By Hyung Jun Lee

Capital News Service

RICHMOND, Va. — Information technology experts say a new Virginia consumer data protection law could be more robust, but it will force businesses to rethink how they handle consumer data.

“This is the first time in Virginia that consumers will have the right to understand what data a company collects about them, and how they use that data and who they share it with,” said Andrew Miller, the co-founder of Workshop Digital, a Richmond-based digital marketing agency.

Senate Bill 1392 and House Bill 2307 are known as the Consumer Data Protection Act, or CDPA. The governor signed both bills into law this month.

The CDPA allows Virginia residents to retrieve a copy of their personal online data and delete the data. Consumers can opt out of allowing businesses to sell their data. 

Personal data is information that can be linked to a consumer’s profile, according to Joseph Jerome, director of state advocacy at San Francisco-based Common Sense Media. The nonprofit rates movies, TV shows and other media for age appropriateness and learning potential. 

“It’s important to have a broad understanding of personal data,” said Jerome, a lawyer whose expertise includes cybersecurity and data privacy.

What data will be affected

The law defines personal data as information that is linked or reasonably linkable to a person. 

“Consumers tend to think of personal information as something like their Social Security number or an email address, but new privacy regulations are really trying to get at the sorts of data that go into customer profiles,” Jerome said.

A company can attach traits to a user, such as the individual’s perceived race, education level and political affiliation, according to Jerome. 

“The issue isn’t so much what one single company collects, but rather how companies share data among themselves and use that information to infer even more about us,” he said.

Some companies track consumers’ location.

“If a person is at location A at time Y and location B at time Z, if those two locations are coordinates for your home and office, it’s pretty easy to infer who that person is,” Jerome said.

The CDPA impacts companies which handle the data of at least 100,000 consumers annually, or which control or process the data of at least 25,000 consumers and make over half of their gross revenue from selling data.

CDPA exceptions

There are exceptions. Companies won’t have to participate if they are protected by the Health Insurance Portability and Accountability Act which restricts the release of medical information or the Gramm-Leach-Bliley Act to protect health and financial data. The GLBA requires financial institutions to safeguard sensitive banking information.

“So in certain scenarios, Google is a business associate under HIPAA,” Jerome said. “Apple offers financial products on its iPhone, you know, has the Apple credit card.”

The Virginia measure is different from the 2018 California Consumer Privacy Act. The California law also regulates how companies buy, sell, license and share data but with stricter parameters in place. California voters recently voted to amend and strengthen the privacy act, with the changes going into effect in 2023. Unlike the Virginia law, California consumers can pursue legal action for a breach of certain information. In Virginia, the attorney general’s office would handle the enforcement of the CDPA, from consumer complaints to the enforcement of fines. 

The California law impacted businesses in Virginia, such as Richmond-based IT consulting firm CapTech. The company helps clients bring IT systems into compliance with the California law, said CapTech Principal Peter Carr. 

“It affected our business in that it gave us more opportunities to sell into our clients and to help them with their problems around privacy,” Carr said. 

Businesses predict impact

CapTech is preparing for Virginia’s new data protection law to go into effect. 

“I briefed my partners on the law, we made some projections as to how much business we could generate from this law and how many clients this could apply to,” Carr said.

Other experts in the data field speculate that the CDPA could force businesses to rethink the value of consumer data. Miller, the co-founder of Workshop Digital, said companies can highlight how they protect consumer data to stand out from competitors.

“When you’re telling your customers that we actually care about your data, we keep it secure, here’s how you can access it and what you can ask for us to remove, then I think it shows that the business is aligned with the customer,” Miller said.

He also said the CDPA could move the focus from collection of data to the protection of consumer data.

“If it passes as it’s written now, it’ll mostly affect larger businesses or companies that aggregate and collect a lot of data about Virginia consumers or citizens,” Miller said. “It’ll force companies to rethink how they capture data, what they use it for, how much data they actually need and start to pivot towards having a privacy-driven message to their consumers.”

Consumers will have the ability to exert some control over how their data is used by businesses and across the internet, according to Randy Franklin, the vice-president and general manager at Terazo, a Richmond-based software and platform development company. 

“This bill is important for consumers because consumers are increasingly aware of the fact that they are tracked in their online activities,” Franklin said. “They want to understand that the information that these providers and businesses are collecting on them is used in a manner that aligns with how they would like to see that information be used.”

Concerns over data protection act

Jerome said Common Sense Media has concerns about the bill and said several things are still unclear. People do not read privacy policies and can be overwhelmed by choices such as requesting or deleting personal information, he added.

“We’re not entirely sure how it’ll be enforced, there are a number of provisions in the law that are, for a lack of a better word, squishy,” Jerome said. “That said, you know, it certainly creates a baseline set of protections that don’t exist for Virginians.” 

Furthermore, to be effective, Miller said the bill requires that Virginia consumers are informed about their rights to access their data.

“The way it’s written now is it puts the emphasis on the consumer to request their data or request their data be deleted,” Miller said. “It doesn’t obligate a company to do that proactively without the consumer requesting it.”

Miller and Jerome hope the CDPA will encourage discussion in Congress and help create a broader national data protection law.

“It’s the first step towards figuring out what a national data protection or data privacy law could look like, which would benefit consumers everywhere rather than just having a patchwork of state specific laws and regulations,” Miller said.

The Consumer Data Protection Act will take effect January 2023. The chairman of the Joint Commission on Technology and Science will establish a work group to review the bill and report any issues related to its implementation by Nov. 1.


Capital News Service is a program of Virginia Commonwealth University’s Robertson School of Media and Culture. Students in the program provide state government coverage for a variety of media outlets in Virginia.