Colorado has enacted the United States’ (U.S.) third state privacy law, further complicating the task of the Congress in passing a federal privacy statute. The “Colorado Privacy Act” (SB 21-190) bears greater resemblance to Virginia’s “Consumer Data Protection Act” (SB 1392/HB 2307) (see here for more detail and analysis) than the “California Privacy Rights Act” (Proposition 24). The bill uses an enhanced notice and consent model that puts the onus on Colorado residents to opt out of certain personal data collection and processing subject to broad exceptions. Moreover, there is no private right of action and controllers must be given notice and 60 days to cure violations before the attorney general or district attorneys may enforce the new law.
In a sign that this bill is industry-friendly, some privacy and consumer rights advocates voiced displeasure with the bill. For example, the Colorado Public Interest Research Group argued:
- Here in Colorado, our legislature is considering an “opt-out” bill, meaning that companies get access to our personal data unless we tell them to stop. Furthermore, the bill, SB21-190 titled Protect Personal Data Privacy, only lets consumers opt-out of data collection, tracking, selling and sharing for a few purposes.
- This means that few things will actually change around data privacy in Colorado. We’re enshrining the wrong foundation into law, and the bill will make future data privacy gains harder to achieve.
With privacy legislation currently at a standstill in Congress, it is very likely industry will continue to work state legislatures to block laws it sees as unfavorable and to get favorable laws enacted. Hence, the U.S. may wind up with piecemeal privacy statutes much like the current landscape of data breach and notification laws.
As always, let’s begin with some of the key definitions. Children are defined as those 12 years of age and under, which matches the federal privacy statute the Federal Trade Commission (FTC) enforces, the “Children’s Online Privacy Protection Act” (COPPA).
Consent is defined as:
A clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data.
This is a fairly strong definition, strengthened by subsequent language making clear what does not constitute consent:
(b) hovering over, muting, pausing, or closing a given piece of content; and
(c) agreement obtained through dark patterns.
The bill uses the General Data Protection Regulation’s (GDPR) phraseology of controllers and processors, with the former being an entity “that, alone or jointly with others, determines the purposes for and means of processing personal data” and the latter being an entity that processes personal data on behalf of a controller. Determining which entities are controllers and which are processors will be a fact-specific determination, meaning there is no bright line test or rule in the bill to distinguish between the two.
Personal data is defined widely; it shall be “information that is linked or reasonably linkable to an identified or identifiable individual” that is neither de-identified data nor publicly available information. The strength of the definition will ultimately hinge on how “linked” and “reasonably linkable” are construed, for if Colorado’s courts read these terms broadly, then more of a person’s data would meet the definition and qualify for protection and rights under the bill. If the term is ultimately read narrowly, and undoubtedly any entities fighting enforcement will seek to do just that, then the aperture of personal data rights tightens, leaving entities to do what they will with information outside this definition.
Like many recent bills, there is a subclass of personal data, “sensitive data,” that is subject to heightened rights. This term is defined as:
(a) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status;
(b) genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or
(c) personal data from a known child
The first element is fairly broad and by now standard in many of the privacy bills. The second is also fairly standard but would seem to exclude the processing of biometric or genetic data for purposes other than “uniquely identifying an individual.” Would the processing of these sorts of data for anything short of uniquely identifying a person be outside the definition of sensitive data? It appears so. Consequently, it may be legal under Colorado’s statute to process genetic or biometric data as regular personal data if the purpose is not to uniquely identify people. Regarding the third element, if my elementary-school-age son makes a secret TikTok account with a fake birthday, then the platform might arguably claim it did not know my son was a child and therefore was not responsible for meeting the higher standard for sensitive information.
