The Colorado Privacy Act will take effect July 1, 2023 and local attorneys are gearing up to help local businesses navigate the change, as a federal proposal also looms.
The act lets users opt out of the sale of their personal data or the use of that data for targeted advertising. The public will also be able to know if their data is collected and be able to access it, correct it or delete it.
According to the bill summary, controllers are also required to conduct data protection assessments concerning their processing activities of personal data that’s at a heightened risk. The CPA can also only be enforced by district attorneys and the attorney general.
Rich Spilde, a partner at Holland & Hart who deals with data and privacy security concerns, said the CPA rides on the coattails of what Europe put in place with the General Data Protection Regulation.
“I describe this as a wave,” Spilde added, with California being the first state to implement something like GDPR.
Now other states, like Colorado, have followed suit. Spilde surmised it’s because the public is becoming more aware of the prevalence of data privacy issues.
“I think what’s driving the Privacy Act is you read every day about data breaches, you read every day about big ransomware events; I would expect that for every ransomware event or big data breach you read about, there’s plenty of others that you don’t because events happen and maybe they don’t trigger a disclosure requirement,” Spilde said.
The situation around data privacy and the CPA is also fluid. Austin Chambers, an associate at Dorsey & Whitney in Denver who specializes in data privacy and technology, said the Colorado AG’s Office is open to public comment to make the CPA stronger.
Chambers said he’s paying close attention to what it will look like for consumers to opt out of sales of data. He added states like Colorado are working on how they can streamline the process of opting out of targeted ads through the use of technology or other functionality within the browser or device.
“I think the biggest challenges really are going to be around ad-supported industries,” Chambers said, adding there are concerns over making up revenue streams without having targeted advertising.
The law is meant for organizations that control or process personal data of 100,000 or more consumers during a year. The law also states it’s meant for entities that get revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the data of 25,000 consumers or more.
“That conceivably could apply, for example … a nonprofit that maybe collects personal data and provides it to somebody else in return for a discount on services,” said Mike Simpson, a senior associate at Wood Smith Henning & Berman. “You don’t necessarily actually have to be deriving a revenue from that sale, from that transfer.”
Simpson went on to say privacy acts like the one in Colorado can be good for business.
“Having some more certainty about what procedures will be in place, what you have to do, I think will be of benefit to business,” said Simpson, who works with issues connected to cybersecurity and data privacy. “Businesses deal with risks … accounting for it all the time and again, I think this is something that will help them be able to better mitigate those risks down the line.”
Proposed Federal Law
A federal data privacy law that has received some bipartisan support has also been introduced in the U.S. House of Representatives. According to the proposed bill, it would establish requirements for how organizations handle personal data and limit the collection, processing and transfer of the data.
It would also create consumer protections including the right to access, delete and correct personal data. It would allow consumers to opt out of targeted advertising as well. The new law would preempt most state laws concerning data privacy.
“It would preempt comprehensive privacy legislation like the Colorado law; it doesn’t preempt everything because … there are a number of much more specific laws in different states that are so focused on a certain area of privacy or security that it wouldn’t impact those,” Spilde said.
Chris Seusing, leader of Wood Smith Henning & Berman’s cybersecurity and data privacy group, added the proposed federal law includes a private right of action with certain qualifications around it. Colorado doesn’t have that.
But why now in Colorado and federally?
“It’s not as though nobody’s really been aware of these issues for the past two or three decades,” Simpson said. “There have been people in Congress and private actors … who have been pushing hard to try and get this kind of legislation passed … it’s sort of reached a critical mass in the last couple years.”
As for businesses, Seusing believes in the long run, a federal privacy law should be beneficial.
“Probably one of the biggest benefits to businesses and why there is I think probably more of a general trend where the businesses are in favor of a federal law, is it provides consistency across the country,” Seusing said.
The federal law still needs to be approved by the U.S. House and Senate. It has been co-sponsored by two Republicans and a Democrat.