https://www.eff.org/deeplinks/2021/02/virginians-deserve-better-empty-privacy-law

https://www.eff.org/deeplinks/2021/02/virginians-deserve-better-empty-privacy-law

How can this be called a Consumer Data Protection Act when it will allows companies to charge consumers more because they wanted to keep their data private? How can not holding companies accountable be a Consumer Protection? Whoever wrote this bill should be ashamed of the blatant anti-consumer pro-monopoly contents.

Why should the ability to sue a company for violating privacy reside only with the Attorney General? That means there is a single point of failure. If the AG is not interested in pressing such charges there is no recourse for any Virginians for the AG's whole term! Plus the right to cure provision is basically a get out of jail free card. The momentum required to get one of the suits going in the first place would evaporate as soon as the violator claims they are going to fix it.

N/A

Please pause SB1392. It is bad for business. When your constituents realize, and they will, that they have to go to every website and find the way to ask that their information not be collected and shared or the information will always be collected, they will be angry. This legislation doesn't even allow a technophobic person to have someone else do it for them. When consumers realize that what they heard was groundbreaking consumer data protection actually prohibits us from obtaining redress when businesses misuse our data, they will tell others not to trust the internet. If you want to stop consumers from using the internet, pass this legislation. If you want to encourage consumers to use it and build business, fix it so the automatic action of business is to NOT collect and sell consumer data UNLESS the consumer knowingly gives permission. Add an enforcement mechanism in that allows the Attorney General to act and give consumers something to do other than just complain to the Attorney General who does not have time or resources to check out every consumer complaint. If you pass this bill as it is written, Virginia will be advertised as the state no one should emulate on this legislation. Businesses may be happy, but you can bet that consumers will not be happy and that the fallacies with this Virginia law make it a place where consumers dare not do business. Don't promise to study it and fix it next year. Wait to pass the law until you get it right. Protect Virginia businesses and consumers.

Protect our personal information, not industry's ability to use it if we don't manage to take all the refusals.

I understand this bill offers no way for people to sue companies for violating their privacy. So I am unsure why anyone would even consider it. It seems after the four years we have just endured we need to strengthen privacy and other methods to keep our data safe online. If this bill has no teeth it seems we are going backwards. Please, please stop catering to large tech firms. They don’t need your assistance. We do.

As a resident of Virginia and someone who has been in the tech industry for nearly 30 years, I must firmly state my opposition and downright outrage at the ridiculous industry-drafted "privacy" bill currently gaining favor in our legislature. This bill offers almost no ability for individual residents to sue on behalf of violations; it offers an easy-out "remedy" for companies to "fix" violations without correcting for past actions and creates a path for companies to charge Virginia citizens for "opting out of sharing their information. No bill should be passed that lacks a private right of action, no company should be able to charge me for insisting on my privacy. I will be contacting my representatives directly, but this bill is simply a copycat of bills proposed in numerous states and completely drafted by industry. Shame on you.

Please pause SB1392. It doesn't protect consumers. You can't expect every consumer of online data to understand and respond to the privacy settings of every website, or to figure out how to stop social media from collecting our data. So far the U.S lags the rest of the world in protecting consumer privacy.

