Last week, Virginia’s Joint Commission on Technology and Science held its second meeting of the Consumer Data Protection Work Group.

Instead of following a detailed rulemaking process for implementation like that provided for in the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA) is being reviewed over the next few months by a group of state officials, business representatives, and advocates. This group will publish recommendations by November 1, 2021, which the state legislature can consider if it amends the law before the VCDPA goes into effect on January 1, 2023. A stated goal of the group is to align the VCDPA with other privacy laws that states are enacting around the country.

At the meeting, the group heard public comments as well as a presentation by Deputy Attorney General Samuel Towell on behalf of the Office of the Attorney General of Virginia (OAG). The presentation covered issues that the OAG sees with the VCDPA’s implementation and proposed a number of recommendations for the group to consider:

  • Fund Two Attorneys and Two Staff Positions to Enforce the VCDPA: In order to meet staffing requirements, Mr. Towell recommended that the state establish positions for two attorneys and two staff members who can develop subject matter expertise, evaluate claims, manage investigations, issue civil investigative demands and litigate failures to comply with such demands, negotiate settlements, litigate enforcement measures, and oversee compliance of the VCDPA.
  • Replace the Soon-To-Be-Created “Consumer Privacy Fund” with the Existing Revolving Fund: Towell also raised an issue with the self-funding structure established by the VCDPA. Instead of creating the new Consumer Privacy Fund, which would fund VCDPA enforcement work through civil penalties incurred from violations of the law, he recommended that the existing “Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund” serve as the funding mechanism, which already supports the OAG’s Consumer Protection Section. In the OAG’s view, using the Revolving Fund would allow the OAG to budget enforcement work year to year and allow appropriators to decide how to use excess funds.
  • Allow for the OAG to Pursue Actual Damages on Behalf of Consumers: Although the law includes civil penalties that the OAG can pursue, he noted that the VCDPA does not provide a remedy for damages suffered by consumers who have had their data mishandled in violation of the law. Because the VCDPA lacks a private right of action, he proposed that the OAG seek actual damages on behalf of such consumers if a consumer could come up with a quantifiable amount associated with the violation, which the OAG could return to them. By contrast, the CCPA and CPRA enable the California Attorney General and newly-constituted California Privacy Protection Agency to seek only statutory damages.
  • Limiting the Ability To Cure Alleged Violations: Powell raised concerns about VCDPA’s 30-day cure provision, claiming that it does not create industry-wide deterrence. He also suggested that violations involving data sales or certain data breaches might not be able to be cured. The California Consumer Privacy Act (CCPA), by contrast, grants businesses a 30-day cure period for noticed violations.
  • The OAG’s Role in Providing Business Guidance: Finally, he recommended that the OAG play a role, but not take lead responsibility for educating businesses of their obligations under the VCDPA. He suggested that trade groups are better suited for such a role, even though trade groups would not have the same authority in how the OAG will interpret and enforce the law.

Should the Working Group adopt any of these recommendations, they would not become law unless enacted through legislative amendment. The next meeting of the Consumer Data Protection Work Group is scheduled for August 17, 2021 at 2:00 PM, with two more scheduled on September 13 and October 13.

Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Photo of Andrew Longhi Andrew Longhi

Andrew Longhi advises national and multinational companies across industries on a wide range of regulatory, compliance, and enforcement matters involving data privacy, telecommunications, and emerging technologies.

Andrew’s practice focuses on advising clients on how to navigate the rapidly evolving legal landscape of state…

Andrew Longhi advises national and multinational companies across industries on a wide range of regulatory, compliance, and enforcement matters involving data privacy, telecommunications, and emerging technologies.

Andrew’s practice focuses on advising clients on how to navigate the rapidly evolving legal landscape of state, federal, and international data protection laws. He proactively counsels clients on the substantive requirements introduced by new laws and shifting enforcement priorities. In particular, Andrew routinely supports clients in their efforts to launch new products and services that implicate the laws governing the use of data, connected devices, biometrics, and telephone and email marketing.

Andrew assesses privacy and cybersecurity risk as a part of diligence in complex corporate transactions where personal data is a key asset or data processing issues are otherwise material. He also provides guidance on generative AI issues, including privacy, Section 230, age-gating, product liability, and litigation risk, and has drafted standards and guidelines for large-language machine-learning models to follow. Andrew focuses on providing risk-based guidance that can keep pace with evolving legal frameworks.