Caveat 3.24.21
Ep 70 | 3.24.21

Virginia privacy law and what it means for you.

Transcript

Heather Federman: If we couldn't get our act together in the last several years, when we've seen some of the biggest breaches of our time, then I'm not quite sure if we're going to be able to get our act together for federal privacy legislation.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance, law and policy podcast. I'm Dave Bittner. And joining me is my co-host, Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: On this week's show, Ben looks at potential reactions from the Biden White House to the SolarWinds hack. I look at growing momentum behind a Google antitrust suit. And later in the show, my conversation with Heather Federman from BigID on the impact of Virginia's new Consumer Data Protection Act. 

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, let's dig into some stories. Why don't you start things off for us this week? 

Ben Yelin: My story this week comes from CyberScoop, written by Tim Starks, and it's about the Biden administration considering efforts to respond to both the SolarWinds attack and also the more recent exploitation of Microsoft Exchange Server, which affected millions of Americans, myself included. 

Dave Bittner: Oh. 

Ben Yelin: So one of the ideas that's been percolating in the administration is to come up with a ratings system for U.S. software. And that's very similar to a couple of things. One is a system they have in Singapore that assigns labels or grades to internet of things devices based on their security features. So, you know, if you have an IoT refrigerator, on a voluntary basis, they can try and get, you know, some sort of what - the equivalent to an Energy Star rating. 

Dave Bittner: Or maybe a crash test rating for cars, you know? 

Ben Yelin: Exactly. 

Dave Bittner: This car is five-star rated. 

Ben Yelin: Yeah. So this is, you know, five-star cybersecurity rated. 

Ben Yelin: The other similarity is to a system that exists in New York City. And if you've been to New York City, you know, walk around some neighborhoods, you'll see that there's a little letter embedded in the window of every storefront - or every restaurant, bar, I should say. And that contains a letter grade, hopefully somewhere between A and C. And that's a grade on their cleanliness inspection. So somebody from, you know, New York City's Inspections goes into the restaurant, sees if there are rats in the kitchen... 

Dave Bittner: Right (laughter). 

Ben Yelin: ...Cracks in the toilet, anything that might cause some sort of sanitary concern. 

Ben Yelin: And this system has actually been pretty successful. I was refreshing myself on articles related to the New York system, and it seems as if there was, like, a notable decrease in salmonella cases after they instituted this rating system. 

Dave Bittner: Oh, interesting. 

Ben Yelin: So this offers a lot of promise. There are kind of a couple of interesting angles I was thinking about with this story. One is as it relates to liability, this could potentially be a defense for a company that suffers a cyber breach. If you've received some sort of A rating from this rating system, that decreases the chances that you're acting negligently because you're up, you know, on the latest standards. You've encouraged your users to download patches. You know, you're using the most up-to-date technology. 

Dave Bittner: Right. 

Ben Yelin: That could cut against your liability in any potential lawsuit. 

Ben Yelin: The problem I see with this, and this also came out in the New York City rating system, is corruption. What happened in New York is well-connected people and well-connected restaurants would make a call to dispute their C ratings, call their friends at city hall and say, why don't you, you know, shift some things around - hint, hint? 

Dave Bittner: Come on out and have a second look at our restaurant. 

Ben Yelin: Yeah, exactly. 

Dave Bittner: (Laughter). 

Ben Yelin: If you want to try some of our, you know, delicious sirloin steak while you're here... 

Dave Bittner: (Laughter) Right, right. 

Ben Yelin: ...Absolutely. 

Dave Bittner: Yeah. 

Ben Yelin: So that definitely happened. This was when Mike Bloomberg was mayor. And that was actually a pretty big, significant public relations hit for the entire system. 

Ben Yelin: You worry about that a little bit here. If this rating system becomes the type of thing where Microsoft and Google can get in on the ground floor and try and lobby whomever the authority is - it's probably going to be a board set up by Congress - to try and improve their ratings, and that could potentially increase their market share, and that might actually be disadvantageous to the smaller companies who don't have that level of influence. 

Ben Yelin: But I think it is still, nonetheless, a very interesting idea. It was actually based on a recommendation from the Solarium Commission to set up a type of board, and we'll have to see if they actually go through with it. 