The definition of sale, sell, and sold requires the exchange of money or something of value, a potentially significant loophole, for much of the data collection and processing world thrives on trading data. Conceivably, trading personal data would qualify as “other valuable consideration,” but this remains to be seen until implementation and enforcement of the bill begin. Moreover, sell, sale, and sold do not include:
(i) the disclosure of personal data to a processor that processes the personal data on behalf of a controller;
(ii) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
(iii) the disclosure or transfer of personal data to an affiliate of the controller;
(iv) the disclosure or transfer to a third party of personal data as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets; or
(v) the disclosure of personal data:
(a) that a consumer directs the controller to disclose or intentionally discloses by using the controller to interact with a third party; or
(b) intentionally made available by a consumer to the general public via a channel of mass media.
Some of these exceptions bear note. A number of companies use Amazon Web Services (AWS). Under the above exceptions, if company A provides me a streaming service that uses AWS, then the company may provide my personal data to Amazon, and I would not be able to opt out of such a disclosure (more on this later). This may prove to be a significant loophole.
Additionally, the last exception under which a person “directs” a controller to disclose information may also be an avenue by which controllers can collect and share personal data outside the confines of the new regulatory system. It will almost certainly prove the case that people will continue to see voluminous privacy notices and disclosures, and it will likely become de rigueur to slip language into these requiring Colorado residents to “direct” controllers to disclose information.
The Colorado Privacy Act would apply to many companies operating in the state. The new bill applies to any controller that:
(a) conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and
(b) satisfies one or both of the following thresholds:
(i) controls or processes the personal data of one hundred thousand consumers or more during a calendar year; or
(ii) derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of twenty-five thousand consumers or more.
This definition would encompass most large companies doing business in the state with significant data collection and processing operations. But many small businesses would be exempt, and they may be a conduit through which a significant amount of personal data may pass to the larger data processing world. Additionally, entities subject to a number of federal privacy statutes, including but not limited to the following, would not be subject to the Colorado Privacy Act:
- The Health Insurance Portability and Accountability Act/Health Information Technology for Economic and Clinical Health Act
- Fair Credit Reporting Act
- Financial Services Modernization Act of 1999 (aka Gramm-Leach-Bliley)
- Family Educational Rights and Privacy Act
Consequently, most entities in the following fields would not need to adhere to the bill: healthcare, financial services, credit reporting, and education. This is fairly standard in many of the more industry-friendly privacy bills that have been introduced in states and Congress, but this recurring set of carveouts seems contrary to the purported motivation for U.S. privacy legislation that would create one standard across the country.
Moreover, the Colorado Privacy Act’s requirements do not apply to a controller’s or processor’s ability to do a number of things, including meeting federal and state government and judicial requirements. These exceptions, which will likely be construed as liberally as possible, may allow controllers and processors to argue that some of their current activities are not subject to the bill, such as the ability to
- conduct internal research to improve, repair, or develop products, services, or technology;
- identify and repair technical errors that impair existing or intended functionality;
- perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer’s existing relationship with the controller;
- protect the vital interests of the consumer or of another individual;
- prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, or malicious, deceptive, or illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action;
It would not prove surprising if many of these exceptions are used in ways that prove contrary to the legislative intent of the bill.
In terms of those activities that are subject to the Colorado Privacy Act, processors must follow the direction of controllers and must help controllers in a number of ways, including helping them meet their responsibilities to Colorado residents. There must be a binding contract between controllers and processors that sets out the processing instructions, including the purpose and nature of these activities and the type of personal data to be processed. Another key passage in any such contract is what a processor is to do with the personal data when the processing is finished. A processor must return or delete these data unless retention is required by law. Additionally, controllers and processors must “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures.” Moreover, like many privacy bills, controllers or processors that disclose personal data to other controllers or processors are not liable for any of the latter’s violations unless the former had actual knowledge that the recipient of the information intended to violate the new privacy regime.
Colorado residents will receive the by-now-usual set of rights regarding their personal data. One may opt out of the processing of her personal data if the purpose is:
- targeted advertising;
- the sale of personal data; and
- “profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer”
Taking the second activity people can opt out of first, Colorado residents can opt out of having their personal data sold. Of course, privacy and consumer rights advocates would prefer that the mechanism be opt in, because in many situations people will choose the default setting, whatever that may be. Hence, if the default setting is that one’s personal data may be sold, then more people will allow that than under an opt-in regime, which would result in fewer people agreeing, as evidenced by Apple’s new iPhone OS.
