Keypoint: The VCDPA Work Group’s final report contains 17 “points of emphasis” derived from six Work Group meetings; however, the Work Group’s recommendations for modifying the VCDPA will not be presented until the legislature opens in January 2022.

On November 1, 2021, the Virginia Consumer Data Protection Work Group issued its 2021 Final Report. By way of background, § 59.1-581.2 of the Virginia Consumer Data Protection Act (VCDPA) required the Chairman of the Joint Commission on Technology and Science to create a work group to “review the provisions of [the VCDPA] and issues related to its implementation.” The Chairman was required to “submit the work group’s findings, best practices, and recommendations regarding the implementation of [the VCDPA] to the Chairmen of the Senate Committee on General Laws and Technology and the House Committee on Communications, Technology and Innovation no later than November 1, 2021.”

The Work Group met six times from June to August 2021. A summary of those meetings is contained in the Final Report and copies of materials relating to those meetings are available on the Joint Commission’s webpage.

Ultimately, the Work Group identified 17 “points of emphasis” from its six meetings but stated that the Work Group’s “recommendations based on these points of emphasis” would be presented by Delegate Hayes and Senator Marsden (the VCDPA’s sponsors) during the upcoming legislative session.

Below is a summary of the points of emphasis along with some analysis. For ease of reference, we have grouped the points of emphasis into seven categories.

Enforcement:

  • Submit a budget amendment to fund two staff members and two attorneys to lead enforcement from day one
  • Allow the Attorney General to pursue actual damages based on consumer harm, should they exist
  • Sunset the “right to cure” after an initial period
  • Employ an “ability to cure” option for violations, should a potential cure exist
  • Request an annual report from the Attorney General on enforcement
  • Replace the Consumer Privacy Fund with the existing general funds

Enforcement was the most cited topic in the points of emphasis. That should come as no surprise, as enforcement has been a central issue in the negotiation of state consumer privacy bills (not to mention potential federal legislation). Business advocates will be relieved to see that adding a private right of action is not one of the points of emphasis.

That said, the potential sunsetting of the “right to cure” is notable. Under the California Consumer Privacy Act (CCPA), businesses have thirty days to cure alleged violations. However, that right to cure will disappear when the California Privacy Rights Act (CPRA) comes into effect in January 2023. The Colorado Privacy Act (CPA) will initially have a right to cure when it goes into effect on July 1, 2023, but it will sunset on January 1, 2025. If Virginia keeps its right to cure, that would affect its ability to engage in multistate enforcement actions, since businesses could conceivably cure a violation in Virginia but not in California or Colorado.

Consumer Rights:

  • Authorize consumers to assert, and require companies to honor, a global opt-out setting as a single step for consumers to opt out of data collection
  • Encourage the development of third-party software and browser extensions to allow users to universally opt out of data collection, rather than individually from each website
  • Amend the “right to delete” provision to be a “right to opt out of sale” provision in order to promote compliance and restrict further dissemination of consumer personal data

The first two recommendations must be placed into context. In July, the California Attorney General’s office publicly stated that businesses that sell personal information must honor Global Privacy Control signals. The CPRA also requires rulemaking on technical specifications for an opt-out preference signal to indicate a consumer’s intent to opt out of the sale or sharing of personal information and limit the use or disclosure of the consumer’s sensitive personal information. Similarly, the CPA requires the Colorado Attorney General to adopt technical specifications for one or more universal opt-out mechanisms to signal a consumer’s intent to opt out of targeted advertising or sales. Incorporating such concepts into the VCDPA would further align the three laws. It also would make a stronger case for including such a provision in other state bills that will be considered in 2022.

Rulemaking Authority:

  • Direct an agency to promulgate regulations because the current VCDPA does not allow the Attorney General to promulgate regulations

The absence of rulemaking authority in the VCDPA could prove problematic in the coming years as the text of the VCDPA inevitably will need to be applied to changes in technology. Granting rulemaking authority to a state agency could help deal with those issues.

Children’s Data:

  • Study specific data privacy protection provisions for children

Regulating the collection and use of children’s data is a topic that finds widespread support. However, regulating in this area can be complicated because of the federal Children’s Online Privacy Protection Act.

Definitions:

  • Recruit nonprofit consumer and privacy organizations to address concerns with the definitions of “sale,” “personal data,” and “publicly available information” in the VCDPA
  • Consider whether the definition of “sensitive data” should include general demographic data used to promote diversity and outreach to underserved populations

The second bullet point deals with the argument that it is beneficial to underserved populations to have their sensitive demographic data collected and processed by businesses. The VCDPA currently requires consent for the collection of sensitive data, which would limit such activities.

Exceptions:

  • Consider a narrow exemption for § 501(c)(4) nonprofit organizations established to detect or prevent insurance-related crime or fraud

Education:

  • Consider leadership, outside of the Attorney General’s office, to lead an educational initiative to assist small to medium-sized businesses in complying with the VCDPA
  • Create a website dedicated to educating consumers about their rights under the VCDPA
  • Post and promote sample data protection forms on an educational website to provide guidance to smaller businesses seeking to comply with the VCDPA

Although the last point of emphasis is geared towards small businesses, the development of sample data protection forms would be useful to businesses of all sizes, especially if those forms address how to manage multi-state (and international) disclosure obligations while maintaining transparency and readability.

The Virginia legislature is scheduled to convene on January 12, 2022.