“If it’s free… you’re the product.” That saying has never been truer than in 2021. If you use Facebook, Google, Snapchat, TikTok, or Amazon, then you are the product, no matter what service they provide you, and you’re the best-selling product they’ll ever have. Against such large multinational corporations, what can you, as a consumer, do to protect your data?
General Data Protection Regulation (GDPR) in the European Union
Luckily, (some) politicians and interest groups have noticed and are beginning to act against the misuse of our personal data. The European Union passed the General Data Protection Regulation (“GDPR”), which allows EU residents to have a say in how their personal data is collected, for what purposes, and how it is sold to other entities.
Private Right of Action Online
The GDPR also has what is called a “private right of action,” which means that individuals, not just the government, are allowed to sue and seek monetary damages for misuse of the individual’s data.
The GDPR does not grant any protections to American citizens, or anybody outside of the European Union. So why does the GDPR matter to an American? The GDPR has become a sort of “guideline” for American companies (think Google, Microsoft, and Facebook) as well as some states, especially California and Virginia.
In fact, if you have been on some websites with a popup bar near the bottom (location varies) asking for your consent to place “cookies” on your computer, you have the GDPR to thank!
What is the Commonwealth of Virginia Doing to Protect Your Data?
The General Assembly of Virginia recently passed legislation which was signed into law by Governor Northam on March 2, 2021. The law, the Virginia Consumer Data Protection Act, goes into effect on January 1, 2023, and gives the Attorney General of Virginia investigative power and exclusive authority to enforce the Act.
Enforcement may include injunctions to stop violations and/or monetary penalties up to $7,500 per violation. Knowing how politicians like to make smaller numbers bigger, the amount per violation may be increased in the future.
Who Exactly Does The Virginia Consumer Data Protection Act Apply to?
The law states exactly who it applies to, but there is some ambiguity which hopefully the General Assembly of Virginia will clarify. The law (in part) appears below with an attempt to clarify the language:
- This chapter applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that
- (i) during a calendar year, control or process personal data of at least 100,000 consumers OR
- (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.
Understanding the Virginia Consumer Data Protection Act
After translating from legalese to “English”, the law applies to a person (natural and legal persons) that provides services (Google/Bing) or products (Walmart) to people living in Virginia in a calendar year, and processes the data of 100,000 or more consumers.
It also applies to those who provide services and/or products in Virginia, and control or process personal data of 25,000 [Virginians we presume, but the law needs clarification] and have half of their gross revenue from the sale of personal data.
What Data is Protected?
There are two types of “data” defined in the law, “personal” and “sensitive,” with personal data being a catch-all, and “sensitive data” being specifically defined. Personal data is information that is linked or linkable to a natural person.
Any publicly available information is fair game and not considered personal or sensitive data. Sensitive data includes, but is not limited to, a person’s race, religion, or sexual orientation. Sensitive information also includes a person’s precise location and a child’s information.
What are Your New Digital Rights in Virginia?
Consumers can now ask how their data is used, correct inaccuracies, delete data, or obtain a copy of their data. Consumers can also opt out of targeted advertising and the sale of their data. Entities responsible for responding to consumers’ requests will have 45 days, with one extension available.
If an entity declines to take action, it must inform consumers that they can appeal (to the entity) and instruct the consumer how to do so, and if their appeal is denied, instruct them how to file a complaint with the Virginia Attorney General.