Last week, Virginia’s Joint Commission on Technology and Science held its second meeting of the Consumer Data Protection Work Group.

Instead of following a detailed rulemaking process for implementation like that provided for in the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA) is being reviewed over the next few months by a group of state officials, business representatives, and advocates. This group will publish recommendations by November 1, 2021, which the state legislature can consider if it amends the law before the VCDPA goes into effect on January 1, 2023. A stated goal of the group is to align the VCDPA with other privacy laws that states are enacting around the country.

At the meeting, the group heard public comments as well as a presentation by Deputy Attorney General Samuel Towell on behalf of the Office of the Attorney General of Virginia (OAG). The presentation covered issues that the OAG sees with the VCDPA’s implementation and proposed a number of recommendations for the group to consider:

  • Fund Two Attorneys and Two Staff Positions to Enforce the VCDPA: In order to meet staffing requirements, Mr. Towell recommended that the state establish positions for two attorneys and two staff members who can develop subject matter expertise, evaluate claims, manage investigations, issue civil investigative demands and litigate failures to comply with such demands, negotiate settlements, litigate enforcement measures, and oversee compliance of the VCDPA.
  • Replace the Soon-To-Be-Created “Consumer Privacy Fund” with the Existing Revolving Fund: Towell also raised an issue with the self-funding structure established by the VCDPA. Instead of creating the new Consumer Privacy Fund, which would fund VCDPA enforcement work through civil penalties incurred from violations of the law, he recommended that the existing “Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund” serve as the funding mechanism, which already supports the OAG’s Consumer Protection Section. In the OAG’s view, using the Revolving Fund would allow the OAG to budget enforcement work year to year and allow appropriators to decide how to use excess funds.
  • Allow for the OAG to Pursue Actual Damages on Behalf of Consumers: Although the law includes civil penalties that the OAG can pursue, he noted that the VCDPA does not provide a remedy for damages suffered by consumers who have had their data mishandled in violation of the law. Because the VCDPA lacks a private right of action, he proposed that the OAG seek actual damages on behalf of such consumers if a consumer could come up with a quantifiable amount associated with the violation, which the OAG could return to them. By contrast, the CCPA and CPRA enable the California Attorney General and newly-constituted California Privacy Protection Agency to seek only statutory damages.
  • Limiting the Ability To Cure Alleged Violations: Powell raised concerns about VCDPA’s 30-day cure provision, claiming that it does not create industry-wide deterrence. He also suggested that violations involving data sales or certain data breaches might not be able to be cured. The California Consumer Privacy Act (CCPA), by contrast, grants businesses a 30-day cure period for noticed violations.
  • The OAG’s Role in Providing Business Guidance: Finally, he recommended that the OAG play a role, but not take lead responsibility for educating businesses of their obligations under the VCDPA. He suggested that trade groups are better suited for such a role, even though trade groups would not have the same authority in how the OAG will interpret and enforce the law.

Should the Working Group adopt any of these recommendations, they would not become law unless enacted through legislative amendment. The next meeting of the Consumer Data Protection Work Group is scheduled for August 17, 2021 at 2:00 PM, with two more scheduled on September 13 and October 13.

Print:
EmailTweetLikeLinkedIn
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the…

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the U.S. Congress, and other federal and state regulators on a proactive basis, she has experience helping clients respond to informal investigations and enforcement actions, including by self-regulatory bodies such as the Digital Advertising Alliance and Children’s Advertising Review Unit.

Ms. Tonsager’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, behavioral advertising, e-mail marketing, artificial intelligence the processing of “big data” in the Internet of Things, spectrum policy, online accessibility, compulsory copyright licensing, telecommunications and new technologies.

Ms. Tonsager also conducts privacy and data security diligence in complex corporate transactions and negotiates agreements with third-party service providers to ensure that robust protections are in place to avoid unauthorized access, use, or disclosure of customer data and other types of confidential information. She regularly assists clients in developing clear privacy disclosures and policies―including website and mobile app disclosures, terms of use, and internal social media and privacy-by-design programs.

Andrew Longhi

Andrew Longhi is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and Communications and Media Practice Groups. Andrew advises clients on a broad range of privacy and cybersecurity issues, including compliance obligations, commercial transactions…

Andrew Longhi is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and Communications and Media Practice Groups. Andrew advises clients on a broad range of privacy and cybersecurity issues, including compliance obligations, commercial transactions involving personal information and cybersecurity risk, and responses to regulatory inquiries. Andrew is Admitted to the Bar under DC App. R. 46-A (Emergency Examination Waiver); Practice Supervised by DC Bar members.