Consumer advocacy groups are urging Virginia lawmakers to revise a proposed privacy bill, arguing that the current version of the measure won't adequately protect people's data.
The Virginia Consumer Data Protection Act (SB 1392), much like California's broad privacy law, would require companies to allow consumers to access, correct and delete personal data.
The bill currently has broad support in the statehouse, but can still be revised before a final vote.
The current version of the proposed Virginia law would give consumers the right to opt out of the use of non-sensitive data for targeted advertising, and would require companies to obtain consumers' affirmative consent before processing “sensitive” data -- including information about race, religious beliefs, health, sexual orientation or immigration status, as well as precise geolocation information and some biometric data.
The proposed law gives the state Attorney General sole authority to sue violators.
In a column published Tuesday in the Virginia Mercury, the Consumer Federation of America argues that the measure should be revamped, arguing that it is “based on the outdated 'notice and opt out' framework which underpins the current system of commercial surveillance.”
The organization is proposing a host of changes, including that the law should require companies to obtain consumers' opt-in consent before using their information.
Consumer Federation also says the law should enable consumers to prevent data collection, and not merely the use of data for targeted ads. In addition, the group argues that consumers should be able to sue over violations.
The group Consumer Reports has also urged lawmakers to rethink several aspects of the proposed law, including provisions relating to targeted advertising.
The bill currently defines targeted advertising as serving ads to people based on predictions gleaned from users' activities over time and across nonaffiliated sites and apps.
Among other concerns, Consumer Reports says the current definition could potentially “allow internet giants like Google, Facebook, and Amazon to serve targeted ads based on their own vast data stores on other websites, in spite of the opt out.”
Late last week, the digital rights group Electronic Frontier Foundation urged Virginia residents to object to the bill in its current form, for similar reasons as other privacy advocates.
“A strong privacy bill would protect people’s privacy by default by letting them opt-in to data sale and use, rather than having to go to each company to ask them to stop using their information,” the EFF wrote in a blog post. “It would require companies to commit to strict standards for what information they ask to collect in the first place. And it would also have real teeth to make sure that companies don’t get away with violating privacy rights.”
On Monday, Virginia's House Communications, Technology and Innovation committee approved some revisions, including one that would create a working group to recommend changes before the bill would go into effect.
On Tuesday, the bill advanced in the state Senate, and a House committee is expected to hear the bill Wednesday.
If passed, the measure will take effect in 2023.