Colorado has joined California and Virginia in passing a comprehensive data privacy law that forces companies to make wholesale changes to how they handle people's sensitive information online.
The Colorado Privacy Act, which was signed into law on July 7 by Governor Jared Polis, gives consumers the right to ask companies not to sell their personal information while also giving them access to any data companies have about them. Consumers can also ask companies to delete their data, and the law forces enterprises to ask for consent to hold certain sensitive information like Social Security Numbers, drivers license numbers and more.
While some states have passed narrower laws focused on specific data collection and sale practices, Colorado is considered among experts to be the third state after California and Virginia to pass a commercial privacy law.
In addition to the rights it gives consumers, the act also forces companies to respect opt-out requests submitted on behalf of consumers. The law applies to companies that collect personal data from 100 000 Colorado residents or collect data from 25 000 Colorado residents and derive some revenue from sales.
The law, which takes effect in July 2023, was hailed by experts as a step forward for data privacy in the US, even though many had concerns about a number of loopholes in the bill that companies are already taking advantage of with California's more comprehensive law.
Charles Farina, head of innovation at Adswerve, said it was concerning that the bill did not have a private right to action and noted all of the exemptions -- particularly for non-profits.
"The CPA includes greater fines per violation, but without an overarching federal privacy law, there remain loopholes for gathering first-party data and continued doubt from consumers about the safety of their data," Farina said.
"Legislation like CPA is a step in the right direction, but signals that there is still more work to be done to ensure a transparent exchange of data between consumers and businesses."
Consumer Reports senior policy analyst Maureen Mahoney said the law would need to be strengthened down the road.
Consumer Reports noted that the advertising industry has already used bad-faith interpretations of California's more stringent regulations to claim "that the opt-out doesn't apply to data shared with third parties for targeted advertising."
They added that the Colorado law should have had a provision making sure that consumers will not be charged for exercising their privacy rights.
Tyrone Jeffress, the US information security officer at Mobiquity, added that the law is expected to be more effective than others because it can be enforced by both the Colorado office of the Attorney General as well as local district attorney offices.
"The CPA goes beyond California's by requiring a blocking option for consumers to 'opt-out' of having their personal information shared to create consumer profiles. To ensure compliance with the CPA's heavier guidelines, businesses and organizations must have a deeper understanding of how their data is collected and exactly what it is being used for when targeting new customers and sharing publicly," Jeffress explained.
"I'm thrilled for the residents of Colorado. Ultimately, each new legislation is a win for US consumers and privacy advocates. As businesses start to comply with the law, consumers can expect to see more pop-up notifications on websites disclosing how information is being collected and how that information is used. These disclosures are ubiquitous in Europe and will start to increase across the digital landscape in the US as new privacy regulations come onboard. The good news for consumers is that many of the common privacy rights afforded to EU and California residents will become part of the standard way of engaging with businesses in the US going forward."
Dan Clarke, a data privacy law expert, working with lawmakers in multiple states on their own laws, said the Colorado law resembled the Virginia law and California's CPRA more than the state's CCPA.
"It aligns a little better with GDPR as well. There are two things that I think are pretty big about the law. Number one is the requirement to respect the universal opt-out. Until July 1st, 2023, the attorney general has to provide the technical specifications for that opt-out, and then everybody gets a year actually to abide by it. This is a significant development because now you've got a requirement to abide by what can just be programmed into a browser as a default setting," Clarke explained.
"It can be programmed into your mobile phone as the default setting, and you have to abide by it. I think that will accelerate the industry's adoption and understanding of these universal opt-out signals."
Clarke added that the other major development in the law is the demand for "privacy impact assessments, " forcing companies to assess what kind of data they collect and have.
"If you're releasing a new product, or for example, did a kiosk to take people's temperatures during COVID-19, you have to assess what kind of data you have. How are you using that data? How are you securing it? How long are you going to retain it? What's the risk of it?" Clarke said.
That is a feature of the GDPR and was included in the Virginia law but is largely invalidated due to a bevvy of exemptions. There are almost no exemptions in Colorado's law, meaning companies will have to do impact assessments for any project that collects personal data, Clarke told ZDNet.
New assessments will also need to be done if there are any changes to policies, vendors or staff. Clarke added that there is a one-year lookback period, so data collected at the end of this year will be within scope.
Another key provision is the right to appeal, which Clarke said is unique among the world's data privacy laws. According to Clarke, only the Virginia and Colorado laws allow consumers to appeal a company's decision to refuse your request for your data to be deleted.
If a company refuses to delete your data, you can appeal the decision, and another arm of the company has to look at the decision.
Clarke said any organization complying with California's CCPA and CPRA would be prepared for Colorado's law for companies worried about complying with the laws. Clarke said the biggest issue for those who were not affected by California's laws would be preparing to handle sensitive data like financial information.
"With sensitive data, you have actually to ask for permission. So you have to say, 'I want to opt into allowing you to use it and, in some cases, sell it," Clarke said.
Clarke predicted that New York, Texas and Florida might be the next states to pass data privacy laws, noting that the length of some states' legislative sessions is part of what makes it difficult to pass these kinds of laws. Some states that looked likely to pass their own data privacy laws, like Washington, simply ran out of time because of how controversial the law became locally.
"An important thing about the Colorado law is just the fact that another state piled on. It's kind of surprising that you've got another state that has piled on so quickly, and I honestly think that's the biggest news out of this whole story," Clarke said.
"You've got to deal with another state."