Consumer Reports sincerely thanks you for your work to advance consumer privacy in Virginia through the Consumer Data Protection Act (CDPA). The bill would extend to consumers important baseline privacy rights. However, the CPDA should be modified to at least bring it up to the standard of the California Consumer Privacy Act (CCPA), which was recently strengthened by the passage of Proposition 24, the California Privacy Rights Act (CPRA). That would help ensure that the CDPA is practically workable for consumers, and that Virginians have protections that are at least as strong as those in California. A strong default prohibition on data sharing is preferable to an opt-out based regime which relies on users to hunt down and navigate divergent opt-out processes for potentially thousands of different companies. A better approach would be to set strong limits on the data that companies can collect and share. CR has documented that California consumers often find it difficult to locate Do Not Sell links on data brokers’ homepages. Further, about 14% of the time, onerous opt-out processes prevented consumers from opting out. However, within the parameters of an opt-out based bill, we make the following recommendations to improve the CDPA: Require companies to honor browser privacy signals as opt outs: Consumers need tools, such as a global opt out, to ensure that they can better exercise their rights. The Global Privacy Control specification is already designed to work with the CCPA, and could help make the opt-out model more workable for consumers. Add an authorized agent provision: CDPA should also be amended to include the CCPA’s “authorized agent” provision that allows a consumer to designate a third party to perform requests on their behalf—allowing for a practical option for consumers to exercise their privacy rights in an opt-out framework. Strengthen enforcement: The “right to cure” provision in the administrative enforcement section of the CDPA should be removed, as Proposition 24 removed it from the CCPA. It ties the AG’s hands and signals that a company won’t be punished for breaking the law. Consumers also should be able to hold companies accountable for violating their rights—there should be some form of a private right of action. Strengthen control over targeted advertising: The CDPA’s opt out should cover all data transfers to a third party for a commercial purpose. The CDPA’s current language is ambiguous, and could allow internet giants like Google, Facebook, and Amazon to serve targeted ads based on their own vast data stores on other websites, in spite of the opt out. Remove the verification requirement for opting out: CDPA sets an unacceptably high bar for opt-out requests by subjecting them to verification by the company. Much of that data collected online (including for targeted advertising) is tied to a device and not an individual identity, rendering opt-out rights illusory. Non-discrimination. Consumers shouldn’t be charged for exercising their privacy rights—otherwise, those rights are only extended to those who can afford to pay for them. We urge you to adopt consensus language from the Washington Privacy Act that limits the disclosure of information to third parties pursuant to loyalty programs. Thank you again for your consideration, and for your work on this legislation. We look forward to working with you to ensure that Virginians have the strongest possible privacy protections.

I do not believe that SB1392 actually protects consumers as you intend for it to. The process endorsed by this bill is far too cumbersome for seniors who did not grow up using the complex computer technology that would allow us to set up protection for our data on multiple sites. Please work to establish secure and manageable tools to protect our privacy rights. Slow down and work out the snags in this legislation so it achieves its goals which will benefit all of us. Respectfully, Tina L. Smusz, MD

This bill does not protect consumers. Technology is confusing enough for those over 65 without eliminating the ability of our children to help us remotely. Consumers no matter what age they are deserve to be protected from corporations mining our data when we have not given permission. We cannot be expected to find the opt in procedure for every web site that we visit to try to protect our privacy. Put a pause on SB 1392! Get this right!

Please do not pass the consumer date privacy act that will protect me only if I find the way each internet site uses my data. Finding how to opt out should be upfront, visible, and in large print for those elderly who have difficulty reading fine print. There should be an "opt in" feature rather than an "opt out" feature that is extremely difficult to find an understand. Wording should be written at an 8th grade level so all can understand.

The data privacy law can’t require the attorney general to bring a case against violators. That provision means Amazon and the AG will just be buds. Also the “cure” time should not exist. If they can beat the case to trial and show they’ve taken all the right measures, the judge can decide if they’ve cured.... no period should be baked into the law. I agree that we need this sort of protection. The law is mostly good. Just allow individuals to sue and eliminate the cure period.

Why should any bill, like SB 1392 , allow big tech make the rules? Don't put the fox in a position to guard the hen house. I am not a Virginian but I believe every American should guide the creation of laws throughout our great country because, ultimately, we are all Americans looking to maintain uniformity of our American values.

I am very opposed to this bill because it is far to weak to protect citizens privacy. Privacy is a vital issue because of the growing power of technology firms such as Amazon, FB and google. It is imperative that any privacy bill have an opt- in procedure for the use/sharing of our data, NOT an opt- out. Also, this bills allows tech companies to penalize citizens who opt out by charging them or limiting their service. That provision makes this bill utterly worthless. Privacy is critical to freedom, as its violation leads to manipulation and coercion. Please give us better privacy protection and defeat this bill!!

As a Virginia resident I commend the committee for working to address the issues data rights and privacy. These are important and have not received the attention they deserve. I must, however, admonish the committee for embracing a bill that does not achieve or even attempt to truly protect citizens from the predatory practices of the data industrial complex. This bill fails to include a private right of action for citizens to seek redress. It fails to require opt-in for data sharing and relies on the proven failure that is opt-out. Worse, this bill allows companies to punish consumers who opt out. The committee is faced with an historic opportunity to lead by example and craft a bill that truly protects and respects Virginian's privacy and data rights. Sadly, SB 1392 does neither.

