ICLE Comments to the Virginia Senate on SB 85
My name is Kristian Stout, and I serve as director of innovation policy at the International Center for Law & Economics (ICLE), a nonprofit, nonpartisan research center that promotes the rule of law and sound economic principles in technology and competition policy. Our work focuses on the legal, economic, and institutional implications of digital regulation. I write today to share my expertise in privacy law, platform governance, and the constitutional limits of state technology regulation.
In particular, I am writing to express serious concerns about SB 85, which would amend Virginia’s Consumer Data Protection Act to require social-media platforms and artificial-intelligence (AI) model operators to implement data portability and interoperability interfaces. While empowering users to access and transfer their data is a reasonable goal, SB 85 goes much further. Its mandates are sweeping, likely unconstitutional, and unworkable in practice.
SB 85 would effectively force platforms to “open the gates” of their systems by requiring them to provide user personal data—including complete social graph data covering a user’s connections and interactions—in a portable format, while also maintaining continuous, third-party-accessible interfaces for near real-time data sharing. This level of mandated interoperability is unprecedented at the state level. It would impose extraordinary technical complexity and create serious risks to privacy and security.
Privacy and Security Risks
Forcing platforms to share detailed social graph data and AI “contextual data” with third parties creates substantial privacy risks. As ICLE Senior Scholar Mikolaj Barczentewicz has explained, mandated interoperability often exposes not only the data of users who opt in, but also the posts, comments, and interactions of other users who never consented to such sharing. If I export my social-media data to another service, that transfer would inevitably include comments and interactions from others connected to me. Those individuals did not consent to having their data shared on a different platform, yet their privacy would be compromised by design.
Even in the European Union—hardly a reluctant regulator of digital platforms—policymakers have raised concerns about mandatory interoperability for social networks. Those concerns focus on risks to user privacy, weakened security protections such as end-to-end encryption, and increased difficulty enforcing existing data-protection laws like the General Data Protection Regulation (GDPR).[1]
SB 85 appears to assume that data can be shared without tradeoffs in privacy or security. In reality, it would create a major loophole. Once user data leaves a platform, the recipient is governed only by its own privacy policies. That weakens the protections Virginia’s current privacy law provides and could encourage bad actors or irresponsible firms to entice users into transferring sensitive data to services that handle it carelessly or exploitatively. In practical terms, SB 85 risks turning personal information into an open book, accessible far beyond its original context.
These risks grow when platforms cannot meaningfully vet or block harmful third parties, including foreign actors or fly-by-night operators. Broad access points create attractive attack vectors, while enforcement mechanisms often lack the ability to detect and stop abuse in real time.[2] Even strong privacy laws depend on effective enforcement, and misuse of broadly mandated interoperability would be difficult to detect or prosecute—especially when bad actors operate outside the United States.[3]
Constitutional and Legal Concerns
SB 85 would fundamentally reshape how major online platforms operate nationwide, if not globally. By imposing sweeping design and data-sharing mandates at the state level, the bill raises serious Dormant Commerce Clause concerns.[4] It would burden interstate commerce and regulate conduct far beyond Virginia’s borders, an area the U.S. Constitution reserves to Congress.
In effect, Virginia would be dictating data-sharing architecture for platforms used across the country. Courts are likely to view that as unconstitutional overreach. The bill may also implicate other constitutional protections by compelling private companies to provide broad access to their systems and user data, potentially raising Takings Clause or First Amendment issues. At a minimum, SB 85 invites legal challenge and preemption, given existing federal laws and regulatory orders that already govern aspects of data sharing and privacy. The General Assembly should be cautious about enacting legislation that would trigger costly litigation and is unlikely to survive judicial scrutiny.
Practical Difficulties
Beyond its legal and privacy flaws, SB 85 presents severe practical problems. Compliance would require platforms to redesign their systems to support continuous, near real-time data portability through open protocols—effectively forcing them to build and maintain open APIs for competitors and third parties. That kind of redesign would divert substantial resources away from innovation and toward compliance, while delivering limited real-world benefits.[5]
The challenge becomes even greater given the bill’s expanded scope, which now includes AI model operators. Companies would need to ensure encryption in transit, implement robust authentication systems, and continuously monitor third-party recipients to prevent abuse. SB 85 would impose an unfunded mandate that turns platforms into full-time privacy and security gatekeepers for an ecosystem they cannot control. The practical result may be fewer privacy protections, more vulnerability, and less innovation.[6]
These obligations would not be one-time. They would be ongoing, forcing companies to police how external actors use exported data indefinitely. Although the bill allows “reasonable” limits on frequency and volume, those provisions do little to reduce the engineering and compliance burden of real-time interoperability. Smaller or newer firms may not be able to absorb these costs, while even large platforms may choose to limit services in Virginia rather than accept the legal and technical risks.
Including AI model operators adds still more uncertainty. Unlike social-media data, there are no standardized formats or protocols for transferring a user’s complete AI-interaction history across systems. Forcing near real-time interoperability could degrade functionality, undermine security, or expose proprietary aspects of AI models. It also conflicts with user expectations about how AI interactions are stored and used.
Conclusion
SB 85 seeks to promote user choice and competition, but its approach carries serious unintended consequences. The bill threatens user privacy, stretches constitutional limits on state authority, and demands technical feats that are impractical or counterproductive. Forced interoperability at this scale is a risky and untested approach that could expose Virginians to significant privacy harms while offering uncertain benefits.
I respectfully urge the committee to reconsider SB 85. Protecting consumer data and fostering competition are important goals, but this proposal relies on a heavy-handed mandate that is likely unlawful, unworkable, and ultimately harmful to Virginians’ privacy and the Commonwealth’s digital economy.
[1] See generally Kasia Söderlund et al., Regulating High-Reach AI: On Transparency Directions in the Digital Services Act, 13 Internet Pol’y Rev. 1 (2024), https://doi.org/10.14763/2024.1.1746.
[2] Mikolaj Barczentewicz, Privacy and Security Risks of Interoperability and Sideloading Mandates, Truth on the Mkt. (Jan. 26, 2022), https://truthonthemarket.com/2022/01/26/privacy-and-security-risks-of-interoperability-and-sideloading-mandates.
[3] Miko?aj Barczentewicz, Privacy and Security Implications of Regulation of Digital Services in the EU and in the US (Stan.-Vienna Transatlantic Tech. L.F. Working Paper No. 84, 2022), https://laweconcenter.org/wp-content/uploads/2022/01/TTLF-WP-84_Barczentewicz.pdf.
[4] Geoffrey A. Manne et al., Comments of the International Center for Law & Economics: OLP182—RFI on State Laws Having Significant Adverse Effects on the National Economy or Interstate Commerce (Sep. 15, 2025), https://laweconcenter.org/wp-content/uploads/2025/09/Comment_-State-Laws-with-Out-Of-State-Economic-Impacts.pdf.
[5] Barczentewicz, supra, note 3.
[6] Barczentewicz, supra, note 2.