Virginia Gov. Ralph Northam on Tuesday signed a comprehensive consumer data privacy bill, making the commonwealth the second state to implement such a policy.
The new Consumer Data Protection Act, which will take effect in 2023, will allow Virginians to opt out of having websites collect or sell their personal information and ask those companies to see what data they’ve collected, with the option to edit or delete it. In doing so, Virginia follows California in offering its residents expansive protections from online data collection.
The Virginia act will also require companies to obtain users’ permission when collecting “sensitive” data, related to racial or ethnic origin, religion, mental or physical health conditions, sexual orientation or citizenship and immigration status.
However, the Virginia law does not go as far as the California Consumer Protection Act in the legal remedies it offers to residents who feel their personal data is being used wrongfully. Unlike the CCPA, which gives individual Californians the right to bring personal lawsuits against companies, the Consumer Data Protection Act leaves all enforcement in the hands of the Virginia attorney general’s office.
But that condition made the Virginia law more palatable to the tech industry than California’s. Both Microsoft and Amazon — which is building a $5 billion office campus the Northern Virginia suburbs of Washington, D.C. — testified in support of the bill in January as it moved through the state legislature.
Privacy-rights groups like the Electronic Frontier Foundation warned last month that the bill was too industry-friendly, especially for including language that it argued could let companies change the “price, rate, level, quality or selection of goods and services” offered to customers who opt out of data collection.
“That means punishing people for protecting their privacy—a structure that ends up harming those who can’t afford to protect themselves against data protection. Privacy should have no price tag,” Hayley Tsukayama, an EFF legislative activist, wrote in February.
In adopting the new law, Virginia advances the trend of states adopting their own consumer data privacy regulations in the absence of a federal statute. While only two states have succeeded so far, several others have made attempts. A Washington state bill, which partly inspired the Virginia measure, failed to make it through the state Senate there last year after lawmakers disagreed over whether individuals should be allowed to sue companies.
More recently, Florida Gov. Ron DeSantis proposed a privacy bill aimed at any company doing at least $25 million in revenue and that would give Floridians the individual right to sue over how their data is being used.