I returned home from working in tech in San Francisco in part because of my extreme disillusion with data privacy and startups. I’ve watched employees access dating direct messages that contained images in order to laugh at people’s anatomy. I had a friend whose ex had been given full access by his employer to her ridesharing use—and from that he discerned who she was beginning to date and harassed him until the fledgling couple split. Tech companies would have you believe that is possible to anonymize data, but this is a lie, and they know it. Tech companies would have you believe that their data repositories are “unhackable” but this is a lie, and they know it. We should always remember the words of Mark Zuckerberg, bragging to a friend about how much information he had gathered on his classmates—the friend he was messaging asked how he’d managed it—“I don’t know why” Zuckerberg typed. “They trust me.” “Dumb f—ks” While you might feel Zuckerberg has changed since he was 19 there has been no evidence to suggest he has had a change of heart since, but now he has a better PR team. Tech companies are only going to protect us as much as they can be held financially liable for. If we cannot punish them for damaging our credit, our relationships, our reputations, our livelihoods and even our physical safety, they will never change. Passing a bill that has the full support of Microsoft and Amazon is to reveal that your allegiance is with donations, not with the safety of your people, and your name will be recorded on the wrong side of history when Americans realize just how much they’ve lost.

I urge you to voice NO on SB 1392. It is ostensibly a consumer privacy bill, but is in fact more effective at eliminating consumer privacy. It offers no private right of action, which would allow consumers to act in their own interest, but relies on the Attorney General's office to fight those violations the AG deems worthy. The bill also allows companies to penalize customers that opt-out of having their data used for privacy invading purposes. Privacy is a fundamental human right. Privacy should not be available only when requested; opt-in should be the default, and personal data shared only with explicit, informed consent from the customer. Privacy should be available to all, not only those who can afford the financial penalties. Thank you for your consideration.

https://www.eff.org/deeplinks/2021/02/virginians-deserve-better-empty-privacy-law

To Whom It May Concern (especially my Commonwealth Senator, Hon. John Edwards): Concerning consumer privacy of personal data and collection of consumer data by online companies, as I read it, this bill tends to protect corporations and "big tech" rather than the citizens of the Commonwealth/consumers. It would seem to me that instead of placing the onus on the consumer to find the opt-in procedure for every website a person uses (or might use) and try to figure out how to stop social and commercial media companies from harvesting consumer data and using it for profit, the social and commercial media companies should be forced to provide an "opt-out" box to check, one that prohibits their using consumer data for gain or profit. In addition, because some (many?) are not "computer savvy", but may wish to use these social commercial media sites in their everyday life, it seems appropriate that a consumer could legally assign an individual/group (family members, friends, attorney, etc.) to act for the consumer to block use of consumer data by social and commercial media sites (as opposed to forcing each individual to do this themselves - as I pointed out, not everyone is "savvy" and has the computer skills to do the search and wade through the "legal-ese" required to block unwanted data harvesting). I find it commendable that our Senate and House of Delegates is addressing this problem, but I feel that this proposed piece of legislation is acting more for the "protection" of the media/commercial companies versus acting in the best interests of the consumer/citizen. I would ask that Senators and Delegates re-evaluate this bill, and draft a bill that better protects the interests of the public (versus "protecting" the big tech companies who stand to gain from harvesting data on consumers/citizens of the Commonwealth. This is a big problem in the United States, and I would hope that here in Virginia we would take the time and do the research to adequately protect the private citizen from data harvesting for profit by online companies. Respectfully yours, Phil Pickett Blacksburg, VA

I write to ask you to reject this bill, which is written to greatly benefit tech companies, and all companies that wish to use our private data for their own benefit. This bill is written to seem "as if" a security and privacy bill -- to be a "consumer protection bill" -- but rather creates barriers and obstacles for those wishing to truly protect their own data. Or, those such as parents or adult children asked to help their parents to protect their data. In these respects, it is truly a wolf in sheep's clothing. We surely do need consumer data protection in Virginia, in the U.S. generally, which falls far behind in these consumer rights and protections as compared with other technology-rich nations. Why is that? Because of the lobbying and campaign donation power of corporations. Please do not vote for this bill that would raise the bar for creating protections for children, to aid anyone needing our help to navigate the privacy and protections issues. It makes protection of our data onerous, requiring that each individual go to each individual website and perform particular privacy protections for each, no matter that none of these website have a uniform standard format for doing so. This bill penalizes all but those with the most time, perseverance and familiarity with all manner of website formats! Really? Which one of you will enjoy performing these machinations for every website you use? Stop this bill, please! Lakshmi Fjord 420 Altamont St. Charlottesville, VA 22902

I am concerned SB 1392 does not do enough to protect us from predatory e-commerce practices. As well intentioned as it is, I fear this construction invites predatory behavior because it actually limits the legal liability of companies abusing consumer data. Specifically, the provisions denying a private right of action and allowing companies to cure defects to avoid liability are disappointing. These are meaningful penalties that companies must consider before engaging in harmful practices. I hope the Committee will reconsider, and use this opportunity to protect all Virginians’ privacy rights.

