Consumer Data Protection Act & Personal Data Privacy Law
Virginia became the second state to adopt a much-needed data privacy legislation law, with aims to protect consumers from data theft and data misuse. Under the consumer data law, consumers gain important privacy rights, including the right to access, correct, delete, make portable their own information, and to avoid discrimination.
Consumers will also be able to opt-out of targeted advertising and prohibit the sale of their personal data. The law also describes several instances in which an entity may not be required to comply with consumer requests when compliance would be “unreasonably” difficult.
The Consumer Data Protection Act has broad support from the tech industry, as it is similar to an existing California law that went into effect in 2020. Although based on the same privacy principles, the Virginia law is seen as more industry-friendly than the California law. The new Virginia law does not allow individuals to bring lawsuits against tech companies for privacy violations. The law is expected to take effect in 2023. Violations of the law can result in fines up to $7,500 per violation.
The Lyon Firm is investigating data misuse claims and has experience legally engaging corporations following data breach events and personal data violations.
Consumer Data Laws
The passage of the privacy law is seen as a victory for consumers to crack down on personal data theft and data misuse. On example of a change in law is companies will be required to get permission before collecting certain types of data related to racial or ethnic origin, genetic data and location. The idea is to hold tech corporations accountable for protecting consumer data.
Other states, including Utah, Washington and New Jersey, are weighing their own data privacy legislation. The differing intricacies of the laws is likely to put more pressure on Congress to move toward federal privacy legislation. There have been attempts to pass data privacy bills but they have largely failed. The tech industry may apply its own pressure for a federal standard so they don’t have to navigate so many different state regulations.
Where is my data going?
Consumers want to know how their data is stored and where it ends up. That is not always an easy task, as personal data is sold to third parties by vendors and data winds up in the hands of several marketing agencies, not only big tech databases.
Because of such issues, consumers have pushed for a requirement for a broad opt-out browser setting that alerts companies that they want as little of their data collected as possible. The Virginia law is not set in stone, and lawmakers expect some revisions and additions as technology evolves in the coming years. One area of major concern is data privacy concerns related to various biometric, artificial intelligence collections and facial recognition technology.
Many companies will be accountable for understanding and enacting the new privacy laws, though some entities will be exempt, including the following:
- Public entities
- GLBA-covered entities
- HIPAA-covered entities
- Nonprofit organizations
- Higher education institutions
Several types of data are also exempted from the full scope of the law, including:
- Employer Data
- Protected Health Information under HIPAA
- Data regulated by the Family Educational Rights and Privacy Act
- Various other health-related data
Personal Data Protection
Companies will have several obligations under the new consumer data privacy law that include:
- Data Minimization: limiting the collection of personal data to only what is adequate, relevant, and necessary for the purpose of the data collection.
- Security: businesses must establish and maintain workable data security practices to protect consumers’ personal data.
- Data Security Assessments: Businesses must evaluate the risks associated the sale of personal data, the processing of data, and the distribution of data to marketing firms.
Consumer Data Privacy Rights
Lawmakers and consumer safety attorneys have highlighted specific consumer privacy rights, which include:
- Right to Access
- Right to Rectification
- Right to Deletion
- Right to Data Portability
- Right to Object to Data Processing
- Right to be Free from Discrimination