A version of the following public comment was submitted to the Virginia Senate Committee on General Laws, Technology Committee on January 28, 2026.
The Technology Policy Project at Reason Foundation has provided pro bono consulting to public officials and stakeholders to help them design and implement technology policy reforms around the regulation of artificial intelligence (AI) and other emerging technologies, digital free speech, data security and privacy, child online safety, and tech industry competition policy. Our team brings practical, market-oriented strategies to help foster innovation, competition, and consumer choice through technology policies that work.
We share the sponsor’s goal of empowering users to control and delete their data, but Senate Bill 85, in its current state, would ultimately hinder the legislature’s ability to achieve that goal.
The core of our concerns centers on problematic interoperability requirements that pose privacy and cybersecurity risks. Proponents of interoperability mandates, such as the one outlined in SB 85, often overemphasize companies’ ability to interoperate within a closed ecosystem of products and services. Indeed, there is a driving market incentive to make services cross-functional online. But when this kind of interoperation occurs, it is done between parties with heightened data protection practices and protocols.
What this bill contemplates, on the other hand, is forcing companies to interoperate with anyone regardless of the receiving party’s data protection standards. Such a mandate would disregard the improvements made in data privacy and cyber threat minimization and significantly undermine a company’s ability to safeguard user data.
When user data is transmitted, the privacy and security protections from the originating platform cannot be guaranteed to be as stringent on the receiving platform. Because companies would be required to comply with interoperability requests, even if they find the third-party platform’s data protection protocols insufficient, this bill would open the door for a new generation of online hacks and cybercrime.
These concerns are compounded by SB 85’s application to certain AI “model operators” and “contextual data.” Contextual data can include prompts, chat histories, uploaded files, preferences, metadata, and model-generated or inferred data linked to a user’s interactions. This information is often far more sensitive than typical social media exports and more likely to include third-party information. Requiring third-party accessible interoperability interfaces for this category of data increases the attack surface and heightens privacy and security risks.