Setting that issue aside, however, granting people the right to opt out of sales makes the definition of what constitutes selling all the more important. Hence the discussion above about the limits of the term and its exceptions. If a controller is giving away personal data and sharing it freely, this probably does not constitute a sale under the Colorado Privacy Act. Such a controller may face liability for not securing and safeguarding the information, but that’s a different issue. The central issue is that people will only be able to opt out of the selling of their personal data and not the collection and processing of it. Moreover, it is not clear whether trading information qualifies as a sale, although it may, for presumably the personal data have value. But some larger entities may claim the data alone lack value until their proprietary processing methods give it value. In any event, this strikes me as a big loophole.
Going back to the first practice people can opt out of, “targeted advertising,” the practice, as defined under the bill, encompasses ads based on personal data gleaned from websites or apps not affiliated with a controller. In other words, if I happen to be logged into Facebook, and I have opted out of targeted advertising, and I see an advertisement for German luxury cars based on searches and research not performed on Facebook, this practice would violate the new law. But, if I searched on Facebook (of course, why would I, but bear with me) for German luxury cars, then Facebook could show me targeted ads based on this interest. Or, more likely, if I read about German cars, Facebook could start targeting me with BMW and Mercedes ads. The definition of “targeted advertising” is
displaying to a consumer an advertisement that is selected based on personal data obtained or inferred over time from the consumer’s activities across nonaffiliated websites, applications, or online services to predict consumer preferences or interests; and
(b) does not include:
(i) advertising to a consumer in response to the consumer’s request for information or feedback;
(ii) advertisements based on activities within a controller’s own websites or online applications;
(iii) advertisements based on the context of a consumer’s current search query, visit to a website, or online application; or
(iv) processing personal data solely for measuring or reporting advertising performance, reach, or frequency.
This would allow much of the current targeted advertising world to continue apace. Moreover, even if I did see targeted advertising contrary to a clear and affirmative opt out, how would I prove a violation? Enforcement of this proscription may prove tricky.
Finally, the Colorado Privacy Act seems to be making the default setting for the collection and processing of personal data that controllers and processors may engage in “profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.” Before we can digest what this means, we need to review two key definitions. First, profiling is defined as
Any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Consequently, profiling can be my auto insurer using a range of personal data to project the likelihood of my getting into an accident and then setting my rates. Or a potential employer generating a profile on my likely salary request. Or a life insurer digging into my personal data to determine how much I drink, smoke, use illicit drugs, skydive, or whatever to write me a policy.
The other definition spells out the rest of the activity a person may exercise the right to opt out of. The bill explains:
“decisions that produce legal or similarly significant effects concerning a consumer” means a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services.
In layman’s terms, the default setting under the Colorado Privacy Act is to allow controllers to use automated means to make decisions about Colorado residents that could result in the provision or denial of financial services, housing, insurance, education, employment, and other things. If a person does not opt out, a controller is well within its legal rights to do any of the above bounded by Colorado’s civil rights laws or U.S. civil rights laws as the bill makes clear.
The bill permits the use of what has been deemed a universal opt out, meaning circumstances under which one downloads and uses, say, a browser extension that she would click on every website where she wants to opt out of targeted advertising, the sale of personal data, and profiling. There are other described means by which a person could achieve the same. Moreover, every controller must post clear and conspicuous means on its website. There is a potential catch, however. Controllers must comply with all such requests if they can authenticate who the person is. Undoubtedly, it would accrue to a controller’s financial interests to authenticate as few people as possible who are requesting to opt out. Depending on how strictly the Colorado Privacy Act is enforced, this may be another off ramp controllers may use to avoid regulation.