Dave Bittner: What about (laughter) coming at it from the opposite direction? I'm thinking - and this is absurd, but bear with me (laughter) - the liability side, that what if a company has a lousy rating and something bad happened, so they can go back and say, well, I mean, come on; we had a D rating, and they used us anyway? You can't blame us. It's not like they weren't warned (laughter). 

Ben Yelin: It's all right there, yeah. I have a feeling that's not going to bode well for their chances in court on liability. 

Dave Bittner: (Laughter) Right. 

Ben Yelin: One thing we see - you know, talking about any type of tort, any type of civil lawsuit, the best evidence you can have are two things. One, if you don't comply with some sort of statute, that's evidence that you're being negligent, that you're breaking the law. 

Dave Bittner: Right. 

Ben Yelin: The other is if you're not complying with industry custom. If you're in an industry where your competitors are getting A's and B's and you're getting D's and F's, that to me would be pretty compelling evidence that you're acting negligently and exposing your users to potential harm. And so that's not going to bode well for your chances in court. I do like your idea, though, where it's like, look; you've been warned, you know? It's like... 

Dave Bittner: (Laughter). 

Ben Yelin: I don't know about you, Dave, but I've been to a lot of hole-in-the-wall restaurants... 

Dave Bittner: Yeah (laughter). 

Ben Yelin: ...Where let's just say the sanitation conditions on first glance aren't what we would interpret as probably having an A rating. 

Dave Bittner: Right. 

Ben Yelin: Those places sometimes have great food. 

Dave Bittner: Right, exactly. They're legendary in the neighborhood. Like, you cannot miss the - I don't know, whatever - the cheesesteak subs in this hole-in-the-wall place, you know, where the (laughter)... 

Ben Yelin: The floor is covered in dust and - yeah. 

Dave Bittner: Right, right. Exactly. The - you know, they're feeding as many cockroaches as customers, but (laughter). 

Ben Yelin: One of my favorite restaurants in San Francisco unfortunately closed. You know, it was that exact type of place. And it closed down for this exact reason - is, you know, maybe they were cutting corners with their sanitation practices to make their food taste better, which it did. 

Dave Bittner: (Laughter). 

Ben Yelin: But to try... 

Dave Bittner: Yeah. 

Ben Yelin: Yeah. To try and center it back on what we're talking about here, I mean, I don't think it's out of the question that you could kind of see that type of process play out as it comes to cybersecurity. I mean, probably a lot of the most innovative products online, especially from startups, are going to be less concerned about security features, especially if bringing yourself up to standards might set against your bottom line. 

Dave Bittner: Right. 

Ben Yelin: So this maybe provides an extra incentive to get that rating, show your customers that you are responsible, that you, you know, are interested in protecting the data of your consumers. And it might be advantageous to both you as a company and the consumer. 

Dave Bittner: Yeah, it's an interesting combination of carrot and stick, isn't it? Because if you do well - you know, it's a carrot to incentivize you to do well. But if you don't do well, you have that stick on the other side publicly shaming you for not doing better. 

Ben Yelin: That scarlet F on your forehead. 

Dave Bittner: (Laughter) Right. 

Ben Yelin: I also think there's a big difference as to whether it's voluntary, like the Singapore IoT system... 

Dave Bittner: Yeah. 

Ben Yelin: ...Or if it's mandatory. You know, I think voluntary could be a good place to start because then you're really only offering the carrots and not the sticks because you're giving people potentially incentive to voluntarily get involved with the system. I think where you start to see industry opposition is if it became mandatory. Then you really have to worry about the structure of the National Cybersecurity Certification and Labeling Authority, as it would be called... 

Dave Bittner: Yeah. 

Ben Yelin: ...Under the proposal of the Solarium Commission. 

Dave Bittner: Kind of like a cyber Better Business Bureau, right? 

Ben Yelin: Yeah, exactly. 

Dave Bittner: Yeah. 

Ben Yelin: And we - also, we know very little about how that commission would be set up. I mean... 

Dave Bittner: Yeah. 

Ben Yelin: ...I would be worried if it were members of Congress, to be honest... 

Dave Bittner: (Laughter). 

Ben Yelin: ...Or it was under the authority of members of Congress. 

Dave Bittner: Yeah. 

Ben Yelin: But any sort of nonpartisan authority with technical expertise, this could be a promising idea. 

Dave Bittner: All right. That's interesting. I guess time will tell. We'll see if that gets any traction. Interesting story. 

