The General Assembly is promoting legislation that encourages Virginia customers to protect their internet data better, but critics argue that the bill does not include people’s right to file private litigation against corporations that misuse the new regulation.
In both chambers of the state legislature, the measure is known as the Consumer Data Protection Act. On Thursday, House 89-9 passed the Senate version, sponsored by Sen. David Marsden, D-Fairfax. Edition of The Home, supported by Del. Cliff Hayes, D-Chesapeake, is awaiting a final vote, but Thursday was adopted for the day.
“Consumers should have the right to know what they are collecting,” Hayes said when the bill was introduced.
The Data Protection Act allows consumers to retrieve, amend or delete a copy of their online data and to opt out of allowing large companies to sell the data.
Hayes requires corporations to treat customer knowledge responsibly.
“The bottom line is that when it comes to the protection of individual data, we want the controllers to know what their role is,” Hayes said during a meeting of the House committee. “We believe that no matter who you are as an organization, you need to be responsible when it comes to handling of data of consumers.”
The bills apply to companies that control or process at least 100,000 consumers’ personal data per year. It also affects companies that process data from at least 25,000 customers per year and generate more than half of their gross income from the sale of personal data. The companies must be located or serve Virginians in Virginia.
Under the Consumer Data Protection Act, enforcement of this legislation would be handled by the attorney general’s office. From consumer complaints to the enforcement of fines, the office would manage anything.
“The office of the Attorney General will have the depth and breadth, the experience, the investigative tools needed to understand and follow business trends and to ensure that they bring the muscle of that office to the table,” Hayes said.
Microsoft’s Senior Director of Public Policy Ryan Harkins testified in favor of the proposed law.
“Over the past few decades, we’ve seen dramatic changes in technology and U.S. law has failed to keep pace,” Harkins said. “It has fallen behind much of the rest of the globe and has failed to address growing privacy challenges.”
Harkins said that since 2005, Microsoft has been advocating for data protection legislation. He said the public has lost confidence in technology, and passing comprehensive legislation on data protection can help win back the trust of the public.
Harkins said the measure stands alongside leading legislation on data protection, such as the Consumer Privacy Act of California and aspects of the General Data Protection Regulation of the European Union.
“It would go further in some respects and provide the most extensive and robust privacy laws in the United States,” Harkins said.
Attorney Mark Dix spoke on behalf of the Virginia Trial Lawyers Association in protest against the bill. He said that the measure would harm Virginians because “it will close the doors of the courthouse.”
“It offers the consumer, the individual who is actually hurt, no cause for action whatsoever,” Dix said. “It provides no remedy for the consumer whatsoever.”
Dix argued that the enforcement of this legislation is restricted to the consumer by the attorney general’s office. Using a hypothetical scenario, Dix asked what would happen to Virginians if there were a change in administration and data protection was not prioritized by the Attorney General.
In January 2023, the Consumer Data Protection Act will come into effect. Marsden told a Senate subcommittee that allows time to “deal and field any other tweaks to the bill or difficulties that someone figures out.”