Consumer Reports appreciates that the Joint Commission on Technology and Science, Consumer Data Protection Work Group is considering making recommendations to the legislature to further implementation of the new law.
We offer several suggestions to strengthen the CDPA to provide the level of protections that Virginians deserve. At the very least, the CDPA should be modified to bring it up to the standard of the California Consumer Privacy Act (CCPA), which was recently strengthened by the passage of Proposition 24, the California Privacy Rights Act (CPRA). In particular, the CCPA as refined by CPRA takes important steps such as adding to the statute a requirement to honor browser privacy signals as an opt out (currently required by regulation) and removing the “right to cure” provision in administrative enforcement. The CCPA also includes authorized agent provisions so that consumers can delegate third parties to exercise rights on their behalf, which should be replicated in this bill.
Privacy laws should set strong limits on the data that companies can collect and share so that consumers can use online services or apps safely without having to take any action, such as opting in or opting out. We recommend including a strong data minimization requirement that limits data collection and sharing to what is reasonably necessary to provide the service requested by the consumer, as outlined in our model bill. A strong default prohibition on data sharing is preferable to an opt-out based regime which relies on users to hunt down and navigate divergent opt-out processes for potentially thousands of different companies. Consumer Reports has documented that some California Consumer Privacy Act (CCPA) opt-out processes are so onerous that they have the effect of preventing consumers from stopping the sale of their information.
For the full letter, please see the attached PDF.