Industry-Approved Privacy Bill Nears Passage in Virginia

We’ve joined leading privacy and consumer groups (our latest letter sent via email) attempting to try and convince the Virginia legislature not to rush to enact a privacy bill which Microsoft and Amazon have testified in favor of, but leading privacy and consumer groups look at as an industry wish-list which will perpetuate a version of the antiquated notice and opt-out regime that serves the corporate surveillance business model well, but “relies on users to hunt down and navigate divergent opt-out processes for hundreds of companies,” as our letter says. While the bill has some strong definitions, its clever exceptions and carveouts largely swallow the rules.

Oh, did I mention that the proposed law is based on a predecessor Washington State law (home state of Microsoft and Amazon) and is so narrowly written that its limited protections against targeted advertising and tracking may not even cover the business models of Facebook and Google? Did I mention that it would legalize pay-for-privacy, which would unfairly separate Virginians into two classes; privacy “haves” and “have nots?”

Or did I mention that the bill gives consumers no private right of action to defend themselves in court? Not to worry; it also stomps on the state attorney general’s power to defend you against unfair practices, too, since it gives companies a “get-out-of-jail-free” card if they do somehow manage to break the law. 

Materials in quotes above are excerpted from our group letter. Here’s a longer excerpt:

“The definition of personal data does not include information gleaned from sources such as social media if consumers have failed to adequately restrict who can see that information. This is not a reasonable exception in light of the fact that many consumers do not understand social media privacy settings or anticipate that their information could be harvested for commercial purposes. Furthermore, the definition of personal data does not include information that is linked or can be linked to a particular household or device, a major gap considering today’s complex data ecosystem in which information from the use of smart devices is used to target users and households, without knowing their exact identities.”

The Electronic Frontier Foundation co-signed the group letter today. Here’s an excerpt from EFF’s blog on the Virginia bill, which also discusses the recent California and Washington laws:

“But not all privacy laws are the same. While California’s law is itself not perfect, a bill in the style of the Washington Privacy Act is a step in the wrong direction—particularly the version of the bill under consideration in Virginia. Bills that follow this model allow companies to appear to be doing a lot to protect privacy but are full of carveouts that fail to address some of the industry’s worst data privacy abuses.”

The Consumer Federation of America (CFA) also co-signed the group letter today. Here’s an excerpt from its press release, “Virginia Legislature, Ignoring Consumer  Groups, Steamrolls Bad Privacy Bill Toward Enactment:” 

“The Consumer Data Protection Act should be called the business data protection act because it cements in place the current system of corporate surveillance,” said Susan Grant, CFA’s Director of Consumer Protection and Privacy. “Even worse, it allows companies to discriminate against consumers who exercise the limited rights they would have, throws roadblocks in the way of the state attorney general to enforce the law, and prevents consumers from taking enforcement action on their own.” In a hearing yesterday of the Virginia House of Delegates Committee on Communications, Technology & Innovation, consumer groups that had signed up to testify were not  called upon, nor was there any acknowledgement of the letters and comments that CFA and others submitted expressing serious concerns about the legislation. In her online comments, Ms. Grant pointed out that the opt-out framework in the bill places the burden on consumers to navigate today’s incredibly complex data ecosystem.”

Susan Grant of CFA and Irene Leech of the Virginia Citizens Consumer Council also had an op-ed in the Virginia Mercury:

“The legislature should hit the pause button and work with consumer and privacy groups to craft a bill that truly protects Virginians’ privacy. It is not enough to say that the law doesn’t go into effect for two years and changes can be made next year. Our experience is that it is difficult to strengthen consumer protections after legislation has already been enacted. If addressing these issues means that passing the bill has to wait until the next session, that’s fine.  It’s better to get it right than to count on going back and changing mistakes.”  

When powerful special interests have too much money and power, consumers lose. In case you missed it, here’s a new video blog of our U.S. PIRG colleague R.J. Cross explaining how dating apps exploit your personal information. Oh, all apps exploit your personal information in ways that the Virginia law won’t do much to stop, but the dating apps are particularly good at it.

We need  strong privacy and digital rights laws that put consumers, not corporations, first.

Cover graphic courtesy Flickr VCU Libraries Commons, Public Domain.