Virginia: The CDPA Work Group's final recommendations
At the time of the Consumer Data Protection Act's ('CDPA') passage, the Virginia General Assembly directed that a working group should be established to 'review the provisions of the [CDPA] and issues related to its implementation'. The Consumer Data Protection Act Work Group ('the CDPA Work Group') was directed to deliver its findings by 1 November 2021. While the CDPA Work Group delivered a final report, it left many questions unresolved, so we must wait to see what happens when Virginia's General Assembly convenes on 12 January 2022. John Pilch and Beth Waller, from Woods Rogers PLC, review the highlights from the CDPA Work Group's findings and the next steps in the journey of Virginia's implementation of a data privacy protection act.
Virginia State Government framework
Virginia's General Assembly, the legislative body of the Commonwealth of Virginia, is set to convene on 12 January 2022. The General Assembly meets annually for sixty days in even-numbered years and for thirty days in odd-numbered years. Control in the Virginia House of Delegates appears to have shifted from a Democratic party majority to a Republican majority, although two state elections are in the midst of recounts. Regardless, there has been a shift in the makeup of the Virginia General Assembly from the last session, when it convened and passed the CDPA.
Makeup of the CDPA Work Group
The CDPA Work Group was made up of a small group of individuals, two of whom were the bill's sponsors. The implementing bills for the CDPA directed that "the Chairman of the Joint Commission on Technology and Science shall create a work group composed of the Secretary of Commerce and Trade, the Secretary of Administration, the Attorney General, the Chairman of the Senate Committee on Transportation, representatives of businesses who control or process personal data of at least 100,000 persons, and consumer rights advocates". It so happened that the Chairman of the Senate Committee on Transportation was Senator David Marsden, who sponsored the CDPA in the Virginia Senate. The Chairman of the Joint Commission on Technology and Science was Cliff Hayes, Jr., the CDPA's sponsor in the Virginia House of Delegates.
In addition to the CDPA's sponsors and ex-officio members, the remaining members of the Work Group included the following individuals appointed by the Chairman:
- Keir Lamont, representing the Computer & Communications Industry Association;
- Jim Halpert, representing State Privacy & Security Coalition;
- Stacey Gray, representing the Future of Privacy Forum;
- Elizabeth Falcone, representing U.S. Senator Mark Warner;
- Dana Wiggins, representing the Virginia Poverty Law Center; and
- Gill Bland, representing the Urban League of Hampton Roads.
As noted above, the CDPA Work Group was tasked with "review[ing] the provisions of the act and issues related to its implementation". The bills directed that "the Chairman of the Joint Commission on Technology and Science shall submit the Work Group's findings, best practices, and recommendations regarding the implementation of this act to the Chairmen of the Senate Committee on General Laws and Technology and the House Committee on Communications, Technology and Innovation no later than November 1, 2021".
The work of the CDPA Work Group
The CDPA Work Group met six times and rendered its findings.[1] The CDPA Work Group's Final Report[2] summarises the meetings, public comments, and presentations from various interested parties ranging from national consumer interest groups to the Virginia Attorney General's ('AG') office.
The CDPA Final Report contains a number of bullet points and states that Delegate Hayes and Senator Marsden will present the Work Group's recommendations based on these points of emphasis during the upcoming legislative session. These 'points of emphasis', as the CDPA Work Group described them, can be broken into general topics.
AG related issues
Points of emphasis
- Direct an agency to promulgate regulations because the current CDPA does not allow the Office of the AG to promulgate regulations.
- Consider leadership, outside of the Office of AG, to lead an educational initiative to assist small to medium-sized businesses in complying with the CDPA.
- Submit a budget amendment to fund two staff members and two attorneys through general funds to lead enforcement of the CDPA from day one of enactment.
- Replace the Consumer Privacy Fund with the existing general funds.
- Allow the Office of the AG to pursue actual damages based on consumer harm, should they exist.
- Request an annual report from the Office of the AG on enforcement of the CDPA.
A number of the points of emphasis dealt with the practicalities of enforcement residing solely with the Virginia AG's office. This office is not currently staffed at a level to handle privacy claims. The representative of the Virginia AG's office noted that it, in contrast to the California AG's office, does not have the ability to promulgate regulations under the CDPA. The point of emphasis seeking to have an agency selected to promulgate regulations is perhaps one of the most critical notes in the document.
Right to cure and rights generally
Points of emphasis
- Employ an 'ability to cure' option for violations, should a potential cure exist.
- Authorise consumers to assert, and require companies to honour, a global opt-out setting as a single step for consumers to opt out of data collection.
- Sunset the right to cure provision after the initial years of CDPA enactment to prevent companies from exploiting this provision.
- Amend the provision on the right to delete to the right to opt out of sale in order to promote compliance and restrict further dissemination of consumer personal data.
- Consider a narrow exemption for §501(c)(4) non-profit organisations established to detect or prevent insurance-related crime or fraud.
- Study specific data privacy protection provisions for children.
- Recruit non-profit consumer and privacy organisations to address concerns with the definitions of sale, personal data, and publicly available information in the CDPA.
- Consider whether the definition of sensitive data should include general demographic data used to promote diversity and outreach to underserved populations.
- Encourage the development of third-party software and browser extensions to allow users to universally opt out of data collection, rather than individually from each website.
A number of the points of emphasis dealt with the ability to cure violations and the implementation of consumer rights. Note that there is a point of emphasis sunsetting the right to cure after the first years of implementation of the CDPA.
Issues related to educating the public and businesses
Points of emphasis
- Post and promote sample data protection forms on an educational website to provide guidance to smaller businesses seeking to comply with the CDPA.
- Create a website dedicated to educating consumers about their rights under the CDPA.
Several of the points of emphasis related to educating the general public about the CDPA and assisting businesses on how to conduct a Data Protection Impact Assessment.
What is missing?
Delegate Hayes mentioned in one Work Group session that the CDPA does not refer to or regulate facial recognition technology, as that was an important factor in the failure of the privacy bill in the state of Washington. The CDPA also steered away from controversies over a private right of action and the protection of employee data. Those topics were not addressed by the Work Group either. These topics will undoubtedly be picked up at a future date.
The CDPA Work Group met six times and considered significant input that they boiled down to a number of 'points of emphasis'. Ultimately, though, the Work Group did not put forward any concrete recommendations. Instead, the Work Group deferred to the CDPA's original sponsors and noted that Delegate Hayes and Senator Marsden will present the Work Group's recommendations based on these points of emphasis during the upcoming legislative session. The next few weeks will be critical for those watching Virginia's blossoming data privacy legislation, as new bills can be proposed amending the CDPA. This could happen in rapid fire starting 12 January 2022, as the Virginia legislative cycle is extremely short. On the other hand, bills addressing data privacy may be quashed, as the political landscape in the Virginia General Assembly has shifted from a Democratic majority across all levels of state government to Republican control. Privacy and business advocates will have to watch closely, and break out the popcorn, to see what happens next to the Virginia CDPA.
John Pilch Cybersecurity/Privacy Analyst
Beth Waller Chair, Cybersecurity, and Data Privacy Practice
Woods Rogers PLC, Richmond
1. Recordings of those meetings are available at: https://studies.virginiageneralassembly.gov/studies/557
2. Available at: https://rga.lis.virginia.gov/Published/2021/RD595/PDF