With COVID-19 and economic recovery at the top of the policy agenda for the Biden Administration and the new Congress, it may take awhile until serious attention is devoted to enacting national digital privacy legislation. This continues to put states in a leadership position to craft their own approaches. Florida, Minnesota, New York, North Dakota, Oklahoma, and Washington are among the states that are in the process of developing their own bills for timely legislative approval.
And Virginia’s pending Consumer Data Protection Act is poised to be signed into law by Gov. Ralph Northam, after receiving very strong bipartisan support in both the Virginia House and the state Senate.
The Virginia law would cover entities that “control or process” personal information of 100,000 or more Virginia residents in a calendar year. Entities that generate 50 percent or more of their gross revenue from the sale of personal data that hold information about at least 25,000 residents also would be covered. In short, big data brokers and companies with a major online presence would all be covered, but small businesses would not be. Under the law, entities that determine “the purpose and means of processing personal data” are called “controllers.”
There are a number of enforceable mandates that these controllers will need to follow under the law. They will be required to confirm to consumers if they have personal consumer data, and must afford them the opportunity to correct any inaccuracies in it. They will need to delete personal data obtained about an individual consumer, and honor consumer requests to opt out of having personal data used for targeted advertising, for sale to a third party, or for “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.”
These consumer-friendly benefits suggest why the bill has received such widespread support across Virginia’s political divide. This has been bolstered by a number of prominent advocacy groups, including the Electronic Frontier Foundation, the Electronic Privacy Information Center, and Consumer Reports, which commented in a collective letter, “The CDPA would grant important new rights to Virginia citizens that the residents of most states do not currently enjoy.”
Unfortunately, the new law will not adequately reflect the realities of COVID-19 and the post-pandemic world that we will live in for years to come. During the pandemic, when business locations and offices have closed physical operations, vast numbers of Americans have continued as employees in work-from-home environments.
According to Statista, a leading provider of market and consumer data, 17 percent of U.S. employees worked from home five days or more per week before March 2020, a share that has increased to 44 percent during the coronavirus pandemic. Many, if not most, of these people are using their own laptops, tablets, mobile phones, and other devices on home broadband networks, managing all aspects of their personal and professional lives. Work and leisure now are merged as a practical matter. Our lives have converged into a new digital reality where we toggle back and forth between these two worlds with increasing seamlessness.
Virginia, however, has failed to recognize this new normal. That’s because it explicitly will cover only consumers operating on their own or in a “household context.” In contrast, the law will not cover any online activities “in a commercial or employment context.” But as a practical matter, those working from home are operating simultaneously in a “household context” and “a commercial or employment context.” The lines between these two are blurred and seem destined to remain so in a world where working from home is an established pattern of life that is destined to continue.
The larger lesson both for this legislation and for the other states with comparable bills in process is simple: Digital privacy protection needs to be envisioned for pandemic times, where exponentially more personal data is being generated with an inevitable intermixing between what used to be considered work and what was considered to be leisure.
It seems that the concept of multitasking now is on steroids, so it makes good sense to have new laws enacted that reflect this reality. Let’s start with a better understanding of how people are providing personal information online. It is critical to craft ways that encompass their usage without relying on rapidly declining notions of what constitutes business and what comprises leisure. We must be able to power up and on at home with a greater sense of digital privacy.
Stuart N. Brotman is a Distinguished Fellow at The Media Institute and is a member of the Institute’s First Amendment Advisory Council. He is the author of Privacy’s Perfect Storm: Digital Policy for Post-Pandemic Times.