Passage of the bill makes Colorado the latest state to implement comprehensive consumer data privacy legislation. While the bill will not go into effect until July 1, 2023, efforts to comply with similar bills like the California Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (CDPA) highlight that planning and implementation should not be delayed.
Background/Legislative History
The continued absence of comprehensive federal privacy legislation has pushed Colorado, as well as other states, to further pursue and enhance state-level privacy laws. In March 2021, SB 21-190 was introduced in the Colorado Senate as a bipartisan effort to create personal data privacy rights across the state. Following in the footsteps of the CCPA and CDPA, the bill seeks to empower “consumers to protect their privacy and [to] require companies to be responsible custodians of their data.”
Under the Colorado bill, local governments are preempted from adopting laws governing the processing of personal data, and the attorney general may provide rules to administer the bill, including technical specifications covering a universal opt-out mechanism. Unlike the enforcement rules of California and Virginia’s consumer data privacy laws, Colorado district attorneys will have enforcement authority.
Consumer Rights
Under the bill, “consumers” are classified as Colorado residents acting only in an “individual or household context,” and not individuals acting in commercial or employment contexts. Consumers will be able to opt out of the processing of personal data, including data processed for the purposes of targeted advertising or the sale of personal data. Mirroring privacy regulations like the GDPR and CCPA, consumers will also be afforded the right to access, correct, delete or obtain a portable copy of their data.
Additionally, “personal data” will cover any information that is “linked or reasonably linkable to an identified or identifiable individual” and will exclude de-identified data and publicly available information. This definition of “personal data” appears to encourage covered organizations to maintain data in anonymized formats, while tracking to existing standards in California and Virginia.
SB 21-190 will also protect “sensitive data,” which is personal data that reveals racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sex orientation, and citizenship, genetic, or biometric data processed to uniquely identify an individual. By creating additional protections for sensitive data, the bill will require controllers to first obtain consumers’ consent before processing sensitive data. Notably, controllers will be obligated to conduct a data protection assessment prior to processing sensitive data.
Compliance with the Consumer Privacy Bill
The Colorado bill will require both nonprofit and for-profit entities to comply. SB 21-190 will apply to any entities that (1) process personal data of 100,000 or more Colorado consumers per year, or (2) that derive revenue or get discounts from selling personal data of 25,000 Colorado consumers or more. The bill defines “sale” as the “exchange of personal data for monetary or other valuable consideration by a controller to a third party.” As a result, sales will exclude the disclosure of personal data for the purposes of providing a product or service requested by the consumer, or the transfer of personal data to processers and affiliates.
Both controllers and processors of data are subject to compliance with SB 21-190. “Controllers” are entities that determine the purposes and means of processing personal data while “processors” are persons that process personal data on behalf of a controller. To facilitate transfers of personal data, the Colorado bill will require controllers to enter into agreements with any entities that process personal data on its behalf and respond to consumers’ requests to delete or modify data. Controllers will also have to conduct data protection assessments prior to processing data in any way that could pose a “heightened risk of harm” to consumers—including data processed for sale, targeting advertising or profiling. Additionally, controllers must provide consumers with “accessible, clear, and meaningful” privacy notices, that disclose a controller’s data collection and sharing practices. Enhancing this requirement, controllers that sell personal data to third parties or process personal data for targeted advertising will be further obligated to conspicuously disclose this information, as well as the processes by which consumers can object to the sale or processing of their data.
In contrast to controllers, SB 21-190 requires that data processors adhere to the instructions of controllers and assist in compliance efforts. Once implemented, full compliance will require controllers and processors to align their processing instructions, the type of data to be processed, as well as the nature, purpose and duration of processing. Additionally, processors must delete or return any personal data as requested, unless data retention is otherwise required.
The Colorado privacy law includes some notable exemptions. Similar to comparable state privacy laws, SB 21-190 exempts some forms of health data including protected health information falling under HIPPA and identifiable private information collected for human subject research. Additional exemptions include personal data collected under the Gramm Leach Bliley Act, the Driver’s Privacy Protection Act, Children’s Online Privacy Protection Act and the Family Educational Rights and Privacy Act.
Similar Legislation in Other States
California and Virginia have each enacted similar privacy legislation in their states, which largely track to the General Data Protection Regulation (GDPR) in Europe. California is also positioned to further expand its data protections with the passage of a second privacy act. The California Privacy Rights Act (CPRA) would effectively replace the CCPA by expanding consumer privacy rights and creating a new privacy agency to implement regulations at the state level. With the continued absence of a federal privacy law in the United States, states like New York and Florida also appear poised to introduce their own privacy acts in the coming legislative sessions.
Next Steps
SB 21-190 echoes the momentum building across the country as multiple states enhance consumer data privacy protections. Covered organizations that have already complied with the CCPA or GDPR may find overlap in compliance obligations with the new Colorado legislation. However, organizations should keep in mind that consumer data privacy laws differ from state to state. As additional states introduce consumer data privacy laws, different standards regarding the scope of data access, portability and deletion may emerge. These nuances signal that organizations should thoroughly understand what each piece of legislation requires for their specific operations.
We would like to thank summer law clerk Gabby Torres for her contribution to this alert.
