The Consumer Data Protection Act establishes a framework for controlling and processing personal data.
RICHMOND – Virginia State Sen. Dave Marsden is 72 and yet he still gets calls offering to help him refinance college debt.
“That’s the kind of stuff that people go through,” Marsden said.
There’s the unsolicited call, the random email or even the letter in your mailbox. Oftentimes, the promise of a discount or the necessity of a service come with a price. That’s the selling of personal information. However, most people don’t realize they give out as much information as they do.
From signing up for a convenience store rewards card to driving off with a new registration at the DMV, a variety of places ask for everything from an email address to a home address. Without first considering the implications, many people freely expose information they would normally not display.
While the 10% discount at the clothing store in exchange for an email address might seem tempting, the store doesn’t only pass along its generosity. Sometimes, it also passes on the consumer’s information, selling it to a third party.
“Data can be a funny thing. I mean, it could be your gas rewards card or your grocery store rewards cards. And these are good things. These are things that people want. You know, you want these guys to have your data, to give you your discounts,” said Marsden. “You don’t want them necessarily selling that data or abusing it in some way.”
He decided to do something about that.
Consumer Data Protection Act
In January, the senator proposed Senate Bill 1392, the Consumer Data Protection Act. It established a framework for controlling and processing personal data.
On Tuesday, Gov. Ralph Northam signed the bill, making it a law. However, the new law has a delayed effective date of January 1, 2023.
The law applies to those conducting business in Virginia who either control or process personal data of at least 100,000 consumers or derive over 50% of gross revenue from personal data sales and control or process personal data of at least 25,000 consumers.
The law outlines responsibilities and privacy protection standards for data controllers and processors. It also grants consumer rights to access, correct, delete, obtain a copy of your personal data. You can also opt out of the processing of personal data for targeted advertising purposes.
“For the first time, it will give Virginians an opportunity to view their data, make changes to their data and not have to be able to opt out of having their data sold for advertising purposes,” Marsden said. “And it gives them greater control and it provides direction for the controllers. Those are the owners of the data and the processes, the people that actually process it. [It] gives them a set of rules and regulations to follow.”
The law also provides that the attorney general has exclusive authority to enforce violations.
“[That’s] so that everybody will have an enforcement mechanism, not just those with the wherewithal to contact and hire attorneys,” Marsden said.
JOIN THE CONVERSATION: Sign Up For Dogwood’s Newsletter
While the Consumer Data Protection Act may not halt all personal information sales, it will put a stop to many.
“I think this is a great first step in starting to gain control of this marketplace of personal information that seems to exist in our country,” Marsden said.
However, just because Northam signed the bill into law does not mean it will go into effect immediately. It will take time.
“It’s really a monumental effort for businesses to adjust to this, you know, do the computer work necessary and what have you. It’s time consuming and what have you, but it is a paradigm shift in what we need to do,” Marsden said.
The senator will not iron out the wrinkles by himself.
“We have a work group this year through the administration. I’ll be on the work group as well as my counterpart, Del. Cliff Hayes, who passed the House version of the same bill,” Marsden said. “We’re going to be on that work group to further refine how we can make it stronger for consumers and fair for businesses who do deal with this data.”
In the 2022 regular session, Mardsen hopes to add the results of the work group.
“The important thing was to get started and put something on the books and it’s something serious,” Marsden said. “And it is.”
Exceptions For Consumer Data
There are a few exceptions to the law.
The law does not apply to state or local governmental entities or certain types of data and information governed by federal law.
“With this bill, we’ve tried to not create a burden on small business. So we’ve exempted people with less than 100,000 data sets because in the data world, that’s not very much,” Marsden said. “[We] exempted nonprofits and some other things because, you know, we don’t want them to have the burden of coming into compliance with this law, that it might be really hard for them. But for the big guys, that’s what we’re taking a big slice out of.”
And while the law’s perfection might depend on who’s speaking, Marsden expressed it’s a step in the right direction.
“For those who complain, ‘we didn’t go far enough,’ you know, the only thing I can say is yesterday, you had nothing. Gov. Northam signed the bill [and] today you’ve got significant protection,” Marsden said.
Amie Knowles reports for Dogwood. You can reach her at [email protected]