Del. Cliff Hayes, who crafted the House version of the policy, led the Virginia Consumer Data Protection Act Working Group in studying the implementation question during several sessions from June 2021 to October 2021. The working group released its final report on Nov. 1.
The 10-person working group included representatives from various parts of government as well as from a data privacy think tank and a technology industry association — viewpoints that typically fall on the opposing side of the privacy debate.
A variety of organizations appealed to the working group during its sessions to seek exemption from some of the law’s provisions, Hayes told Government Technology. But he and working group member Sen. Dave Marsden, who wrote the Senate version of the legislation, thought granting such requests would change the nature of the law beyond what the Legislature and governor had agreed to.
LexisNexis, for example, said it was concerned it might comply with consumers’ data deletion requests only to obtain information about them again through later data collections. The firm requested to be able to retain — but not sell — some information on these individuals to allow it to identify those desiring greater levels of privacy when it came across them again, per the report. Marsden said more time would be needed to consider such a request and any unintended consequences, however.
With data privacy policy, success relies on staying focused on a limited, core objective, the legislators said.
“Until this Act gets up and going, it’s fragile, it’s new,” Marsden said. “We want to make sure we don’t make mistakes. We’ve got everybody on board with what we’ve got right now.”
The working group report summarizes exemption requests but largely does not advocate for them. It highlights key topics that arose and its recommendations center on educating the public about the new privacy rights, furnishing the attorney general with new resources to enforce the law and indicating areas for further consideration.
The report recommends supplying the attorney general’s office with two more attorneys, two more staffers and general fund monies, and Marsden currently is working on a Senate bill that would furnish new resources by July 2022 — six months before the office assumes its new responsibilities.
Legislative change-up in early November means that Hayes is unlikely to continue heading the relevant House committee. Hayes and Marsden had acted in lockstep to getting the original privacy act passed, and while that law’s enactment is guaranteed, the extent to which the working group recommendations will be taken up is more uncertain, Hayes said.
PATH TO LEGISLATION
Hayes and Marsden took Government Technology back through the journey to creating a privacy law in the first place, something they said hinged on compromise and a limited scope.
Hayes took Washington state’s unsuccessful legislation as a model, and said he learned from what went wrong — and right — there.
“Their bill went a long way before it died on the floor,” Hayes said.
But one problem was Washington tried to tackle the thorny issue of facial recognition as part of its overall privacy push. Legislators need a lot of time to fully familiarize themselves with that technology and its implications, which could slow progress on any broader privacy bill that addresses it or see policymakers rejecting the whole thing outright due to concerns over that slice, Hayes said.
A simpler bill may leave some goals on the wayside, but legislation that fails to garner the votes it needs leaves behind all goals, Hayes reminded.
“I hear people talking about stuff that’s not in our bill, that we should’ve put in our bill and all of that kind of stuff. But the very ones who say that, they don’t have a bill — they don’t have protection,” Hayes said.
Compromise was also key, Marsden said.
“Is this the bill that the data advocacy groups wanted?” Marsden said. “A lot of it is, yeah. But a lot isn’t. Is it what the business community wanted? No. But we had to take into consideration some of their concerns. This is compromise legislation.”
Hayes said another key strategy was to keep the House and Senate versions of the bill identical. Otherwise, the policy might become tangled up in protracted reconciliation debates, preventing anything from passing.
“I said to [Marsden], ‘If you change a comma, let me know, and you have to defend why you’re changing it, so I can change the comma in mine, so we can have exact bills.’ Because some people do not want to see this happen — do not want to see legislation be successful in this matter,” Hayes said.
NAMING AN ENFORCER
States vary in how they enforce their privacy laws, with some permitting residents to sue companies that violate their data protection rights and others relying on the attorney general holding the business community to task. Washington’s bill left enforcement to the attorney general, but sparked pushback from some groups like the American Civil Liberties Union (ACLU).
Marsden said he believed some Washington lawmakers’ commitments to pushing for a private right of action contributed to the bill’s failure, and he said Virginia’s choice to rely on state enforcement helped get engagement from businesses that would otherwise oppose consumer data privacy legislation. Firms were more willing to provide feedback and help hammer out policy if it meant heading off the threat of a future version that might instead permit private right of action, he said.
That’s not the only reason Marsden and Hayes turned to the attorney general for enforcement, however. Hayes said he believes the office has the clout to make big firms change their ways, whereas individual consumer lawsuits may fall short. The issue was also one of equity, with wealthier residents more likely than low-income ones to be able to afford to sue, Marsden said.
OPT-OUT OR -IN?
Privacy laws vary over how organizations must seek consumer consent to use their data. Maine passed a law that would prohibit ISPs from using data on consumers unless they opt in, while Californians must opt out of letting businesses sell their data, for example.
The picture can get more complex, and a Federal Trade Commission (FTC) report released last month raised concerns that some Internet service providers (ISPs) design their opt-out processes in counterintuitive or misleading ways that prevent consumers from successfully completing the process.
Virginia decided consumers should opt out, something Marsden said protects the financial viability of companies that rely on digital advertising or similar data-based revenue.
“So much of our commerce in this country depends on digital advertising and online purchasing,” Marsden said. “We didn’t want to just wipe that out.”
The working group report also notes that several stakeholders proposed encouraging third parties to develop tools like browser extensions that would strengthen opt-out capabilities by providing consumers with a universal opt-out option to spare them from having to indicate their preferences on each individual website.
