A very weak consumer data privacy bill is sailing through the Virginia legislature with backing from Microsoft and Amazon, which have both testified in support of the bill. The bill, SB 1392, and its companion, HB 2307, are based on a Washington privacy law backed by tech giants that has threatened for two years to lower the bar for state privacy bills. If you’re a Virginia resident who cares about privacy, please submit a comment to the House Committee on Technology, Communications, and Innovation before it meets on Monday, Feb. 15.
EFF has long advocated for strong privacy legislation. Consumer privacy has been a growing priority for legislatures across the country since California in 2018 passed the California Consumer Privacy Act—a sweeping, first-of-its-kind piece of privacy legislation in the country. Since then, several states have considered broad data privacy laws; California amended its privacy law in 2020.
But not all privacy laws are the same. While California’s law is itself not perfect, a bill in the style of the Washington Privacy Act is a step in the wrong direction—particularly the version of the bill under consideration in Virginia. Bills that follow this model allow companies to appear to be doing a lot to protect privacy but are full of carveouts that fail to address some of the industry’s worst data privacy abuses.
The Virginia bill stacks the deck against consumers even more under its “right to cure” provision: If the Attorney General sues a business for violating people’s privacy, the business has a chance to fix what it did wrong, which would make the Attorney General's lawsuit go away. Considering how much time and work goes into bringing a lawsuit, giving the other side a cheap and easy out clearly illustrates how a right to cure allows you to look like you care about privacy without actually having to care.
Virginia’s privacy law also explicitly allows companies to engage in “pay for privacy” schemes, which punish consumers for exercising their privacy rights. In Virginia’s case, the bill says that consumers who opt out of having their data used for targeted advertising, having it sold, or for profiling, can be charged a different “price, rate, level, quality or selection of goods and services.” That means punishing people for protecting their privacy—a structure that ends up harming those who can’t afford to protect themselves against data protection. Privacy should have no price tag.
A strong privacy bill would protect people’s privacy by default by letting them opt in to data sale and use, rather than having to go to each company to ask them to stop using their information. It would require companies to commit to strict standards for what information they ask to collect in the first place. And it would also have real teeth to make sure that companies don’t get away with violating privacy rights.
EFF has joined with other national privacy groups, as well as with consumer advocates in Virginia, to ask the legislature to consider amendments that prioritize their constituents’ rights over empty promises from businesses.
Virginia’s lawmakers have made it clear that they want to hear from their own constituents who may be concerned about this matter. Tell your lawmakers to hit the brakes on this bill, and work to craft a better law for the people they serve.