Consumer and Privacy Groups Urge Virginia Governor to Veto or Send Privacy Bill Back to Legislature

Consumer Data Protection Act as Passed Inadequately Protects Virginians and Allows Discrimination against Those Who Exercise Rights


Washington, D.C. — This week, the Virginia Citizens Consumer Council, Consumer Federation of America, the Electronic Frontier Foundation, Privacy Rights Clearinghouse, and U.S. PIRG sent a letter to Virginia Governor Ralph Northam urging him to veto the Consumer Data Protection Act (CDPA) or to consider adding a reenactment clause, which would send the bill back to the legislature for reconsideration in January 2022, because it falls far short of adequately protecting Virginians’ privacy and allows unfair discrimination against those who exercise the few rights it provides.

“Today, California is the only state in the nation with a form of this legislation and consumers there still have problems. As is typical, Virginia has taken a business-first perspective that codifies business-designed obstacles to consumers having meaningful control of their personal information. This is not privacy protection and will just frustrate consumers,” said Irene Leech, President of the Virginia Citizens Consumer Council.

These groups appreciate that Governor Northam’s office has engaged with the concerns of consumer groups and committed to a robust stakeholder process to improve this bill. Yet the fundamental problems with the CDPA are too big to be fixed after the fact. As Susan Grant, Director of Consumer Protection and Privacy at Consumer Federation of America noted, “Consumer representatives were not given a fair hearing as this bill was rushed through the legislative process. We’re telling Governor Northam that it’s better to get this right than to sign a law that doesn’t really protect Virginians’ privacy.”

Among other problems, the groups contend that the legislation:

  • Adopts an “opt-out” framework that disempowers consumers and poses equity concerns.
  • Lacks a strong data minimization requirement that limits data collection and sharing to what is reasonably necessary to provide the services consumers have
  • Does not cover personal information gleaned about consumers from sources such as social media if consumers have failed to adequately restrict it.
  • Provides no overall right for consumers to avoid being profiled.
  • Would have no effect on the business models of companies such as Facebook and Google, who profit from tracking consumers’ activities on their websites and target them for ads on behalf of other companies.

Significantly, the CDPA allows companies to charge consumers higher prices or provide them with a lower quality of goods or services if they have exercised their rights – for instance, to opt out of seeing targeted advertising – creating two classes of Virginians: those who can pay to protect their privacy, and those who cannot.

It also creates a “right to cure” which offers companies a “get-out-of-jail-free” card for violating the law, and prevents consumers from taking legal action to enforce their rights.

“California’s first-in-the-nation state privacy law challenged other states to protect consumers better. Instead, Virginia chose to give its consumers fewer protections from the corporate surveillance business model that should be reined in, not unleashed,” said Ed Mierzwinski, Senior Director, Federal Consumer Programs, U.S. PIRG.