The Consumer Federation of America (CFA) lambasted legislation passed by the Virginia legislature that advocates say only purports to protect privacy while actually protecting Big Business and eroding consumer rights.
The Consumer Data Protection Act (HB 2307/SB 1392) is, according to those monitoring these issues, nearly identical to the Washington Privacy Act. The bill passed both chambers in the Virginia legislature on Feb. 5th with broad, bipartisan support and now must be reconciled by Feb. 27th.
Susan Grant, CFA’s Director of Consumer Protection and Privacy, said of the bills:
“The Consumer Data Protection Act should be called the business data protection act because it cements in place the current system of corporate surveillance.
“Even worse, it allows companies to discriminate against consumers who exercise the limited rights they would have, throws roadblocks in the way of the state attorney general to enforce the law, and prevents consumers from taking enforcement action on their own.”
Grant outlined a long list of concerns with the legislation and warned that actions in Virginia and Washington indicate a national effort to take away privacy protections.
Among the concerns raised by Grant:
· Gives consumers no rights concerning the personal data that may be gleaned from social media and other “channels of mass media” if they didn’t adequately restrict access to that information.
· Gives consumers no control over businesses selling their personal information to affiliated companies.
· Requires opt-in for processing consumers’ “sensitive data” but not for uses of their personal information that may be sensitive.
· Allows consumers to opt out of seeing targeted advertising based on tracking their activities over time on multiple websites and apps and profiling them, but that opt-out does not stop the tracking and profiling from occurring.
· Does not apply to advertising based on tracking consumers’ activities over time on a company’s own website or app and profiling them — the business model of Google and Facebook, which profit from profiling and targeting consumers on behalf of other businesses.
· Only gives consumers the right to opt out of profiling when it is used “in furtherance to decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer.” There is no overall right to stop being tracked and profiled.
· Does not apply to consumers’ personal information when it is in the hands of financial services companies or other businesses that are covered by other laws, even if the privacy protections of those laws are much weaker.
· Allows parents and legal guardians to exercise consumers’ rights but does not enable consumers to designate others to act on their behalf, as an aging parent who doesn’t understand technology might want.
· Allows businesses to charge consumers more or provide them with lower-quality products or services if they exercise the limited rights they have to opt out of targeted advertisements, their personal data being sold, or being profiled. In other words, if consumers want privacy, they have to pay more, a blatantly discriminatory policy.
· Lets companies that hold and process consumers’ personal data avoid any responsibility when third parties to which they disclose the data violate the law unless they knew those parties intended to violate the law. (So Facebook would have no liability for what Cambridge Analytica did with users’ personal information.)
· Prevents consumers from taking legal action to enforce their rights.
· Creates a “right to cure” that hampers the ability of the attorney general to take action to stop bad practices and obtain remedies for consumers.
Consumers and consumer advocates are advised to beware of similar attempts to undermine privacy in state legislatures this year.
For more on issues related to consumer protection, follow Andy Spears