Dave Bittner: My story this week comes from The Verge, article from Adi Robertson and Russell Brandom. And it's titled "Google Antitrust Suit Takes Aim at Chrome's Privacy Sandbox." The subtitle here is "Google is trying to hide its true intentions behind a pretext of privacy, say prosecutors." 

Dave Bittner: This is an interesting story here, Ben. You've got 15 attorneys general. I always say that wrong. I don't know why I want to say attorney generals. 

Ben Yelin: You got it right that time. 

Dave Bittner: I know (laughter). 

Ben Yelin: I'm proud of you. 

Dave Bittner: Fifteen attorneys general. 

Ben Yelin: It doesn't sound right even though it is right. 

Dave Bittner: Correct. 

Dave Bittner: They're being led by Texas. And they updated a complaint about Google with some more details on the case that they've made against Google. And basically, what this is coming down to is that they think that Google is taking unfair advantage of their market position with the Chrome browser and that some recent privacy updates to Chrome, which includes sort of deprecating the use of cookies and some of the tracking mechanisms that the ad industry uses online - Google, in exchange for that, is implementing what they're calling a privacy sandbox. 

Dave Bittner: Now, as you and I know, putting a name on something doesn't mean that that's what that thing is. 

Ben Yelin: Sandbox sounds so nice and peaceful. 

Dave Bittner: Well, think the Patriot Act (laughter). 

Ben Yelin: Yeah, exactly. Who doesn't like a sandbox? 

Dave Bittner: Right, exactly. Who doesn't want to be a patriot? 

Dave Bittner: So what these attorneys general are making the case is that what this privacy sandbox from Google will actually do is strengthen Google's position in the market, and I suppose what they're claiming is more and more seeming like a monopoly position in the market, where if people want to do targeted advertising, the easiest way to do it is going to be to go through Google, which means Google profits from that. 

Dave Bittner: Google is saying, no, no, no, no, no. This is all in an attempt to make it easier for people to protect their privacy. But obviously, these state attorneys general are skeptical of that, which is why they've got this lawsuit here. What's your take on this, Ben? 

Ben Yelin: So first, we should mention that this is just one lawsuit that Google is facing in the antitrust realm. So there is the original Texas complaint. There's a complaint led by Colorado's attorney general, joined by other attorneys general, which is about the manipulation of search results in violation of antitrust laws. And then there's the Department of Justice investigation, which we've referenced on this podcast. It seemed to me prior to this that the Texas complaint was perhaps the least high-profile, and this might increase its profile. 

Ben Yelin: So as you said, 15 other states have joined this amended lawsuit, and they're basically accusing Google of walling off an entire portion of the internet that consumers can access through Google Chrome's browser. 

Ben Yelin: So, you know, when other browsers block cookies, as other browsers have done to augment, you know, privacy protections for their consumers, that's not seen as an antitrust practice because the walling off that they're doing is different since they're not controlling the marketplace for browsers... 

Dave Bittner: Right. 

Ben Yelin: ...Or for search engines. But when we're talking about Google Chrome, they have such a large market share that Google's plan and their privacy box technology would require advertisers to use Google as the middleman, and it would make Google's advertising system more attractive. 

Ben Yelin: And so this, to me, has merit. If you - if Google is going to be the middleman in this scenario and the point of entry for advertisers is going to try and navigate this privacy box system, then that is an anti-competitive practice. And I think it was wise of these attorneys general to amend their lawsuit to include this. 

Ben Yelin: It's one of those things that Google probably thought they were going to get away with it because people like privacy, and this is something that augments user privacy, whether it's an antitrust concern or not. But some activists out there, including the Electronic Frontier Foundation, have seen through this, and they've criticized some of what Google's been doing as being self-serving. 

Ben Yelin: And so this is the first time that beyond activists, we've seen that position being taken by public officials at the state level. So it's really interesting. I'm curious to see how this is going to be received in court. 

Dave Bittner: Now, from an antitrust point of view, is this a situation where, for example, you know, if Google spun off the team who makes Chrome, made that an independent company or sold it off or whatever so that it wasn't shackled to the advertising part of Google - right? - those two aren't communicating with each other, presumably, behind the scenes in the best interest of the larger company, could that be a solution? Could that be a remedy that the government would seek? 

