State Privacy Law Tweaked Seven Months Before It Takes Effect (Free Preview)

State Privacy Law Tweaked Seven Months Before It Takes Effect (Free Preview)
Photo from Pixabay

This is the free version of yesterday's post on follow on legislation changing a state's data privacy law.

Subscribe today for all the paywalled material posted on The Wavelength. Subscriptions are available for $250 a month and less for an annual subscription. I think you'll find the value to cost ratio is high with The Wavelength.

You can find previously posted content on technology policy, politics, and law on Substack and my blog.

Virginia Governor Glenn Youngkin (R) signed two bills into law that will alter the state’s data privacy statute ahead of its 1 January 2023 operative date in ways that both weaken and strengthen the law. If the past is any guide, this will not be the only round of legislation to alter the state’s new data privacy law. Indeed, we can also expect to see follow on bills in Colorado and Utah but probably not in California for reasons discussed below.

The “Virginia Consumer Data Protection Act” (VCDPA) (HB 2307/SB 1392) was enacted in February 2021, making Virginia the second state with a data privacy statute (see here for more detail and analysis). However, this bill is considerably weaker than either of California’s laws (i.e. the soon to be sunset California Consumer Privacy Act (CCPA) and the soon to be effective California Privacy Rights Act (CPRA)). The VCDPA would permit many of the same data collection and processing activities currently occurring in Virginia to continue largely in the same fashion in 2023. The bill uses the opt out consent model but only in limited circumstances, for if entities disclose how they propose to process personal information, there limited cases in which people could opt out. There is no private right of action, and the attorney general would have to give entities a 30 day window to cure any potential violations and would be barred from proceeding if his office receives an express written statement that the violations have been cured.

In a sense, the VCDPA resulted from California pushing through the CCPA, a law too strong for many industry stakeholders. Consequently, many of the largest companies elected for a strategy of passing bills they see as more favorable in state legislatures where opposition is weaker than in Washington where federal data privacy legislation has been stalemated. In Virginia, an Amazon lobbyist presented one of the legislation’s sponsors with the initial draft, which tracked the “Washington Privacy Act” closely, while consumer rights and civil liberties groups were shut off from the first steps of the process. In the same vein, Reuters documented Amazon’s role in defeating or weakening bills in 25 states. However, this is just one of the tech giants as the others have also fought for weaker laws as have trade associations and industry groups. As a result, those people, like me, who thought strong data privacy laws would follow the CCPA, especially in states controlled by Democrats like Washington and Virginia, were wrong. Instead, industry and those favoring less regulation have worked effectively at the state level, getting three bills enacted that are more favorable to their positions than to those of Consumer Reports, the Electronic Frontier Foundation, and others.

Other Developments

Photo from Pixabay by Georg11

The United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA) may have previewed its thinking on how to implement the “Cyber Incident Reporting for Critical Infrastructure Act of 2022” in a fact sheet titled “SHARING CYBER EVENT INFORMATION: OBSERVE, ACT, REPORT.”

The United States (U.S.) Department of the Treasury's Office of Foreign Assets Control (OFAC) issued a general license making clear that “all transactions ordinarily incident and necessary to the receipt or transmission of telecommunications involving the Russian Federation that are prohibited by the Russian Harmful Foreign Activities Sanctions Regulations, 31 CFR part 587 (RuHSR), are authorized” with some exceptions.

United States (U.S.) Federal Trade Commission Chair Lina Khan made remarks at the IAPP Global Privacy Summit, in which she “offer[ed] a few observations about the new political economy of how Americans’ data is tracked, gathered, and used; identif[ied] a few ways that the Federal Trade Commission is refining its approach in light of these new market realities; and share[d] some broader questions that I believe these realities raise for the current frameworks we use for policing the use and abuse of individuals’ data.”

Further Reading

Photo on Pixabay by afra32

How Democracies Spy on Their Citizens” By Ronan Farrow — The New Yorker

Microsoft’s Brad Smith says tech regulation is coming, so industry should participate in shaping it” By Lauren Feiner — CNBC

Cities ask Netflix, Hulu, stream services to pay cable fees” By Andrew Welsh-Huggins — Associated Press

Russia Is Leaking Data Like a Sieve” By Matt Burgess — WIRED

Chinese Tech Giants Lose Shine as Growth Stalls” By Clarence Leong — Wall Street Journal