Last week a committee of the Virginia House of Delegates voted to send several privacy-related bills to a legislative commission for study after the current legislative session. Among those bills is the Virginia Privacy Act, proposed as a less onerous version of the California Consumer Privacy Act. Other bills referred for study address topics such as requirements for the destruction of records, online advertising and digital services directed to minors, and safe keeping of biometric data.
The Communications, Technology and Innovation Committee voted to “continue” the these privacy-related bills and directed the chairman of the committee to request the Joint Commission on Technology and Science (JCOTS) to study the legislation in advance of the 2021 legislative session. JCOTS consists of 13 legislators and its purpose is to evaluate emerging technology and science with the goal of promoting the development of sound public policies on those topics.
JCOTS will take the first serious look at comprehensive privacy legislation in Virginia. Businesses potentially affected by legislation on the topics covered by these bills should follow the work of the JCOTS during the balance of 2020. As several politicians are known to say: “if you are not at the table, you’re on the menu.”
Typically, JCOTS will have its staff present information on the current state of the law on a given topic and will occasionally solicit presentations from the private sector. Possible outcomes of the evaluation of these bills could include recommending specific legislation after receiving stakeholder input, not choosing a specific legislative proposal but expressing a need for a legislative solution on a given topic, or determining existing regulatory structures sufficiently address a topic.
Legislation referred to JCOTS for study, includes:
- HB473 (Delegate Sickles): Personal data; Virginia Privacy Act. Gives consumers the right to access their data and determine if it has been sold to a data broker. The measure requires a controller (defined in the bill as a person that, alone or jointly with others, determines the purposes and means of the processing of personal data) to facilitate requests to exercise consumer rights regarding access, correction, deletion, restriction of processing, data portability, objection, and profiling. The measure applies to any legal entity that conducts business in the Commonwealth or produces products or services that are intentionally targeted to residents of the Commonwealth and that (a) controls or processes personal data of not fewer than 100,000 consumers or (b) derives over 50 percent of gross revenue from the sale of personal data and processes or controls personal data of not fewer than 25,000 customers.
- HB884 (Delegate Subramanyam): Safe destruction of records containing personal identifying information. Requires a commercial entity that is in possession of, or has within its custody or control, records that (i) contain consumers’ unencrypted, unredacted personal identifying information and (ii) are no longer needed by the commercial entity, to take reasonable steps to destroy, or arrange for the destruction of, the records by shredding, erasing, or otherwise destroying or modifying the personal identifying information in the records to make it unreadable or indecipherable.
- HB952 (Delegate Ayala): Digital services; protection for minors. Requires the operator of a digital service, which is defined as a website, online service, online application, or mobile application, to permit minors to remove, or to request and obtain removal of, content or information posted on a digital service. The measure prohibits an operator of a digital service directed to minors from marketing or advertising to minors specified products or services that minors are prohibited from buying. The measure also prohibits marketing or advertising certain products on the basis of personal information specific to a minor or knowingly using, disclosing, compiling, or allowing a third party to do so.
- HB954 (Delegate Ayala): Cybersecurity; care and disposal of customer records; security for connected devices. Requires any business to take all reasonable steps to dispose of, or arrange for the disposal of, customer records within its custody or control containing personal information when the records are no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable.
- HB955 (Delegate Ayala): Children’s online privacy protection. Prohibits any person who operates a website for commercial purposes and who collects or maintains personal information from or about the users of or visitors to such website or online service from releasing personal information collected from minors for any purpose, except where the personal information is provided to a person other than an operator that provides support for the internal operations of the website, online service, online application, or mobile application of the operator, but excluding any activity relating to targeted marketing directed to minors, and does not disclose or use that personal information for any other purpose.
- HB956 (Delegate Ayala): Virginia Consumer Protection Act; advertising or offering for sale of Internet-connected devices targeting children; prohibition. Prohibits the advertising or offering for sale of Internet-connected devices for which the target market consists of consumers below 18 years of age by making it unlawful under the Virginia Consumer Protection Act.
- HB1215 (Delegate Tran): Biometric data; employer policy on storage, protection, and destruction; civil penalty. Establishes the parameters for the capture and safekeeping of biometric data by employers. The bill defines “biometric data” as a retina or iris scan, fingerprint, voiceprint, record of hand or face geometry, or any other means of information, regardless of how it is captured or stored, that is used to identify an individual based on biological identifiers.
* Summaries of legislation provided by the Virginia Division of Legislative Services as posted on the Legislative Information Services website. To view the full legislative text, use the hyperlinked bill number for each bill.
JCOTS meets throughout the year and will likely receive presentations on how other states are addressing these topics, the challenges companies face in complying with such requirements, and the anticipated benefits to consumers if such a regulatory scheme were enacted.
If your business could be affected by any of these bills, you should monitor the activities of JCOTS from the outset of its work and not wait for problematic legislation to be introduced later.