It’s only April, but 2023 has already been a big year for new and evolving data privacy legislation. In January, the California Privacy Rights Act took effect, expanding and clarifying the rights and obligations within the California Consumer Privacy Act. In addition, exceptions for business-to-business and employee and applicant data expired, ushering in new requirements and broadening the reach of the California laws. At the same time, the second major state data privacy law – the Virginia Consumer Data Protection Act – took full effect.
On July 1, the Colorado Privacy Act and the Connecticut Data Privacy Act will take effect, followed shortly by the Utah Consumer Privacy Act. That doesn’t even cover the new data privacy legislation recently passed in Iowa and Indiana, which we’ll review in future posts.
It can be daunting for consumers and business leaders alike to digest the alphabet soup of emerging data privacy legislation. Many businesses are still recovering from a big push to update consumer disclosures and implement procedures to address their new obligations in California and Virginia. But businesses cannot stop now. With the recent publication of regulations by the Colorado Attorney General’s Office, there is no better time for businesses to review existing disclosures and procedures to confirm compliance with the Colorado law.
Gov. Jared Polis (D) signed Senate Bill 190 into law in July 2021. The Colorado law applies to businesses (called “controllers” in the statute) that collect personal data from more than 100,000 Colorado residents or that collect data from 25,000 or more consumers and derive revenue or receive a discount on goods or services from the sale of that data.
Businesses should confirm that they are making appropriate disclosures to consumers in privacy notices. Importantly, the Colorado law requires businesses to limit data collection and retention of data, which means that businesses must have strong data retention practices. Moreover, Colorado requires businesses to respond in a timely manner to consumer requests to exercise rights of access, correction, deletion, data portability, and opt-outs for certain transactions.
The recently published regulations address a few areas of the law that may be less familiar, including the following:
- Profiling: The CPA and regulations have restrictions and consent requirements on automated processing that evaluates, analyzes, or predicts an individual’s economic situation, health, personal preferences, interests, or behavior.
- Data Protection Assessments: The CPA requires controllers to conduct a a Data Protection Assessment before processing that presents a “heightened risk of harm” to Colorado residents.
- Universal opt-out mechanisms: The CPA and its regulations establish the standards for Universal Opt-Out Mechanisms that will be recognized by the Colorado Department of Law, and require controllers to respect opt-outs from any compliant Universal Opt-Out Mechanism.
Businesses subject to the CPA should keep in mind that, in addition to certain opt-out requirements, the law also requires that controllers obtain a consumer’s freely given, specific, informed, and unambiguous consent via a clear, affirmative act before collecting or processing certain sensitive personal data (such as data that reveals race or ethnicity, religious beliefs, a mental or physical health condition or diagnosis, sexual orientation or sex life, citizenship or citizenship status, or genetic or biometric data).
We will continue to keep you up to date on new data privacy laws, whether your state will be affected, and interpretations of the laws.