Ben Yelin: Potentially. There are a lot of problems with that because you can manipulate, you know, your corporate structure in such a way where, you know, maybe they're technically not part of the Google family anymore, but the profits filter up to Google. It's one of those things where you'd really have to ensure some type of independence. 

Ben Yelin: I think what you're getting at is it's not the action itself that's necessarily the antitrust violation. It's the action combined with the fact that it's Google, and they have this large market share. 

Ben Yelin: I don't know if that's going to be a proper remedy. And it's certainly not one that Google wants. I mean, it's - one of the most profitable parts of their portfolio is having this gargantuan advantage in browsers. Everybody uses Google Chrome. So, you know, I don't think that that's something that they're going to give up as willingly. 

Dave Bittner: Yeah. And I suppose that we're in this for the long haul, right? None of this is going to get solved quickly, right? 

Ben Yelin: Never. No. I mean, this is going to take years. As I said, this is part of several lawsuits against Google. We've now seen, you know, this complaint amended. There could be further amendments to the complaint. 

Ben Yelin: Google is going to file their answer at some point. We've already gotten a hint as to what they're going to say in their answer, which is that the attorneys general here are mischaracterizing their business and mischaracterizing the privacy sandbox. And so we'll see exactly what the argument is there. 

Ben Yelin: But then, you know, we could be talking about years of discovery where the court and attorneys for each side try and dig into exactly how Google has tried to illegally take advantage of its position in the marketplace. And, yeah, that takes a really, really long time. And a lot of attorneys are going to get very rich off this lawsuit. 

Dave Bittner: (Laughter). 

Ben Yelin: Unfortunately, I'm not one of them, but somebody is going to get very lucky. 

Dave Bittner: Right, most importantly, yeah (laughter). All right. All right, well, again, that story is from The Verge, and we'll have a link to that in the show notes. 

Dave Bittner: It's time to move on to our Listener on the Line. 

(SOUNDBITE OF PHONE DIALING) 

Dave Bittner: We got a nice note from a listener in the U.K., someone named Ricky (ph). And they write in and say, in part, I'm an avid listener from the U.K. and love the podcast. Well, thank you, Ricky. We appreciate that. 

Dave Bittner: Part of their message says (reading) Clearview AI may have been able to get away with scraping data, and precedents seem to have been set in the U.S. Now, as per your discussion about Instagram having the right to offer image embedding to other sites and the copyright claim is relinquished once uploaded, how granular could one get with this premise as far as your understanding of their terms are? 

Dave Bittner: (Reading) For example, once the image is uploaded, encoded and stored, in the most accurate technical sense, there will be differences in the ones and zeros when you really get down to it. In addition, any backup of that image when duplicated is, by definition, not the same image. Are there arguments to be made there, or is this one of those situations where lawyers can dance around that like the ship of Theseus thought experiment? 

Ben Yelin: I have to admit I was not familiar with that metaphor. 

Dave Bittner: (Laughter) Let's dig into that. So before I ask you for an actual informed legal opinion on this, I will pontificate from my position of ignorance. 

Ben Yelin: Always a good idea. 

Dave Bittner: It's what I do best. 

Dave Bittner: So to me, what we're getting at here is kind of like, let's say you make a painting - right? - a beautiful painting, and you have copyright of that painting, and I take a picture of that painting. I'm not allowed to go around and sell my pictures of your painting and say, well, this isn't the original painting; this is just pictures of the painting. This is different from that. There's no actual - there's no paint in my paint - in my photos of this painting. I'm using - I'm printing this on my inkjet printer, and so it's a totally different thing. 

Dave Bittner: Well, if it's the same image, I would suspect if I went in front of a judge, they would say, yeah, it's the same image. Knock it off. Right? 

Ben Yelin: Yes. Yes, they would. 

Dave Bittner: Is that what we're getting here (laughter)? 

Ben Yelin: Yeah, it's really a spectrum. It's not a hard-and-fast rule. 

Dave Bittner: Yeah. 

Ben Yelin: You are more likely to survive a copyright claim if there's some sort of transformative use involved. So if you're using that picture and altering it in a way that it changes its creative meaning, potentially it's like a satire or some sort of public commentary, then, you know, you might be exempt from a copyright claim under fair use. 

Ben Yelin: If there are minor changes in the zeros and ones, that's not going to vitiate the copyright claim. So even if the image is minimally altered, you know, that's all ultimately up for a judge and a jury to decide. 

