Colorado lawmakers on March 19 introduced a data privacy rights bill that would give consumers the right to opt out of having their personal information processed by businesses and other entities.
If passed, the proposal would put Colorado in the company of states such as California, Virginia and Nevada, which have enacted comprehensive consumer data privacy laws. Lawmakers in several other states, including New York, Washington and Florida, have introduced data privacy bills in recent months.
Many elements in Colorado’s SB21-190 will be familiar to businesses that are already used to complying with the California Consumer Privacy Act or the European Union’s General Data Protection Regulation. Similar to laws elsewhere, SB21-190 would give consumers the right to access, correct, delete and obtain copies of the personal data companies collect from them.
Like the GDPR, it would also require companies to conduct data protection assessments for data processing activities that pose a heightened risk to consumers. Under SB21-190, those activities would include processing sensitive data, selling personal data and processing data for targeted advertising.
The bill defines personal data as any information linked to or “reasonably linkable to” an individual. Davis Graham & Stubbs attorney Camila Tobón noted that while this broad definition is “relatively new” in the U.S., where federal data protections have been limited to certain types of information such as health data or information collected by financial institutions, the CCPA and its successor, the California Privacy Rights Act, and the recently passed Virginia Consumer Data Protection Act also define personal data broadly.
SB21-190 would not protect data collected from individuals acting in a commercial or employment context. “It’s not going to apply in the business-to-business context, which is the standard that we have seen throughout most of these laws,” said Ballard Spahr partner Greg Szewczyk.
But the Colorado bill is unique in a few key ways. It would allow a consumer to opt out of all personal data processing, which includes collection and use of the data. Current and proposed laws in other states allow consumers to opt out of the sale of data or the sharing of data for certain purposes, such as targeted advertising. “The Colorado [bill] doesn’t have those qualifiers or limitations. It’s just the right to opt out of all personal data processing,” Tobón said.
SB21-190 would apply to companies that either control or process the personal data of more than 100,000 consumers. It would also apply to companies that derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers. According to Szewczyk, this second threshold differs from what has been proposed or enacted in other states, where companies that sell data are subject to the law only if they derive a certain percentage of their revenue, typically 50%, from personal data sales and control data of a certain number of consumers.
According to the attorneys, there are two models that have emerged in U.S. data privacy law: one based on California’s laws and the other exemplified by Virginia’s CDPA. The Virginia law was inspired by the Washington Privacy Act, Tobón said, which was initially proposed in 2019 but has yet to be approved by the state’s legislature.
The attorneys say the Colorado bill most closely follows the Virginia-Washington model. For example, Tobón said, SB21-190 shares key terminology used in the Virginia law and the GDPR, which define the obligations of data “controllers” and “processors.” The California laws define responsibilities of “businesses,” “service providers,” “third parties” and “contractors.”
“You have all these different types of entities in the mix,” said Tobón, adding that it is easier for companies to understand the controller-processor distinction than the various categories in the CCPA and CPRA.
Szewczyk said another difference between the models is that companies are subject to California’s laws if they have $25 million in gross revenues, regardless of whether they meet the thresholds for data sales or how many consumers’ data they possess. “The California model was sweeping in every company that does $25 million in annual gross globally,” he said, “whereas the Virginia model doesn’t have that.”
If SB21-190 passes, it would take effect Jan. 1, 2023. Tobón noted the date is a big one in data privacy law; California’s CPRA, which amends the CCPA, and Virginia’s CDPA are also set to go into effect then.
To prepare for the new laws, attorneys recommended companies do a thorough data inventory and data map to understand what information they have, who they’re collecting it from, why they have it and how they’re using it.
“In [the Colorado bill] and other laws, there are data minimization requirements that you only collect what is reasonably necessary for the purpose that you’re collecting for,” Szewczyk said. “Just making sure that you have your arms around what data you have, and why you’re collecting it, can take a big step towards making compliance a lot easier down the road.”
Szewczyk said he’s helping clients identify the “lowest common denominator” for complying with current and proposed laws, which varies from business to business but tends to be a combination of the strictest elements of the GDPR, the CPRA and Virginia’s CDPA.
While 2023 may feel distant, Tobón said, data and process inventories take a lot of time and resources. “Even if you need the impetus of a specific law in Colorado to get you going,” she said, “I wouldn’t wait until December 2022 to start figuring out how you’re going to comply.”
“Even if this bill doesn’t get passed, eventually there may be other laws. There may be a federal law,” she said. “Everything is going in that direction of transparency and accountability and consumer control over their personal information.”