I urge all those in this committee, regardless of party affiliation, to vote "NO" on this bill, which is called a privacy bill, but would do little to protect the privacy of Virginia's citizens, and in fact create a system where Virginians must pay to preserve their privacy rights. This bill should be voted down, and a real privacy bill moved forward next year. Real privacy would include a broad private right of action to allow Virginians to bring suit against companies that violate privacy laws. This bill provides a "right to cure" provision that allows companies to willingly violate the law, so long as they take action AFTER the state Attorney General brings suit. This is unacceptable. Companies should be held accountable for violations of privacy. One does not allow a car thief to go free provided he or she returns the stolen vehicles. A real privacy law would require consumers to "opt-in" to data sharing, rather than having to go through an onerous process to preserve what should be there default rights to privacy. This bill does not have such provisions. Even worse than all of the other shortcomings, this bill would allow companies to engage in "pay for privacy" where Virginians can be charged higher fees or offered fewer goods and services should they choose to protect their privacy and not share information. Privacy should be the default right of all Americans, not a privilege offered only to those willing and able to pay for it. In short, this so-called "Consumer Data Protection Act" is a wolf in sheep's clothing and should not move forward.

Consumer protection in the United States is far behind other developed countries, particularly Europe. The primary reason is companies want protection to use personal data for profit. The legislation presented by legislators is usually prepared by or highly influenced by companies using personal data. I would enjoy receiving the same protection big tech firm’s desire and work diligently to obtain. I should not have to contact a firm informing them my personal information is not for disclosure. Any legislation promulgated should clearly define and protect the public’s privacy.

Regarding SB1392: I urge you to Vote No and Stop this bill. While this bill calls itself a 'Consumer Data Protection Act,' it has several components that are against consumers, against privacy, and that result in big tech having free rein to do as it likes with our data with no consequences. I am particularly disturbed by the following: - This bill has no 'private right of action.' While the Attorney General’s office could bring a lawsuit, it offers no way for people to sue companies for violating their privacy. Private rights of action are a vital tool for ensuring that people can act in their own interest to protect their privacy. - This bill stacks the deck against consumers even more under its “right to cure” provision: If the Attorney General sues a business for violating people’s privacy, the business has a chance to fix what it did wrong, which would make the Attorney General's lawsuit go away. Considering how much time and work goes into bringing a lawsuit, giving the other side a cheap and easy out clearly illustrates how a right to cure allows this bill to look like it protects consumer privacy, while not really doing so. - And, in a truly Anti-Consumer vein, this bill also explicitly allows companies to engage in “pay for privacy” schemes, which punish consumers for exercising their privacy rights. In the case of this bill, it says that consumers who opt-out of having their data used for targeted advertising, having it sold, or for profiling, ***can be charged a different “price, rate, level, quality or selection of goods and services.”*** That means punishing people for protecting their privacy—a structure that ends up harming those who can’t afford to protect themselves against data protection. Privacy should have no price tag. Privacy should not only be available for those who have easy disposable income! As a resident of Virginia, I want to see a Privacy bill that has the following: -Protect people’s privacy by default by letting them opt-in to data sale and use, rather than having to go to each company to ask them to stop using their information. -Require companies to commit to strict standards for what information they ask to collect in the first place. -Have real teeth to make sure that companies don’t get away with violating privacy rights. I fully support the Electronic Frontier Foundation's recommendations for consumer data privacy laws: https://www.eff.org/deeplinks/2019/06/effs-recommendations-consumer-data-privacy-laws Please fully amend this bill to comply with these best practices that will truly protect consumer data privacy, or leave this bill in committee and bring back a strong consumer data privacy bill next session. Thank you for your time and consideration. Sincerely, Virginia Pannabecker

Every citizen of the Commonwealth, regardless of their tech access and savvyness, deserve real and reasonable protection of their data. Consider the nightmare of COVID vaccine registration in the ability of every citizen to address their data on every website. Requiring endless hours finding hidden opt-in procedures for every website and figuring out how to stop social media from collecting data is not reasonable nor is prohibiting me from assisting my 93-year-old mother in protecting her data. Consumers require real tools to enforce our privacy rights, not lip service that in reality looks out for big tech. Pause on SB1392 and get it right for consumers before proceeding.

