Colorado recently become the latest state to consider a comprehensive consumer privacy law. On March 19, 2021, Colorado State Senators Rodriguez and Lundeen introduced SB 21-190, entitled “an Act Concerning additional protection of data relating to personal privacy”. Following California’s bold example of the California Consumer Privacy Act (“CCPA”) effective since January 2020, Virginia recently passed its own robust privacy law, the Consumer Data Protection Act (“CDPA”), and New York, as well as other states, like Florida, appear poised to follow suit. Furthermore, California is expanding protections provided by the CCPA, with the California Privacy Rights Act (CPRA) – approved by California voters under Proposition 24 in the November election.
Unsurprisingly, Colorado’s SB 21-190 generally tracks the CCPA, CPDA, CPRA and the EU General Data Protection Regulation (GDPR). Key elements of the Colorado bill include:
- Jurisdictional Scope. SB 21-190 would apply to legal entities that conduct business or produce products or services that are intentionally targeted to Colorado residents and that either:
- Control or process personal data of more than 100,000 consumers per calendar year; or
- Derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.
- Exemptions. SB 21-190 includes various exemptions related to healthcare entities and health data, such as protected health information under HIPAA, patient identifying information maintains by certain substance abuse treatment facilities, and identifiable private information collected in connection with human subject research. Additional exemptions include without limitation personal data collected for the purposes of the Gramm Leach Bliley Act (GLBA), Driver’s Privacy Protection Act (DPPA), Children’s Online Privacy Protection Act (COPPA), Family Educational Rights Act and Privacy Act. Finally, data maintained for employment records purposes are exempted as well.
- Personal Data. Similar to its counterparts, Colorado’s SB 21-190 broadly defines personal data to mean “information that is linked or reasonably linkable to an identified or identifiable individual.”
- Sensitive Data. Like the CPDA, CPRA and GDPR, SB 21-190 includes a category for “sensitive data”. This is defined as “personal data revealing racial or ethical origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status OR genetic or biometric data that may be processed for the purpose of uniquely identifying an individual OR personal data from a known child”. As with Virginia’s CPDA, there are two key compliance obligations related to “sensitive data”. First, sensitive data cannot be processed without obtaining consumer consent, or in the case of a known child or student, without obtaining consent from a parent or lawful guardian. Second, the controller must conduct and document a data protection assessment specifically for the processing of sensitive data.
- Protected Persons. SB 21-190 defines “consumer” as an “individual who is a Colorado resident acting only in an individual or household context”. The Colorado bill states that the definition of consumer does not include “an individual acting in a commercial or employment context”.
- Consumer Rights. Under SB 21-190, consumers have the right to opt out of the processing of their personal data; access, correct, or delete the data; or obtain a portable copy of the data.
- Data Protection Assessments. Akin to Virginia’s CPDA, the Colorado bill requires data controllers to conduct a data protection assessment for each of their processing activities involving personal data that presents a heightened risk of harm to consumers, such as processing for purposes of targeted advertising or processing sensitive data (as mentioned above).
- Enforcement. If enacted, SB 21-190 would only be enforceable by the Colorado attorney general or district attorneys. A violation of law could result in a civil penalty of not more than $2,000 for each such violation (not to exceed $500,000 for any related series of violations), or injunction.
Colorado’s SB 21-190 is in the early stages of the legislative process, still it signals the continued momentum building in states across the country to enhance consumer data privacy and security protections. Organizations, regardless of their location, should be carefully assessing their data collection activities, developing policies and procedures to address their evolving compliance obligations and data-related risks, and training their workforce on effective implementation of those policies and procedures.