Senate Bill 190 has, over the past few weeks, passed both the Senate and the House and is now heading to the governor's desk for signature (he is expected to sign). Once signed, Colorado will be the third state to pass a comprehensive data privacy law, and the third state with changes going into effect in the 2023 calendar year.
If signed, and unless a referendum petition is filed prior to enactment, the law will take effect on July 1st, 2023. Several sections modify or repeal portions of the law again in the 2024 and 2025 calendar years, so the obligations change over time rather than landing all at once.
Modeled on the earlier California and Virginia laws, the bill grants Colorado residents certain rights in the name of privacy. Let's take a look at what the bill entails.
Note: I am not a lawyer. This is not legal advice. You are strongly encouraged to seek legal counsel to determine if this applies to your scenario and what responsibilities you may have once enacted. The revised law can be found here.
Some interesting definitions
In law, the terms may be the same from statute to statute, but the definitions often change. For the purposes of this law, here are some standout definitions I felt were worth mentioning.
Consent is always a sticky point in discussing privacy law. For the Colorado law it is worth noting what does not qualify as consent:
- Acceptance of general or broad terms of use or similar documents that contain descriptions of personal data processing along with other unrelated information.
- Hovering over, muting, pausing or closing a given piece of content.
- Agreement of any sort obtained via a dark pattern.
A dark pattern is defined as a user experience designed or manipulated with the substantial effect of impairing the user's decision making or choice.
Identified or identifiable individual means someone who can be readily identified, directly or indirectly, including by reference to an identifier such as a name, an ID number, geolocation data or an online identifier.
Personal data is a tricky one. It is defined as information that is linked or reasonably linkable to an identified or identifiable individual, but it does not include publicly available data, meaning data lawfully made available from federal, state or local government records, or information that the controller has a reasonable basis to believe was lawfully made available to the general public by the consumer.
Profiling is worth mentioning, as it applies to any form of automated processing of personal data to evaluate, analyze or predict personal aspects concerning an individual's economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Sale of data means the exchange of personal data for monetary or other valuable consideration by a controller to a third party. So money does not need to change hands for a transfer to be classified as 'selling' data.
Targeted advertising means displaying an ad to a consumer based on personal data obtained or inferred over time from the consumer's activities across nonaffiliated websites, applications or other online services to predict their preferences or interests. The law goes on to list four examples of what is not included under this definition.
Who does it apply to?
The law covers Colorado residents and applies to legal entities that conduct business in Colorado, or produce products or services that intentionally target Colorado residents, and that either process the personal data of more than 100,000 consumers per year, or derive revenue from the sale of personal data and process the personal data of at least 25,000 consumers.
What rights do consumers gain?
As with the other state laws, consumers gain the ability to opt out of certain processing, and to access, request a copy of, correct and delete data that may have already been collected. The bill goes on to define a data controller as an entity that, alone or jointly with others, determines the purposes and means of processing personal data. A processor, likewise, is an entity that processes personal data on behalf of a controller. This is pretty standard stuff and completely in line with other privacy efforts we have seen to date, both in the states and in the European Union's General Data Protection Regulation.
The controller needs to authenticate (with commercially reasonable effort) the identity of the consumer making a request, but the controller cannot require the consumer to create a new account in order to exercise their rights. It may, however, require the use of an existing account, should one exist.
Opting out, in the context of this law, allows the consumer to opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
The consumer may opt out via a web link, or via technology such as a browser setting, browser extension or global device setting. The technical specification for such a universal opt-out mechanism has to be defined by the attorney general before the requirement to honor it takes effect on July 1st, 2024.
Now the law has an interesting quirk: if the consumer is presented with a prompt for consent and grants consent, that consent takes precedence over any universal opt-out mechanism. I have no idea how this would technically work, but thought it interesting.
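One way a site could reconcile the two signals in code, as an added example that is not part of the original post and not the statute's own specification: it assumes the universal opt-out mechanism arrives as the Sec-GPC: 1 request header (the Global Privacy Control proposal, which the post does not name; the attorney general's actual technical spec was still pending when this was written) and that consent decisions are stored per consumer with a record of how they were obtained, so that agreements captured via broad terms of use, hover/mute/pause/close interactions or dark patterns can be discarded as non-consent per the definitions above.

```python
"""Precedence between a universal opt-out signal and an explicit consent prompt.

Added illustration, not code from the post or the Colorado statute.
Assumption: the universal opt-out signal is the Sec-GPC: 1 header (Global
Privacy Control); the AG's real specification may differ.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Purposes a consumer may opt out of under this law.
OPT_OUT_PURPOSES = {"targeted_advertising", "sale", "profiling"}

# Only an affirmative answer to a dedicated prompt (or a dedicated opt-out
# link) is treated as a genuine choice. The other methods are listed in the
# law as things that do NOT qualify as consent, so records obtained that way
# are ignored entirely.
VALID_CHOICE_METHODS = {"explicit_prompt", "opt_out_link"}
INVALID_CHOICE_METHODS = {"broad_terms_of_use", "hover_mute_pause_close", "dark_pattern"}


@dataclass
class ChoiceRecord:
    purpose: str
    opted_in: bool   # True = consent granted, False = consumer opted out
    method: str      # one of the method strings above


def is_valid_choice(record: ChoiceRecord) -> bool:
    """A stored record only counts if it was obtained through a valid method."""
    return record.method in VALID_CHOICE_METHODS


def has_universal_opt_out(headers: Dict[str, str]) -> bool:
    """Detect the assumed universal opt-out signal (case-insensitive header name)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("sec-gpc", "").strip() == "1"


def may_process(purpose: str, headers: Dict[str, str],
                record: Optional[ChoiceRecord]) -> bool:
    """Decide whether processing for `purpose` may proceed on this request.

    1. A valid, affirmative prompt consent overrides the universal signal.
    2. A valid explicit opt-out is honored even without the signal.
    3. Otherwise the universal signal decides; absent both, processing is
       permitted because these purposes are opt-out, not opt-in.
    """
    if purpose not in OPT_OUT_PURPOSES:
        raise ValueError(f"unknown opt-out purpose: {purpose!r}")
    if record is not None and record.purpose == purpose and is_valid_choice(record):
        return record.opted_in
    # Invalid-method records (dark patterns etc.) fall through as if absent.
    return not has_universal_opt_out(headers)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    gpc = {"Sec-GPC": "1", "User-Agent": "example"}
    plain = {"User-Agent": "example"}
    prompt_yes = ChoiceRecord("targeted_advertising", True, "explicit_prompt")
    dark_yes = ChoiceRecord("targeted_advertising", True, "dark_pattern")
    link_no = ChoiceRecord("sale", False, "opt_out_link")
    print(may_process("targeted_advertising", gpc, None))        # False
    print(may_process("targeted_advertising", gpc, prompt_yes))  # True
    print(may_process("targeted_advertising", gpc, dark_yes))    # False
    print(may_process("sale", plain, link_no))                   # False
```

The important design choice is that a record captured through an invalid method is not merely down-weighted but ignored, so a dark-pattern "consent" can never override a browser-level opt-out signal; a logging layer that stores the capture method alongside each decision is what makes that possible.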
What is specific to this law, and may end up being a larger deal, is that it can be enforced not only by the attorney general (as is the case in California and Virginia) but also by district attorneys. We may end up seeing far more cases as a result.
Notably, the law only applies to persons acting in an individual or household context. It does not apply to commercial, employment or job application contexts.
What do companies need to do?
Companies are required to take 'appropriate' technical and organizational measures to fulfill the obligation to respond to consumer requests to exercise their rights. What is appropriate will likely be defined at a later point by the Colorado Attorney General.
Further, processors are required to help the controller meet its obligations in relation to the security of personal data and the notification of a breach of that security. The processor is also required to conduct and document any data protection assessments required by section 6-1-1309, and must assist in all reasonable audits and inspections required by the controller or its agents.
Processors may only engage a subcontractor after giving the controller an opportunity to object. The subcontractor must meet all obligations of the processor in regard to personal data.
In no event can a controller or processor be relieved of the liabilities imposed on them by virtue of their processing relationship. The law is clear about the conditions under which a processor may also be considered a controller. I strongly recommend a review with legal counsel to determine the status of existing relationships.
Companies that are credit agencies, or that deal with health data, are subject to specific exemptions or additional restrictions as the scenario dictates.
Companies have 45 days to respond to consumer requests, which can be extended by another 45 days where reasonably necessary, provided they inform the consumer of the delay and the reasons for it.
Consumers cannot be charged for the first request in a 12 month period. For additional requests a company can charge an amount based on the formula in section 24-72-205(5)(a).
Companies are not allowed to increase the cost of, or decrease the availability of, a product or service based solely on the exercise of a right under this law.
Should the company decline a request, it must have a process for the consumer to appeal the decision. The company then has 45 days to answer the appeal.
This does not supersede other laws such as the Children's Online Privacy Protection Act of 1998 or the Family Educational Rights and Privacy Act of 1974, amongst others.
Exemptions
The restrictions on controllers and processors under part 13 of the law do not prevent a company from doing the following:
- Complying with legal proceedings or inquiries.
- Conducting internal research to improve, repair or develop products, services or technology.
- Identifying and repairing technical errors that impair existing or intended functionality.
- Performing internal operations that are reasonably aligned with the expectations of the consumer based on the existing relationship.
- Providing a product or service specifically requested by a consumer.
- Protecting the vital interests of the consumer or another person.
- Preventing, detecting, protecting against or responding to security incidents, identity theft, fraud and similar activity.
- Processing personal data for reasons of public interest in the area of public health, although several subsections qualify this condition.
What happens if you fail to comply?
The consumer has the ability to contact the district attorney or attorney general and seek an investigation, and the company must comply with that investigation. If fault is found, a notice to cure may be issued; the company then has 60 days to cure, or an action may be brought against it. The law states that this notice to cure provision is automatically repealed effective January 1st, 2025.
Cases appear to be considered under the provisions of the deceptive trade practices law, and actions including injunctions may be sought on behalf of the state if a violation named in a notice to cure is not corrected, or if no cure is possible. The law preempts all local government law on the subject within the state.
What is the suggested action that should be considered?
A lot is still unknown. The Attorney General is required to:
- By July 1st, 2023, define rules that detail the technical specifications for one or more universal opt-out mechanisms. The law places several restrictions on what this can and cannot include, but final details are pending a statement from the AG's office at a later point in time.
- By January 1st, 2025, the AG may adopt rules that govern the process for opinion letters and develop an operational framework for businesses that includes a good faith reliance defense for conduct that would otherwise constitute a violation. These rules must become effective by July 1st, 2025.
Companies subject to this law will need to develop a plan and the required technology (as defined by the AG) prior to July 1st, 2023. Note that the California and Virginia law changes go into effect in January 2023, so it may be possible to align efforts and minimize rework if you are proactive in determining your responsibilities under each law before making technical or process changes.
Brands are once again strongly advised to review the law with legal counsel. What is clear is that we are soon to be at three of 50 states, and it is no longer possible to ignore that this will likely eventually affect you. It is just a matter of when you will need to comply with privacy law in your specific scenario. Brands should think about how this affects their data collection and marketing strategies and use the next 18 months to make the required changes ahead of the 2023 effective dates.