This law is inadequate by the standards of the EFF and seems likely to worsen privacy and consumer data protection, in addition to causing privacy minded consumers to have to pay more. That is not a direction the commonwealth should move in, I understand we are friendly with tech companies but that doesn’t mean giving them access to the pockets of everyone in the commonwealth that doesn’t enjoy having their data scraped into someone’s algorithm.

I support strong online privacy across the Internet. Please back online privacy and security education, rather than weak consumer privacy bills and subsequent pay-for-privacy tactics. Thank you for your time and service.

Common Sense is a national, independent, nonpartisan voice for America’s children, working to ensure that every child has the opportunity to thrive in the 21st century. We have been active in advancing kids’ and families’ privacy rights across the country, and while we support the aims behind the Consumer Data Protection Act, we are neutral on SB 1392 as drafted. As drafted, SB 1392 is missing some of the protections in comparable privacy legislation like the Washington Privacy Act. First, to the extent Virginia wishes to enact a privacy law that is interoperable with existing privacy laws, extra protections for children and teenagers must be included in this text. This is our key priority. SB 1392 as drafted defines “child” as a “any natural person under thirteen years of age.” We would recommend the bill instead refer to “minors” and be expanded to include persons under the age of sixteen. The data of minors should be deemed universally sensitive subject to opt-in consent requirements, and for minors under 13, parents or guardians should provide affirmative authorization before a business is permitted to process their personal data. Second, SB 1392 includes a number of what appear to be unintended exceptions. Privacy practitioners have already highlighted that, as drafted, the law excludes any business that is in any way covered by federal financial and health privacy laws. These protections should follow the data, not the entity. For example, Google offers products that make it a HIPAA “business associate.” It cannot be the intention of lawmakers to exempt Google from this bill, yet this is arguably what it does. Third, the bill purports to include limits on how companies can process data, which are data minimization and purpose specification provisions. These are designed to stop practices like phone flashlight apps collecting and selling geolocation data, but SB 1392’s provisions are not restrictive. They’re both conditions on disclosures to consumers, which sounds empowering in theory, but the reality is the bill does not improve the readability or accessibility of the impenetrable legalistic privacy disclosures that companies already provide. The bill also lets companies collect as much data as they want to develop new products and services. Building a new product does not justify overriding consumers’ rights, and the breadth of this exception is limitless by the plain text of SB 1392. Finally, we remain concerned about how this bill will be enforced and would like to know whether the Attorney General feels comfortable enforcing this law. We would ask lawmakers whether they intend to pass a paper tiger. As a point of comparison, the Washington Privacy Act provides for 3.6 FTEs to conduct three investigations per year. Common Sense believes that level of enforcement is completely inadequate, but we would ask lawmakers whether that amount of enforcement they intend here: sending three and a half attorneys up against the biggest data companies in the world. Common Sense is encouraged that Virginia lawmakers are exploring ways to provide better privacy protections for Virginians, but we hope SB 1362 can be strengthened before hurriedly enacted into law. Thank you. Joseph Jerome Director, State Advocacy

We support your desire to protect your constituents’ privacy. Unfortunately, the Consumer Data Protection Act, SB 1392, falls short in many ways. It is based on the outdated “notice and opt-out” framework which underpins the current system of commercial surveillance and fails to provide consumers with meaningful control over their personal information. Instead of requiring companies to get people’s permission before using their data, it places the burden on consumers to navigate today’s incredibly complex data ecosystem and take steps to opt-out of unwanted uses of their data (to the limited extent it allows). Making “opt-out” the default disempowers consumers and poses equity concerns; consumers with less time and resources to figure out how their data is being used and how to opt-out will inevitably be subject to more privacy violations. The default should be “opt-in.” Other concerns about the bill include: • It gives consumers no rights concerning the personal data that may be gleaned from social media and other “channels of mass media” if they didn’t adequately restrict access to that information. • It gives consumers no control over businesses selling their personal information to affiliated companies. • It requires opt-in for processing consumers’ “sensitive data” but not for uses of their personal information that may be sensitive. • It allows consumers to opt-out of seeing targeted advertising based on tracking their activities over time on multiple websites and apps and profiling them, but that opt-out does not stop the tracking and profiling from occurring. • It does not apply to advertising based on tracking consumer’s activities over time on the company’s own website or app and profiling them – the business model of Google and Facebook, which profit from profiling and targeting consumers on behalf of other businesses. • It only gives consumers the right to opt-out of profiling when it is used “in furtherance to decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer.” There is no overall right to stop being tracked and profiled. • It does not apply to consumers’ personal information when it is in the hands of financial services companies or other businesses that are covered by other laws, even if the privacy protections of those laws are much weaker. • It allows parents and legal guardians to exercise consumer’s rights but does not enable consumers to designate others to act on their behalf, as an aging parent who doesn’t understand technology might want. • It allows businesses to charge consumers more or provide them with lower-quality products or services if they exercise the limited rights they have to opt-out of targeted advertisements, their personal data being sold, or being profiled. In other words, if consumers want privacy, they have to pay more, a blatantly discriminatory policy. • It lets the companies that share consumers’ personal data with third parties avoid any responsibility if those parties violate the law unless they knew they intended to do so. (So Facebook would have no liability for what Cambridge Analytica did with users’ personal information). • It prevents consumers from taking legal action to enforce their rights. • It creates a “right to cure” that hampers the ability of the attorney general to take action to stop bad practices and obtain remedies for consumers. Let's work together to truly protect Virginians' privacy.