Dave Bittner: Right. 

Ben Yelin: But it's highly unlikely that the copyright claim will be vitiated in that circumstance. 

Dave Bittner: Yeah. This also reminds me of, you know, some of the arguments back in the days, the early days, when people were talking about software piracy and music piracy, where, you know, that difference between walking into a brick-and-mortar store and walking out with a record album without paying for it versus making a copy, a digital copy of a digital file - you know, is something actually lost? In other words, rather than the physical good being lost, the potential revenue has been lost. 

Ben Yelin: Yeah. 

Dave Bittner: And what's the difference there? 

Ben Yelin: Yeah. I mean, ultimately, after a series of lawsuits and protestations by some of our favorite musicians, it turns out that that was a copyright claim. There's a reason we don't use Napster and LimeWire anymore, because, you know, that music in and of itself has value even in the absence of something physical. 

Dave Bittner: Yeah. 

Ben Yelin: So, yeah, I mean, I think that's really the appropriate analogy here. 

Dave Bittner: All right. Well, we thank our listener for sending in that good question. We would love to hear from you. Our phone-in number is 410-618-3720. You can also send us an email. It's caveat@thecyberwire.com. 

Dave Bittner: Ben, I recently had the pleasure of speaking with Heather Federman. She's from a company called BigID. And our discussion centered on the impacts of Virginia's new Consumer Data Protection Act. Here's my conversation with Heather Federman. 

Heather Federman: The commonwealth has basically taken bits of GDPR and CCPA, the California privacy law, and created its own version of comprehensive consumer privacy legislation. So some of the similarities you might see here are certain data subject rights or consumer rights. There's also now requirements to do risk assessments for any highly sensitive data processing activities. The attorney general has the ability to enforce the law. And there's also a category for sensitive data as well and specific rights that have to be acted out for that as well. 

Dave Bittner: Can you give us an idea of what this means to your average Virginia resident here? How could this affect them? 

Heather Federman: The good news is that any Virginia resident that wishes to exercise their consumer rights with an organization that does business with Virginians not necessarily in the state of Virginia but it meets a certain threshold - so I believe it's around a hundred thousand, but I can confirm that offline - essentially, they can go to their website. They can exercise their rights and basically say, I want to know what data you have about me. I want the ability to download that data. I want the ability for you to delete that data. 

Heather Federman: Now, the one thing to keep in mind with this is that there are a number of exceptions. So any businesses that are considered a financial institution, they're essentially exempt. If they're a health care institution, they are exempt. There are several other exemptions as well. So there are rights for Virginians, but it's somewhat limited in scope as to what those businesses are. 

Dave Bittner: But what about for a, you know, major platform, say, like Facebook, who's sort of, you know, famous or, dare I say, notorious for vacuuming up all sorts of information about folks? Is this sort of thing going to affect them? 

Heather Federman: Yes, Facebook would fall squarely within the sort of company that this would affect. 

Dave Bittner: And how would it affect them? What sort of things would they have to accommodate? 

Heather Federman: Essentially, what would be somewhat different is they would have to say to any Virginia consumer that wants to exercise their right that they would be able to exercise their right. So what they're doing in California would basically become an extension of what they're doing in Virginia. 

Dave Bittner: It's interesting to me that this includes what's referred to as data minimization. Am I correct in my understanding that the organizations - it's OK for them to collect the data that they need, but really no more than that? 

Heather Federman: Yes. Data minimization - it's been one of the long-standing privacy principles. And there's a set of privacy principles that have been around since the early 1980s. And the idea with data minimization is that you collect the minimum amount of data that you need for a given processing activity. On the flip side of that is once you're done with that data, then you can delete it, you can archive it. If there's any duplicate data, then you can get rid of that duplicative data. 

Dave Bittner: So how would this affect, say - you know, we hear about these apps, for example, like, you know, weather apps that are gathering up our location data - that, you know, in exchange for getting information about the weather, our location data gets collected and then gets sold off. Would this fall under something like this, that my location doesn't, you know, have anything to do with my desire to see what the weather's going to be like? 

Heather Federman: Well, it depends because in the case of a weather app, location typically would be necessary. If I'm in California, then the weather in New York, while it might be interesting, is not really going to be relevant to me if I'm waking up in Los Angeles one morning. 

