There are times when it seems there are far too many technology policy developments to stay on top of, and that is just in the United States (U.S.). And while I have written at some length about the Washington legislature making yet another run at enacting privacy legislation for the third straight year, I apparently should have been paying attention to the state of my residence, Virginia. Last month, the legislature started working on privacy bills, and over the last week or so both chambers have passed bills with identical text, meaning enactment is all but assured. And so, as this will be only the second comprehensive privacy regime enacted by a state (after California's) and there is no sign that 2021 is the year Congress and the White House agree on federal legislation, this may be the most significant development on privacy this year.
In mid-January, the “Consumer Data Protection Act” (SB 1392/HB 2307) was introduced and quickly made its way through both chambers of the Virginia legislature. In the last week, identical bills were passed by the Senate and the House of Delegates, with only the formality of reconciling the two bills remaining before the measure is sent to the Governor. If it is enacted, as seems very likely, the act takes effect on 1 January 2023, giving the entities it covers just shy of two full years to prepare.
Big picture, this bill is one of the weaker privacy bills within sight of enactment. It would permit many of the same data collection and processing activities currently occurring in Virginia to continue largely in the same fashion in 2023. The bill uses an opt-out consent model, but only in limited circumstances: once an entity discloses how it proposes to process personal data, there are only a few cases in which people can opt out. There is no private right of action, and the attorney general would have to give entities a 30-day window to cure any potential violation and would be barred from proceeding if his office receives an express written statement that the violations have been cured. Given how much weaker this bill is than others, it is little wonder it is sailing through the Virginia legislature.
Those entities subject to the act are:
- An entity that controls or processes the personal data of 100,000 or more residents; or
- An entity that controls or processes the personal data of 25,000 or more residents and earned more than 50% of its gross revenue in the previous year from selling personal data
However, the bill also has the carveouts characteristic of a number of privacy bills introduced over the last few years, exempting entities covered by some of the following federal privacy regimes, among others:
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)/Health Information Technology for Economic and Clinical Health (HITECH) Act
- Financial Services Modernization Act of 1999 (aka Gramm-Leach-Bliley)
- Fair Credit Reporting Act (FCRA)
- Family Educational Rights and Privacy Act (FERPA)
- Children’s Online Privacy Protection Act (COPPA)
A key difference between this bill and others with similar language is that an entity merely needs to be covered by one of these laws, not necessarily compliant with it. Most other privacy bills require compliance with these and other federal regimes as a condition of the exemption.
The Consumer Data Protection Act uses the same terminology as the European Union’s (EU) General Data Protection Regulation (GDPR) regarding entities that determine how personal data will be processed and those that do the processing: controllers and processors respectively.
A number of definitions are crucial in the bill. Personal data excludes publicly available data and de-identified data. The latter exclusion creates a safe harbor and an incentive for entities to de-identify the personal data they collect, maintain, and process, because most of the new obligations the bill imposes on covered entities attach only to personal data. The definition of personal data is fairly broad, as it includes “any information that is linked or reasonably linkable to an identified or identifiable natural person.” A subset of these data is subject to more stringent protection: sensitive data, which includes:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
- The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
- The personal data collected from a known child; or
- Precise geolocation data.
The definition of “sale of personal data” may be so narrow that some common practices in the data world fall outside it, and this matters because people are given the right to opt out of the sale of their data, not necessarily the sharing of it. Companies like Facebook have gone before Congress and stated that they do not sell the personal data of their users, and this seems to be accurate. Instead, they trade and share personal data, activities that would seem to fall outside the bill's definition, which covers “the exchange of personal data for monetary consideration by the controller to a third party.” Had the definition said just “consideration,” then activities like Facebook's would have been subject to the opt-out right. As written, a fair reading of “monetary consideration” would seem to be cash or its equivalent, and it is arguable whether a controller trading personal data with a third party qualifies. This may get sorted out by a Virginia court.
There are the by now expected exceptions to the strictures against collecting and processing data without the consent of residents, some of which controllers and processors may bend out of all shape.
The Consumer Data Protection Act would create the same sorts of rights for people that other privacy bills would. And as with almost all the other privacy bills, a person could submit a request to a controller that must be responded to within 45 days, which is not to say that action must occur within that timeframe. If the request is complex or there is some other reason why 45 days is not enough, the controller may notify the person and then take another 45 days. If the controller denies the request, the person may use the appeal process each controller must have, and if the appeal is also denied they may file a complaint with the state attorney general's office.
Among the rights people would get vis-à-vis controllers under the Consumer Data Protection Act are:
- Requesting whether a controller is processing their personal data, and if so, obtaining access to such personal data
- Correcting inaccuracies in personal data, taking into account the nature of the information and the purposes of the processing, which suggests that for lower-stakes processing and information of lesser importance controllers may be free to deny such requests
- Asking that personal data be deleted
- Receiving one’s data in portable format
- Opting out of processing:
  - for the purpose of targeted advertising;
  - for the sale of personal data; and
  - for “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer”
Taking the last right first, it appears people could not opt out of most processing of their personal data. There are some other circumstances under which people in Virginia would be able to opt out, but these are limited. Consequently, it appears the default would be that controllers are able to collect and process within certain limits, discussed below. The rights to delete, correct, and port are fairly standard.
