• by Wendy Davis  @wendyndavis, February 8, 2021

Virginia is on the verge of passing a broad privacy law that is partially modeled on the one in California, although considered weaker by some advocates.

The Virginia Consumer Data Protection Act (SB 1392) would require companies to allow consumers to access, correct and delete personal data.

The bill would require companies to obtain consumers' affirmative consent before processing “sensitive” data -- including information about race, religious beliefs, health, sexual orientation or immigration status, as well as precise geolocation information and some biometric data.

The law would also give consumers the right to opt out of the use of non-sensitive data for targeted advertising.

Lawmakers in the state Senate and House have voted overwhelmingly in favor of the bill, which could be finalized later this week.

The Virginia bill doesn't provide for consumers to sue over privacy violations. Instead, the state Attorney General would have sole authority to prosecute companies that violate the statute, and could seek fines of $7,500 per violation.

If enacted, the law will take effect in 2023.

Last week, advocacy group Consumer Reports urged state lawmakers to strengthen the bill in several respects -- including by closing a loophole that arguably could allow some companies to serve targeted ads to consumers who have opted out of the processing of their data.

The Virginia law's opt out provision “should cover all data transfers to a third party for a commercial purpose,” Consumer Reports said in a letter to Virginia state Senator David Marsden.

The organization adds that the current language is “ambiguous,” and “could allow internet giants like Google, Facebook, and Amazon to serve targeted ads based on their own vast data stores on other websites.”

The bill defines “targeted advertising” as "displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests showing ads to people based on predictions gleaned from their activity over time and across nonaffiliated sites or apps."

The measure also excludes ads based on people's “activities within a controller's own websites or online applications” from the definition of targeted advertising.

Justin Brookman, director of consumer privacy and technology at Consumer Reports, says one potential ambiguity centers on retargeted ads, or ads for products that consumers have previously researched online.

Brookman argues that tying targeted advertising's definition to "predictions" about consumers “could be construed to exclude retargeting based on demonstrated past interests.”

He also says the bill's definition of targeting could allow publishers, in the future, to arrange for a large company like Google or Facebook to target ads just based on data collected by Google or Facebook on their own sites. 

"Going forward I don't want to give them loopholes to exploit their relatively large data sets," Brookman says.

Consumer Reports also argues the Virginia law should provide for consumers to opt out through a browser control, as opposed to on a company-by-company basis. 

In California, the state attorney general issued regulations that require companies to honor opt-out requests sent through browser controls. 

The ad industry opposes that requirement, arguing that the attorney general exceeded his authority by promulgating that regulation.