Heather Federman: Does the weather app need to know my advertising identifier? Do they need to know all of my contacts? In that sense, it becomes a bit more of a slippery slope, and I would say no. So for a weather application, it makes total sense to me. But once we start going into other types of information, then it becomes a bit more unclear. So it's up to the developers of these applications, as well as their businesses and their teams, to say, what do we need to create a functional product or service that's actually going to be in the best interest of our users? 

Dave Bittner: Now, in general, does this still make these sorts of things opt-out? In other words, the providers don't have to ask you if you want to opt in; they merely have to give you the option for opting out. Is that accurate? 

Heather Federman: It's another one of those it depends. It's just a little messy, depending on where in the world you are, what's your residency and what type of data you're dealing with. I think a general rule of thumb is that there's certain sort of data types in which it becomes more opt-out. 

Heather Federman: So a clear example might be when you unsubscribe from marketing emails, that's an opt out. Opting in is when, let's say you're downloading a mobile app, and they ask you, can this app collect your location? Can they collect your contacts? That's an opt-in. So those are different types of examples of where consent basically becomes a sliding scale. Within these various regulations, though, there are nuances or differences between when it needs to be opt-out versus opt-in. 

Heather Federman: So the General Data Protection Regulation, GDPR, it's considered to be more of an opt-in regime for data collection as one of the legal bases for processing data. However, with the California's CCPA, that's opting out, so opting out of sharing information, opting out of the sale of information, choosing to say, in the new version coming out in California, I want to limit the disclosure of this information, of sensitive data. And Virginia is somewhat similar in that it's also opt out of - wanting to opt out of the sale or sharing of that sort of information. 

Dave Bittner: Are there any significant ways that Virginia's law is different from, say, California's? Are there any ways that they've taken their own path here? 

Heather Federman: In the United States, we have a very sector-specific approach to privacy regulation. That's how it's been for, let's say, the last few decades. There are specific laws around financial data. There are specific laws around health care data and children's data and et cetera. 

Heather Federman: California basically said, OK, so if you are going to be dealing with financial data that's going to fall under this financial law, then this financial data is not going to be regulated by this privacy law. However, anything that falls outside the scope of financial data for purposes under this law, we have jurisdiction to regulate this. You're on the hook for this law. 

Heather Federman: Virginia took a different approach, and they basically said, well, any financial organization that is subject to this law - that they don't - they basically are out of scope for this law. So they don't have to worry. I don't know if the right way is to say they don't have to worry about it because as a financial institution I would still be wondering what's going to be coming down the pipeline from other state regulations. But that's one key difference that I've actually really seen and I was, frankly, surprised by as well. 

Dave Bittner: Now, this made its way through Virginia's House and Senate pretty quickly. Was there broad bipartisan support for it? 

Heather Federman: Yes. I mean, frankly, I was surprised by the speed at which this got through, considering privacy practitioners have had their eyes on Washington for years now, seeing if something would pass there. And here, as you said, it went through within three weeks. There was pretty much bipartisan support. 

Heather Federman: It seemed that the big sticking points that typically hold up privacy laws were already squared away. And one of those is typically around the private right of action, so the ability for an individual to sue. And that is not included in this law. It would just be the attorney general enforcing this, which, just to add to your earlier question about differences, the California one does have the right for individuals to sue if there is a data breach. 

Dave Bittner: I see. As we record this, is this still on the governor's desk to be signed? 

Heather Federman: Correct. I believe it fell on the governor's desk last Friday, and the governor has seven days for official signature. But I would be very, very surprised if the governor did not sign this, considering the broad support - the broad bipartisan support here. And it generally looks good for the state of Virginia. 

Dave Bittner: Where do you suppose we're headed with this? I mean, do you think we're going to continue to see the state-by-state approach to this, or could we eventually see something happen at the federal level? 

Heather Federman: I'm going with the former. We're going to see more state-by-state activity. There's been a number of states that have been looking at their own privacy laws. Florida's governor has come out with an announcement. New York has come out with an announcement - Minnesota, Oklahoma, North Dakota. There's a bunch of states that are having active discussions. It's just Virginia was the first one to get their act together. 

