Skip to content

Virginia Politics |
Chesapeake delegate says company is violating Virginia’s consumer data protection laws

FILE – Del. C.E. “Cliff” Hayes, D-Chesapeake, addresses members during the floor session of the Virginia House of Delegates at the State Capitol in Richmond, Va., Jan. 20, 2022. A recent investigative report provided to The Associated Press has raised questions about whether Hayes is meeting the state’s residency standards for lawmakers. He insists he is following the law. (Bob Brown/Richmond Times-Dispatch via AP, File)
FILE – Del. C.E. “Cliff” Hayes, D-Chesapeake, addresses members during the floor session of the Virginia House of Delegates at the State Capitol in Richmond, Va., Jan. 20, 2022. A recent investigative report provided to The Associated Press has raised questions about whether Hayes is meeting the state’s residency standards for lawmakers. He insists he is following the law. (Bob Brown/Richmond Times-Dispatch via AP, File)
Staff mugshot of Katie King.
PUBLISHED:

A Hampton Roads legislator is raising concerns about a company he alleges is violating Virginia’s consumer data protection laws.

“Everybody ought to be concerned (with data security),” Del. Cliff Hayes, a Chesapeake Democrat, said Thursday. “We are in the age of artificial intelligence and security breaches, and many people don’t even realize that data is being collected about them online.”

The Virginia Consumer Data Protection Act was signed into law in 2021 and took effect last year. Hayes carried the legislation in the House of Delegates. It allows residents to request to review the data that companies have collected about them, and to opt out of having their data collected or sold.

In a May 7 letter addressed to Johnny Ayers, the chief executive officer of Socure, an identity verification company based in Nevada, Hayes asserted that the company is not abiding by these rules, which the company denies.

When a consumer submits a request about their data, Hayes said they receive an SMS text that links to a landing page where they are asked to verify their identity. The page requires consumers to agree to Socure’s Terms of Use before moving forward.

“Within the Terms of Use are provisions requiring the consumer to waive his or her rights to future class action lawsuits against Socure, as well as an agreement to binding arbitration,” Hayes wrote. “If the consumer chooses to not agree to Terms of Use, the identity verification process is canceled, thus ending one’s inquiry.”

Hayes said those provisions should be deemed contrary to public policy. But he asserted even those who agree to the terms are unable to receive a full disclosure as required under the law.

“My office has observed firsthand that once an individual exercises his or her ‘right to know’ to Socure, they receive an encrypted email with a zip file,” he wrote. “My first concern here is that this practice discourages access to the information, especially with individuals that are not technologically proficient. This practice could discriminate against people of lower incomes and appears to be inequitable.”

Hayes, who works as a chief information officer for the city of Portsmouth, added that his own team was unable to access the contents of the zip file.

Hayes asked Ayers to provide a written response to the “apparent noncompliance” with the data protection act and to explain how the company intended to comply with the law moving forward. He further requested a detailed list of the types of information that Socure collects and all the sources the company utilizes to obtain that information.

“Virginians have a right to know under the law what information you gather and hold on them, and so far it appears you are actively attempting to make that information extremely difficult to obtain,” Hayes wrote.

Jennifer Kerber, senior director of government relations for Socure, wrote back to the delegate on July 1.

“We take seriously the rights granted by all privacy laws, including Virginia’s VCDPA, and have developed a careful process to respond to all requests in a timely and compliant manner,” the letter states. “Upon review, we are confident there is no disruption to Virginians’ ability to exercise any rights granted by the VCDPA, as a result of the processes we employ.”

Kerber said the only requests for access in Virginia have come from the delegate or individuals hired by the company’s competitors. She said those who experience technical difficulties could contact the company for assistance.

Socure implements “robust identity-proofing measures” before sharing any data because fraudsters can impersonate individuals, Kerber added.

The Consumer Data Protection Act provides gives the state Attorney General’s office exclusive authority to enforce violations of the law.

Hayes said Thursday that he was not satisfied with the response and has contacted Attorney General Jason Miyares.

“I can only imagine what a (private) individual would be going through with this company,” he said. “It is our hope that there will be a response from the attorney general.”

A spokesperson for Miyares confirmed Friday that the office had received Hayes’ letter and said the office is looking into the matter. The office could not comment further.

When the Consumer Data Protection Act was adopted, Virginia was only the second state to adopt a data privacy law. But data privacy experts and public interest groups have critiqued the commonwealth’s law as not going far enough and for not being user friendly.

“Virginia’s privacy law puts a lot of work on you if you want to stop companies from collecting and selling your data,” the U.S. PIRG Education Fund wrote in a consumer alert this year. “It’d be better if instead companies were limited to what data they can collect on you and what they can do with it in the first place.”

Katie King, katie.king@virginiamedia.com