When Gov. Ralph Northam signed the Consumer Data Protection Act into law on Tuesday, Virginia joined a growing list of states that have acted to pass comprehensive consumer data protections. States such as Virginia have been forced to act because the federal government has failed to pass a comprehensive data protection act, and 70% of the public feel their personal information is less secure than it was five years ago.
While the Virginia Legislature should be commended for prioritizing consumer data protection, the passage of CDPA will further exacerbate the ZIP code lottery of data protections, which also raises compliance costs for companies seeking to do business across state lines. To eradicate this ZIP code lottery and provide much-needed clarity to businesses, the federal government needs to step in and pass a comprehensive data privacy act.
Virginia’s CDPA allows consumers access to “correct, delete, [and] obtain a copy of personal data and to opt-out of personal data for the purposes of targeted advertising.” These measures would apply to companies who “control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.”
While Virginia has taken steps to enhance consumer data protection, most states do not currently have robust protections, leaving the vast majority of people’s consumer data vulnerable to identity theft and other cybercrimes. West Virginia, for example, only requires companies that have suffered a data breach to notify consumers. Companies are only required to report breaches to consumer reporting agencies if the breach affects more than 1,000 people. North Carolina has equally weak data protection laws that only require consumers to be notified of a breach compromising their personal information that is not publicly available, such as a Social Security number.
The multiple state privacy bills enacted or proposed also create a patchwork of inconsistent state laws across the country, which raises the cost of compliance for companies seeking to do business across state lines. The Washington Legal Foundation recently contended that “these laws create operational inefficiencies and distort interstate markets for data, products, and services.” The increased compliance costs occur because companies must expend significant resources understanding 50 different data protection standards and alter their practices accordingly. The increased costs are then passed on to the consumer through higher prices for goods and services.
A federal data privacy standard would alleviate unnecessary compliance costs, as companies doing business across state lines would only have to deal with a single standard rather than 50 laws that continually evolve. It would also allow businesses to operate with confidence that they are complying with the law and aren’t likely to face litigation from consumers or attorneys general for non-compliance.
Comparing data privacy statutes in Virginia, West Virginia, and North Carolina, it is clear a ZIP code lottery exists when it comes to data privacy. With this ZIP code lottery, Virginia residents enjoy more robust data protections and control over their data than those in many states across the country, as 26 states have weak data protection laws.
As cybercriminals will likely become bolder over the next decade, the need for a comprehensive federal data standard only increases. While some states have recognized the emerging data privacy threats, most state legislatures have failed to take the threat seriously. The patchwork of data privacy laws has not only created a ZIP code lottery for levels of data protection, but it has also placed unnecessary compliance costs on companies, which in turn increase costs for consumers.
Edward Longe is a research associate at the American Consumer Institute, a nonprofit educational and research organization. Follow the institute on Twitter @ConsumerPal.