March 10, 2021 - On March 2nd, Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (VCDPA); a broad privacy law that gives consumers significantly greater control over what companies can do with their personal information. The law makes Virginia only the second state (the other is California) to provide European style data protection to American consumers. While the VCDPA is certainly good news for consumers, it also exempts one significant group of companies from its grasp. Financial instutuions as defined in the federal Gramm Leach Bliley Act (GLBA) will not have to comply with it.
The new law doesn’t' actually go into effect until 2023. The delay is to give companies time to develop systems and practices that will allow them to comply with its requirements.
VCDPA forces companies to tell consumers what data they have stored on them, make corrections to that data, and to delete data that they don't want made available. Consumers can also force companies not to sell or share their data for advertising purposes or to track their information on the internet.
While California's similar law provides a carve out for information that is regulated by GLBA - since federal law preempts state laws - VCDPA provides a much broader exemption. Rather than carving out "information" regulated by GLBA, it provides a carve out for financial institutions regulated by GLBA. That means that effectively banks, credit unions and insurance companies won't have to comply with it.
There is no doubt that VCDPA is a big step forward for consumer privacy. But it is unfortunate that the law didn't narrow the exemption for federal law. There is absolutely no reason that your bank should be free to sell your information to advertisers without first getting your permission. And that kind of a transaction isn't limited by GLBA.
by Jim Malmberg
Note: When posting a comment, please sign-in first if you want a response. If you are not registered, click here. Registration is easy and free.
|