02.15.2021 Data & Privacy Legal Developments: Virginia Consumer Data Protection Act, Data Scraping, CFIUS and more
2021 promises to be an exciting year in the data and privacy space. With the adoption of technologies that collect, analyze, aggregate, distribute and share data, and the implementation of new laws and regulations in response, businesses need to be aware of the impact these developments will have on current and future operations.
The following is a summary of recent developments in this evolving area of law.
Will Virginia Become Second State to Adopt Comprehensive Data Protection Law? Surprising many, Virginia is set to become the second state, after California, to adopt a comprehensive data protection law. Virginia’s Consumer Data Protection Act (CDPA) is expected to be approved by the Virginia legislature and signed by the Governor later this month. A business that targets products or services to Virginia residents and (i) controls or processes personal data of at least 100,000 consumers or (ii) derives over 50 percent of its gross revenue from the sale of personal data and controls or processes personal data of at least 25,000 consumers would be subject to the CDPA. However, there are a number of organizations and data types that would not be covered by the law. The law would begin to take effect on January 1, 2023.
Another High-profile Data Scraping Case. Southwest Airlines has filed a complaint against Kiwi.com in the U.S. District Court for the Northern District of Texas, alleging that Kiwi scraped fare information from Southwest’s website. Southwest claims this action constituted a breach of contract and a violation of the Computer Fraud and Abuse Act (CFAA). Web scraping was addressed by the Ninth Circuit Court of Appeals in HiQ v. LinkedIn, although a petition for certiorari in the case is before the U.S. Supreme Court.
Amazon Transparency Report Shows Increased Government Requests for Data. Amazon released its semi-annual Information Request Report. The report describes, at a high level, requests by government agencies for data collected or stored by Amazon. The report, which includes requests for both content and non-content data, covers its shopping services, products (e.g. Ring, Echo) and data stored on the AWS cloud. According to the report, Amazon received a significant increase in government requests for user data in the last six months of 2020.
Report: CFIUS Looking at Prior VC Deals Involving Sensitive Technologies. According to a recent Wall Street Journal report (paywall), the Committee on Foreign Investment in the United States (CFIUS) has a team of approximately two dozen people “tasked with rooting out old investment deals that involve sensitive technologies that could pose a threat to national security.” The team’s focus includes reviewing venture capital investments to determine whether the source of funds can be traced back to China. The Foreign Investment Risk Review Modernization Act (FIRRMA) of 2018 gave CFIUS much greater authority to examine transactions involving technology companies that collect or store sensitive data of U.S. citizens, due to national security concerns.
Stay tuned for more legal developments related to data management, including privacy and data protection, cybersecurity, intellectual property rights and data quality. Please contact Kevin Pomfret (703.760.5204 | email@example.com) with any questions.