said.
"If people can’t actually enforce their rights, how meaningful are any rights facilitated in the bill?” asked Jennifer Lee, American Civil Liberties Union Washington technology and liberty project manager. She called her state’s legislation “really weak” and “riddled with language” that doesn’t give consumers meaningful control. Exempting a federal privacy law is “unnecessary” and weakens protections, she said. ACLU Washington supports Democratic Rep. Shelley Kloba’s People’s Privacy Act (HB 1433), which requires opt-in consent and a private right of action.
Electronic Frontier Foundation Legislative Activist Hayley Tsukayama agreed Virginia’s bill is weaker than Washington’s. California is effectively the baseline, and other states are trying for weaker standards, she said, noting Virginia’s Marsden is pitching his bill as a model for a federal law. Microsoft supported state bills similar to the one in Virginia, she said.
Cuomo’s plan would legitimize and standardize current data collection and sharing practices and undermine current protections, wrote the New York Civil Liberties Union, EFF and Fight for the Future. It “confers liability protections on manufacturers without providing any additional protections to individuals,” they wrote: It lacks a “meaningful enforcement mechanism,” relying on the secretary of state without a private right of action.