Virginia becomes second US state to enact baseline privacy law

Virginia’s governor signed the state’s privacy legislation into law, following California to become the second US state to enact a baseline privacy law, lawmakers said.

“The governor has signed the bill and we’re excited here in the Commonwealth that we have a comprehensive way of protecting consumers,” Delegate Cliff Hayes, Jr., told MLex. Hayes is a Democratic lawmaker who chairs the state House Communications Technology Innovation Committee and sponsored the Virginia Consumer Data Protection Act.

The new Virginia law will give residents new rights to access, correct, delete and obtain a copy of personal data, and to opt out of the processing of personal data for targeted advertising. It also assigns new obligations to “controllers” and “processors” — much like Europe’s General Data Protection Regulation — such as transparency, purpose limitation, data minimization, and data-security requirements.

At least 18 US state legislatures have proposed comprehensive consumer privacy bills this year giving their residents more control over their personal online information.

In addition to the new Virginia law, which takes effect in 2023, similar bills are moving forward quickly in Utah and Oklahoma. Proposals in Florida and New York have the backing of their state governors, a Republican and a Democrat, respectively. Many of the bills hew closely to legislation that has become law in California, or that has been proposed in Washington state.

Both houses of the Virginia legislature approved the privacy legislation by wide margins. The Virginia Senate passed its version, SB 1392, almost unanimously in February, after the Virginia House of Delegates approved its nearly identical companion bill, HB 2307, on Jan. 29.

Hayes told MLex soon after Virginia’s bill was signed today by Governor Ralph Northam that one key to lawmakers’ success in passing legislation was deciding to keep controversial privacy issues, such as facial recognition, separate from what became the approved law. The Virginia law also lacks a private right of action that would allow consumers to bring their own lawsuits over a privacy violation or data breach.

Hays said he and Senator James Marsden, who led the privacy bill effort in the other chamber of the Virginia legislature, looked at the failure of Washington state lawmakers over several years to pass a baseline privacy law, and decided to keep things as simple as possible.

The issue of consumer privacy “is so vast that you cannot try to boil the ocean,” Hayes said. Instead, Virginia lawmakers opted to fashion a bill around basic privacy principles as “a framework you can build around,” he said.

Partly because of the omission of a private right of action, the Virginia bill has drawn the criticism of some privacy advocates, including Alastair Mactaggart, the key backer of the California Consumer Privacy Act which took effect last year, and the new California Privacy Rights Act which voters approved in November.

“That thing is a wolf in sheep’s clothing,” Mactaggart told MLex today, adding the Virginia law “is so much weaker than ours.”

Mactaggart said he is also concerned that the Virginia law puts the onus on consumers to opt out of the sale of their data, rather than following California’s model of using third-party companies, apps or even browser settings to opt-out of the sale of personal data.

But Mactaggart agreed that having states like Virginia and California passing laws, as well as states such as Florida — where he said he's talking to privacy proponents — considering even stronger privacy legislation is likely to focus the attention of the US Congress on the issue.

There “should be national privacy law, but don’t preempt” state laws like California’s, Mactaggart said.