Data Privacy Legislation Update
In the February edition of the Technology & Intellectual Property Update, we wrote about the Virginia Consumer Data Protection Act (“CDPA”) being sent to Gov. Northam to sign into law. He did just that on March 2, 2021. Virginia is now the second state to adopt a comprehensive data privacy law, following California with the California Consumer Privacy Act (“CCPA”) and the newly enacted California Privacy Rights and Enforcement Act (“CPRA”).
The CDPA, which will go into effect on January 1, 2023, differs from the California laws in important respects, and companies doing business in Virginia or marketing to Virginia residents will need to review their collection and use of consumer personal information and modify their compliance efforts accordingly. The CDPA grants Virginia residents the rights to access, correct, delete, know, and opt out of the sale and processing for targeted advertising purposes of their personal information, similar to the CCPA and CPRA. However, the CDPA departs from its California counterparts and aligns with the European Union’s General Data Protection Regulation in a few key respects, including through the use of “controller” and “processor” terminology, and with respect to the adoption of data protection assessment requirements. The CDPA also departs from the CCPA and CPRA by leaving enforcement entirely up to the attorney general and not providing a private right of action for consumers.
For the third year in a row, a comprehensive privacy bill titled the Washington Privacy Act found support in both legislative houses in Washington State, but failed to be reconciled between houses and as such was not enacted. As was the case in 2019 and 2020, the inclusion of a private right of action for violations of the law proved to be an obstacle to passage of the bill.
While a number of data privacy-related bills have been introduced, the most likely candidate that continues to gain traction appears to be the Information Transparency and Personal Data Control Act, introduced by U.S. Rep. Suzan DelBene (D-WA). This bill has been endorsed by the U.S. Chamber of Commerce and would require companies to obtain consumer opt-in for selling or sharing sensitive information. The bill would also require:
Companies produce their privacy policies in “plain English” within 90 days of the bill’s passage.
Users “opt in” before companies can use their sensitive personally identifiable information (“PII”). Users must also be made aware of how the information may be used and how it is not to be used. Companies would have 90 days to comply with this requirement if the legislation becomes law.
Companies must be transparent when it comes to sharing user information – stating the who, what, where, how and why.
The Federal Trade Commission (“FTC”) will be given the authority to fine companies on their first offense and empower state attorneys general to pursue offenders. If the FTC doesn’t act on a complaint within 60 days, the state attorney general may pursue legal remedies.
A “trust, yet verify” approach: every two years, a “neutral” privacy audit to ensure that companies (with information from 250,000 or more people) are handling PII in accordance with the provisions of the act.
The bill also provides the FTC an additional 50 full-time employees, 15 of whom must be technical experts (not further defined), and initial funding for the program of $35 million.