Nevertheless, before 1 July 2024, controllers may allow people to use a universal opt out mechanism, but after this date, they must allow people to do so. Again, the battle may be waged over authentication. Regardless, the Colorado Attorney General must establish technical specifications for universal opt out mechanisms.
Finally, there is a provision allowing controllers to ask people to consent to targeted advertising or the sale of personal data even if a person has already exercised a universal opt out for these practices. This seems contrary to the entire notion of a universal opt out.
And yet, controllers must obtain opt-in consent to process sensitive personal data or the consent of the parents of a child (defined as 12 and under) for the processing of personal data.
Colorado residents will also have the following rights:
- The right to determine whether a controller is processing (but not merely collecting and holding) one’s personal data and to access these data
- A potential ability to correct inaccuracies in personal data depending on the nature of these data and the type of processing
- The right to demand a deletion of personal data
- The right to port personal data “in a portable and, to the extent technically feasible, readily usable format.”
Controllers have 45 days to respond to people’s requests and may unilaterally extend the period by 45 days “where reasonably necessary.”
Controllers may also refuse requests but must furnish the reasons for the denial. A Colorado resident may appeal such a refusal, and each controller must have an internal appeals process. If the denial is “upheld,” then a person may contact the attorney general’s office. Moreover, there is language allowing controllers to request additional information from a person to authenticate her identity. It seems fairly predictable that a significant number of controllers will, as a matter of course, require additional information to honor requests to exercise data rights in order to limit the number of requests they need to honor.
Controllers must provide people “with a reasonably accessible, clear, and meaningful privacy notice that includes:
(i) the categories of personal data collected or processed by the controller or a processor;
(ii) the purposes for which the categories of personal data are processed;
(iii) how and where consumers may exercise the rights pursuant to section 6-1-1306, including the controller’s contact information and how a consumer may appeal a controller’s action with regard to the consumer’s request;
(iv) the categories of personal data that the controller shares with third parties, if any; and
(v) the categories of third parties, if any, with whom the controller shares personal data
Moreover, if controllers sell personal data to third parties or process personal data for targeted advertising, they must “conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing.”
Controllers must also specify the “express purposes” for which personal data are collected and processed. Likewise, there is a duty to collect only the personal data that is “adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed.” Moreover, controllers are banned from secondary uses of personal data unless they obtain consent from people. While “secondary use” is not explicitly defined, the bar against secondary use seems to cover use beyond purposes that are reasonably necessary for or compatible with the specified purposes for which the data were collected. Controllers also have a duty of care to take “reasonable measures” to protect personal data in “storage” and from “unauthorized acquisition.” Does this duty extend to personal data in transit? It is not clear. Moreover, who authorizes the acquisition of personal data? Might a controller authorize the disclosure of data to a third party without valuable consideration regardless of what a person wants? It seems like this is permissible under Colorado’s new privacy law.
Controllers also have a duty to conduct a data protection assessment if their processing presents a “heightened risk of harm” to people. This concept is defined as including:
(a) processing personal data for purposes of targeted advertising or for profiling if the profiling presents a reasonably foreseeable risk of:
(i) unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
(ii) financial or physical injury to consumers;
(iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person; or
(iv) other substantial injury to consumers;
(b) selling personal data; and
(c) processing sensitive data
Data protection assessments would be made available only to the attorney general and could not be obtained through freedom of information requests. However, data protection assessments are only required after 1 July 2023 and need not be retrospective, meaning they will almost certainly only cover activities after that date.
There is no private right of action, and only the attorney general or district attorneys could enforce the Colorado Privacy Act. Under existing authority, the attorney general and district attorneys could seek civil penalties of $20,000 per violation and injunctive relief for violations. However, they could not seek damages for willful or egregious violations. Finally, before they can go to court to ask for an injunction, the controller must be given notice of the violation and 60 days to cure the conduct.
The statute will come into force on July 1, 2023 unless a referendum petition is filed within 90 days of the end of the legislative session to put the legislation to a vote on the 2022 ballot in Colorado.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.