Our clients provide people search services that are widely used by law enforcement, government agencies, businesses, and consumers. They support strong privacy laws such as SB 1392. However, one aspect of the bill--its right to deletion--is unclear and potentially unworkable for these companies. Specifically, it is unclear if a consumer's right to "delete his personal information" as found in sec. 59.1-573.A.3 applies both to (1) companies to which the consumer provides that information and (2) companies that obtain that data from third parties. Our clients, like many other companies, collect consumer data only from third parties. If the deletion requirement is meant to apply to these companies, it poses significant compliance challenges. The reason is that these companies obtain consumer data on an ongoing basis, typically receiving updated data flows from their third party sources on a weekly or monthly basis. As such, the companies could delete a consumer's data at the time of the consumer's deletion request. However, within days or weeks, the consumer's data once again will be sent to the companies' database, making the deletion only temporary. Alternatively, the companies could retain enough of the consumer's data to allow them to identify and re-delete the later-acquired data. But, then, the companies would not have complied with the consumer's initial deletion request and be in violation of the law. For these reasons, the California privacy law, on which HB 2307 ostensibly was based, applies the deletion requirement only to companies that collect data directly from consumers. CA Civil Code sec. 1798.105(a). We request that SB 1392 do the same, by amending sec. 59.1-573.A.3 to read: "To delete personal data provided by the consumer." Consumers would not be harmed by such an amendment. They would still be able to stop the unwanted circulation of their data through their opt out rights (which prevent companies from selling the consumers' data or using it for advertising or profiling). In this regard, the bill could be amended to require companies that do not collect data directly from consumers to treat deletion requests as opt out requests.

Pay for privacy is unconstitutional. This can not pass. Virginia deserves privacy.

Legislative staff to the Commission on Youth. Available if needed. Background:  Federal KinGAP was established in Virginia in 2018 to facilitate placements with relatives and ensure permanency for children for whom adoption or being returned home are not appropriate permanency options.  The current Federal KinGAP has eligibility requirements imposed by the Federal Government that are too rigid and prevent its wider use. This bill creates a state program to expand its use to assist children in foster care achieve permanency through kinship placements, exiting the foster care system with financial supports. Explanation of SB 1328 costs:  Department of Social Services estimates a combined total of 90 children will be eligible to enter the State-Funded KinGAP in FY 2022 and 100 children will be eligible to enter in FY 2023 and every subsequent year.  Compared to last year’s bill, this year’s SB 1328 reduces costs and creates cost savings by: • Adding the requirement that the child be in the custody of the local department for at least 90 days. This requirement ensures that the program is targeting the correct population. • Including a second enactment clause to target children who have an appropriate relative who is willing to become their caregiver but is unable to complete the foster home approval requirements.  The Department of Social Services anticipates that these children will exit foster care sooner than they had prior to State-Funded KinGAP, thus saving the higher costs of being in foster care.  Funding for this year’s State KinGAP program has also been limited to room and board (maintenance cost), which will result in additional savings.  State-Funded KinGAP’s OCS costs (partially offset by DSS savings) will continue to grow every year until the number of children aging out equals the number entering the program, at which point the program will stabilize. Children will receive on average 10.5 years of State-Funded KinGAP basic maintenance payments.