Last week, Virginia’s Joint Commission on Technology and Science held its second meeting of the Consumer Data Protection Work Group.
Instead of following a detailed rulemaking process for implementation like that provided for in the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA) is being reviewed over the next few months by a group of state officials, business representatives, and advocates. This group will publish recommendations by November 1, 2021, which the state legislature can consider if it amends the law before the VCDPA goes into effect on January 1, 2023. A stated goal of the group is to align the VCDPA with other privacy laws that states are enacting around the country.
At the meeting, the group heard public comments as well as a presentation by Deputy Attorney General Samuel Towell on behalf of the Office of the Attorney General of Virginia (OAG). The presentation covered issues that the OAG sees with the VCDPA’s implementation and proposed a number of recommendations for the group to consider:
- Fund Two Attorneys and Two Staff Positions to Enforce the VCDPA: In order to meet staffing requirements, Mr. Towell recommended that the state establish positions for two attorneys and two staff members who can develop subject matter expertise, evaluate claims, manage investigations, issue civil investigative demands and litigate failures to comply with such demands, negotiate settlements, litigate enforcement measures, and oversee compliance of the VCDPA.
- Replace the Soon-To-Be-Created “Consumer Privacy Fund” with the Existing Revolving Fund: Towell also raised an issue with the self-funding structure established by the VCDPA. Instead of creating the new Consumer Privacy Fund, which would fund VCDPA enforcement work through civil penalties incurred from violations of the law, he recommended that the existing “Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund” serve as the funding mechanism, which already supports the OAG’s Consumer Protection Section. In the OAG’s view, using the Revolving Fund would allow the OAG to budget enforcement work year to year and allow appropriators to decide how to use excess funds.
- Allow for the OAG to Pursue Actual Damages on Behalf of Consumers: Although the law includes civil penalties that the OAG can pursue, he noted that the VCDPA does not provide a remedy for damages suffered by consumers who have had their data mishandled in violation of the law. Because the VCDPA lacks a private right of action, he proposed that the OAG seek actual damages on behalf of such consumers if a consumer could come up with a quantifiable amount associated with the violation, which the OAG could return to them. By contrast, the CCPA and CPRA enable the California Attorney General and newly-constituted California Privacy Protection Agency to seek only statutory damages.
- Limiting the Ability To Cure Alleged Violations: Powell raised concerns about VCDPA’s 30-day cure provision, claiming that it does not create industry-wide deterrence. He also suggested that violations involving data sales or certain data breaches might not be able to be cured. The California Consumer Privacy Act (CCPA), by contrast, grants businesses a 30-day cure period for noticed violations.
- The OAG’s Role in Providing Business Guidance: Finally, he recommended that the OAG play a role, but not take lead responsibility for educating businesses of their obligations under the VCDPA. He suggested that trade groups are better suited for such a role, even though trade groups would not have the same authority in how the OAG will interpret and enforce the law.
Should the Working Group adopt any of these recommendations, they would not become law unless enacted through legislative amendment. The next meeting of the Consumer Data Protection Work Group is scheduled for August 17, 2021 at 2:00 PM, with two more scheduled on September 13 and October 13.