Passage of the bill makes Colorado the latest state to enact comprehensive consumer data privacy legislation. Although the bill does not take effect until July 1, 2023, experience complying with similar laws such as the California Consumer Privacy Act (CCPA) and Virginia's Consumer Data Protection Act (CDPA) shows that planning and implementation should not be delayed.
Legislative background / history
The continued lack of comprehensive federal privacy legislation has prompted Colorado, along with other states, to pursue and strengthen state-level privacy laws. In March 2021, SB 21-190 was introduced in the Colorado Senate as part of a bipartisan effort to create statewide privacy rights for personal data. Following in the footsteps of the CCPA and the CDPA, the bill seeks to empower "consumers to protect their privacy and [to] require companies to be responsible custodians of their data."
Under the Colorado bill, local governments are preempted from passing laws governing the processing of personal data, and the attorney general may adopt rules for administering the bill, including technical specifications for a universal opt-out mechanism. Unlike California and Virginia, where enforcement rests with the attorney general alone, Colorado also gives district attorneys the power to enforce the law.
Under the bill, "consumers" are Colorado residents acting only in an "individual or household context", not individuals acting in a commercial or employment context. Consumers may opt out of the processing of their personal data for purposes such as targeted advertising or the sale of personal data. Mirroring privacy regimes such as the GDPR and the CCPA, consumers will also have the right to access, correct, delete, or obtain a portable copy of their data.
In addition, "personal data" will cover any information "linked or reasonably linkable to an identified or identifiable individual" and will exclude de-identified data and publicly available information. This definition of "personal data" gives covered organizations an incentive to keep data in de-identified form, and it is consistent with the existing standards in California and Virginia.
SB 21-190 will also protect "sensitive data", meaning personal data that reveals racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status, as well as genetic or biometric data processed for the purpose of uniquely identifying an individual. By creating additional protections for sensitive data, the bill will require controllers to obtain consumer consent before processing it. In addition, controllers will be required to carry out a data protection assessment before processing sensitive data.
Compliance with the consumer data privacy bill
Colorado's bill will require both nonprofit and for-profit entities to comply. SB 21-190 will apply to all entities that conduct business in Colorado or target Colorado residents and that either (1) process the personal data of 100,000 or more Colorado consumers per year, or (2) derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more Colorado consumers. The bill defines "sale" as "the exchange of personal data for monetary or other valuable consideration by a controller to a third party". Accordingly, a sale does not include disclosing personal data to a third party for the purpose of providing a product or service requested by the consumer, or transferring personal data to processors or affiliates.
Both controllers and processors must comply with SB 21-190. "Controllers" are entities that determine the purposes and means of processing personal data, while "processors" are persons that process personal data on behalf of a controller. The Colorado bill will require controllers to enter into contracts with every entity that processes personal data on their behalf, and to respond to consumer requests to access, correct, or delete data. Controllers will also need to conduct data protection assessments before processing data in any way that presents a "heightened risk of harm" to consumers, including processing for sale, targeted advertising, or profiling. Additionally, controllers must provide consumers with "reasonably accessible, clear, and meaningful" privacy notices that disclose the controller's data collection and sharing practices. Reinforcing this requirement, controllers that sell personal data to third parties or process personal data for targeted advertising must clearly and conspicuously disclose that fact, along with the manner in which consumers may opt out of the sale or processing of their data.
Processors, for their part, must follow the controller's instructions and assist the controller in meeting its obligations under SB 21-190. The contract between controller and processor must set out the processing instructions, the type of data to be processed, and the nature, purpose, and duration of the processing. In addition, processors must delete or return all personal data at the controller's request once the services end, unless retention of the data is required by law.
Colorado's privacy law has some notable exemptions. Like comparable state privacy laws, SB 21-190 exempts certain forms of health data, including protected health information governed by HIPAA and identifiable private information collected as part of human subjects research. Additional exemptions cover personal data regulated under the Gramm-Leach-Bliley Act, the Driver's Privacy Protection Act, the Children's Online Privacy Protection Act, and the Family Educational Rights and Privacy Act.
Similar legislation in other states
California and Virginia have each enacted similar privacy legislation, which largely tracks the European Union's General Data Protection Regulation (GDPR). California is also set to expand its data protections further with a second privacy law: the California Privacy Rights Act (CPRA), approved by voters in November 2020, amends and expands the CCPA by broadening consumers' privacy rights and creating a new state privacy agency to enforce the rules. With the continued absence of a federal privacy law in the United States, states such as New York and Florida also appear poised to introduce their own privacy laws in upcoming legislative sessions.
SB 21-190 reflects the momentum building across the country as several states strengthen consumer data privacy protections. Covered organizations that already comply with the CCPA or the GDPR will find significant overlap with their obligations under the new Colorado law. Organizations should keep in mind, however, that consumer data privacy laws differ from state to state. As more states introduce such laws, differing standards for the scope of data access, portability, and deletion rights are likely to emerge. These differences mean that organizations need to understand exactly what each law requires of their specific operations.
We would like to thank summer legal assistant Gabby Torres for her contribution to this alert.