Heather Federman: In terms of federal, I am somewhat skeptical that we're ever going to get there. If it's going to happen, it could potentially happen in the next few years. But even then, I look at what our landscape is when it comes to security, and we have now 50 different state data breach notification laws. And if we couldn't get our act together in the last several years, when we've seen some of the biggest breaches of our time, then I'm not quite sure if we're going to be able to get our act together for federal privacy legislation. 

Dave Bittner: Yeah, it's a really interesting insight. When does this go into effect? When do Virginians get to enjoy the benefits of this law? 

Heather Federman: It would be January 1, 2023, which is the same day that the new version of California's law, the California Privacy Rights Act, also goes into effect. 

Dave Bittner: So there's a bit of a ramp-up period here where I suppose organizations have time to plan and put things in place. 

Heather Federman: Correct. And that's a good thing ultimately for two reasons. One, it's giving - if the federal lawmakers really want to do something, I mean, it's giving them the signal that, you know, they've got two years to basically get their act together. 

Heather Federman: And also, for any organizations in America that have taken a California-only approach, this might be a signal for them to take a bit of a wider approach to any consumers that want to exercise their rights because this is going to only continue to be a trend of allowing consumer rights to be part of a state regulation. And it's going to look somewhat kludgy in your privacy statement if you're saying only Virginians, only Californians. So I'm really hoping that that, at least, is something that comes out of this. 

Dave Bittner: And what sort of advice are you giving folks who are on the other side of this, who are providing these online services and are going to have to comply with this law? 

Heather Federman: To me, it's about taking a practical approach when it comes to managing these various regulations, to managing your data rights. So it really starts with knowing the data, having a clear sense of where your data is, whose data it is, so a clear data mapping strategy program in place. 

Heather Federman: And from there, I always like to look at what the similarities are between these various regulations and see, OK, so I know that California, Virginia, GDPR - these are all the similar requirements, so I can focus on these and then start to go into what the nuances might be. So really starting from the data layer, then going into what are the similarities. And then finally, we can drill into the details. 

Heather Federman: The one thing that, I mean, I think will be interesting for state regulation will be this question around private right of action because that's really going to be the sticking point as to whether these state laws will get passed. And to me, that's why the Virginia law did get passed. Well, I mean, it's not officially passed, but it has gone through so smoothly. And I'll be curious to see if that's going to be the case with other state laws. I'll be very curious to watch out for that private right of action prong going into the next year. But this is just the first of an onslaught of regulation we're going to be seeing, not the last. 

Dave Bittner: All right, Ben, what do you think? 

Ben Yelin: I mean, first of all, it's exciting. I know we talked about this a few weeks ago. But really, we have our second-in-the-nation law of this type after California's law. I think the Virginia law, as Heather said, takes aspects of both the CCPA and the GDPR. And, you know, it's just going to be really exciting and interesting to see how this plays out in the next couple of years before this law and the revised version of the CCPA go into effect in 2023. 

Ben Yelin: I also kind of glommed on to what she said at the end, where so much of what I look at in these laws is that private right of action because that's really what gives the consumers a lot of power. And, you know, without that, I think there's going to be more industry support for this legislation, for this type of legislation, but the legislation isn't going to be as robust. So I think that's a really interesting dividing line. 

Ben Yelin: And we're going to start to see more of these laws. It's not going to stop at California and Virginia. So not only are you going to have to deal with compliance issues with multiple states, but you're going to have to think about how they all fit together and whether this could be the impetus for some sort of federal data privacy law. 

Dave Bittner: Yeah. 

Ben Yelin: So I thought it was a really interesting interview. 

Dave Bittner: Yeah. Just a quick note, too, is some of our listeners have pointed out that it's not as if only California and Virginia have these laws either. In fact, California gets all the attention, but there are some other states that have implemented privacy laws, I believe even ahead of California. 

Ben Yelin: Yeah. California's is the most comprehensive... 

Dave Bittner: Right. 

Ben Yelin: ...And the most like GDPR, which is why people reference it. But, you know, we've talked about other states where they have at least segments of similar data privacy legislation - Illinois, for example, being one of them. So, yeah. 

Dave Bittner: Yeah. 

Ben Yelin: It is not just these two states. I think what's distinguishing about California, now Virginia, is the comprehensive nature of the legislation. 

Dave Bittner: All right. Well, again, our thanks to Heather Federman from BigID for joining us. We do appreciate her taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. 

Dave Bittner: The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.