Controllers must “[l]imit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.” Moreover, it is made clear that processing without consent is permissible so long as it is reasonably necessary for or compatible “with the disclosed purposes for which such personal data is processed.” Processing for purposes beyond those that are reasonably necessary or compatible is permitted, but only with the consent of the person. And so there will be fights about which purposes are exempt from the consent requirement, as controllers will almost certainly seek to push the boundaries of what is “reasonably necessary” or “compatible.” Of course, a controller may also write a disclosure notifying people of very broad processing of personal data, so that people would be on notice about this processing and the consent requirement would rarely be triggered.
The Consumer Data Protection Act uses boilerplate language about security requirements. Controllers must “[e]stablish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data…[and] [s]uch data security practices shall be appropriate to the volume and nature of the personal data at issue.” (The statute says “accessibility” where security practice usually says availability.) The implicit sliding scale in this formulation is elegant in style, but how difficult will it be for controllers, processors, the attorney general, people, and courts to determine where the lines lie for particular classes of information?
The bill bars processing of personal data in violation of federal and state anti-discrimination laws. Controllers cannot retaliate against people who exercise the rights established by the act, with some important caveats. This provision states that nothing “prohibit[s] a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised his right to opt out pursuant to § 59.1-573” (i.e., opting out of targeted advertising, the sale of one's personal data, or profiling used to make decisions with legal effects). Hence, exercising the opt-out right could get costly, as controllers would be free to offer different tiers of services or products. There is also a carveout for loyalty and rewards programs. Sensitive data, by contrast, may not be processed at all without consent.
There is a provision nullifying contractual language ostensibly forcing people to forgo any of the rights bestowed by the bill.
Controllers must provide privacy policies that identify the categories of personal data being processed and the purposes of the processing, inform people how they can exercise their rights, and name the categories of personal data shared with third parties and the categories of third parties with whom personal data are shared. Controllers who process for targeted advertising or sell data must make these facts conspicuous in their privacy policies. There is no language on the complexity, comprehensibility or length of such policies. Given the dense and impenetrable privacy policies currently available to people, it stands to reason that this will continue to be the norm in Virginia.
Processors are bound to follow the instructions of the controllers that share personal data with them, and this and other obligations must be set down in a contract between the parties. Processors will also need to help controllers in a number of ways, including responding to consumer requests and assisting in the event of a data breach. Processors will be required to cooperate with controllers that perform audits. Moreover, processors must delete or return personal data to the controller upon request and will have a duty of confidentiality.
For certain classes of processing, controllers will need to conduct data protection assessments:
- Selling data
- Targeted advertising
- Profiling, but only if there are “reasonably foreseeable risks” of:
  - (i) unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (ii) financial, physical, or reputational injury to consumers; (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or (iv) other substantial injury to consumers;
- Sensitive data; and
- “Any processing activities involving personal data that present a heightened risk of harm to consumers”
Controllers must conduct these assessments according to a number of factors and considerations:
Data protection assessments…shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller.
The Attorney General may request and receive these data protection assessments in the course of an investigation, but they must be kept confidential and would not be subject to a freedom of information request.
Regarding de-identified data, controllers holding this type of data must commit to not re-identifying it and make reasonable efforts to ensure these data cannot be associated with people. Additionally, if a controller holds personal data in pseudonymous form with “any information necessary to identify the consumer” being held safely and securely separate from the pseudonymous data, then the controller does not need to respond to a number of consumer requests.
Naturally, this privacy bill contains a long list of exceptions, including compliance with federal and state law and court orders and warrants. Many of these are fairly standard, but there are some that may lend themselves to creative, expansive interpretations by controllers and processors looking to get out of complying with the act such as:
- Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action;
- Conduct internal research to develop, improve, or repair products, services, or technology;
- Effectuate a product recall;
- Identify and repair technical errors that impair existing or intended functionality; or
- Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer’s existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.
The Virginia Attorney General would be able to enforce the act. However, before bringing an action, the Attorney General must “provide a controller or processor 30 days' written notice identifying the specific provisions of this chapter the Attorney General, on behalf of a consumer, alleges have been or are being violated.” And amazingly, if the controller or processor provides “an express written statement that the alleged violations have been cured and that no further violations shall occur,” the Attorney General cannot bring an action unless there are further violations. Only if the violation is not cured, or recurs, could the Attorney General seek civil penalties of up to $7,500 per violation.
There was a private right of action in the House's version of the bill last year. It would have let residents use the private right of action that already exists under the Virginia Consumer Protection Act in the event the act was violated.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.