Keypoint: The Colorado bill mirrors the Virginia Consumer Data Protection Act and Washington Privacy Act but contains some notable differences.
On March 19, 2021, Colorado lawmakers introduced the Colorado Privacy Act (SB21-190).
The bill is similar to Virginia’s Consumer Data Protection Act (VCDPA) and the Washington Privacy Act (WPA) but contains notable differences, including with respect to the scope of its exemptions and the rights it would provide to Colorado residents.
Senator Rodriguez (Democrat) and Senator Lundeen (Republican and minority whip) sponsored the bill, signaling that it has bipartisan support. The bill has been assigned to the Senate’s Business, Labor and Technology Committee, which Senator Rodriguez chairs.
According to the legislative calendar, the deadline for bills to pass out of the Senate is April 7, 2021, which means the bill will have to move quickly.
Below is a general overview of the bill as introduced.
The bill applies to controllers that conduct business in Colorado or produce products or services that are intentionally targeted to residents of Colorado and that (1) control or process the personal data of 100,000 or more consumers during a calendar year and/or (2) derive revenue or receive a discount on the price of goods or services from the “sale” of personal data and process or control the personal data of 25,000 or more consumers. The bill does not contain a monetary threshold for applicability such as the $25,000,000 threshold found in the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
Similar to the VCDPA, the bill defines “consumer” as “an individual who is a Colorado resident acting only in an individual or household context.” The definition does not include “an individual acting in a commercial or employment context.”
The bill also excludes many types of entities and data sets, similar to the VCDPA. For example, the bill excludes financial institutions and affiliates of financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), as well as personal data collected, processed, sold, or disclosed pursuant to that law. In comparison, the CCPA and CPRA only provide a data exemption for GLBA institutions, not an entity exemption.
In addition, the bill includes numerous exemptions related to healthcare organizations, including exemptions for protected health information, patient identifying information, information and documents created for purposes of HIPAA, de-identified information, and information maintained by covered entities and business associates subject to certain conditions.
The bill also does not apply to the processing of personal data by an individual in the course of a purely personal or household activity (a concept borrowed from GDPR).
Similar to the VCDPA and WPA, the bill defines personal data as “information that is linked or reasonably linkable to an identified or identifiable individual.” The definition excludes de-identified and publicly available information.
Notably, the bill defines publicly available to include not only information found in government records but also “information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public or widely distributed media; and information made available to the general public by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.” The definition is broader than the definition of publicly available currently found in the CCPA, although the CPRA will broaden the CCPA definition when it becomes fully operative. The bill’s broad definition of publicly available could encompass information found on social media profiles, such as Facebook and LinkedIn.
The bill grants Colorado residents the following rights with respect to personal data held by controllers (as distinguished from processors):
The rights provided above are interesting insofar as the bill – as currently written – allows Colorado residents to opt out of all processing, not just targeted advertising and sales. Further, a consumer may also authorize another person to opt out on their behalf, but only for targeted advertising and sales.
The right to opt out of all processing is broader than the rights currently provided in the VCDPA, CCPA and CPRA, although it could be argued that the right to deletion reaches a comparable result. Of course, a similar right is found in GDPR Article 21, although that is a qualified right to object to processing.
Controllers must respond to consumer requests within 45 days (the controller can extend the deadline by an additional 45 days). Controllers must establish an internal appeal process for consumers in the event that the controller denies the request.
Notably, the bill does not require controllers to place a “Do Not Sell My Personal Information” or similar link on their websites as the CCPA and CPRA require. Also of note, the bill defines “sale” as “the exchange of personal data for monetary or other consideration by a controller to a third party for purposes of licensing or selling personal data at the third-party’s discretion to additional third parties.” The definition is very similar to the definition of “sale” used in Nevada’s SB220 and is far more restrictive (and business-friendly) than the definitions found in the CCPA, CPRA, and VCDPA.
Similar to the VCDPA and WPA, the bill requires consumers to consent to the collection of sensitive data. The bill defines sensitive data as personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data that may be processed for the purpose of uniquely identifying an individual, and the personal information of a known child.
Data Processing Agreements
The bill requires controllers to enter into data processing agreements with processors for the transfer of personal data. However, the bill only currently provides that the contract must set out “the processing instructions to which the processing is bound.” This is in contrast to the more extensive requirements found in the CPRA and VCDPA.
Data Protection Assessments
Controllers must conduct data protection assessments prior to processing personal data in a manner that creates a “heightened risk of harm to a consumer.” Those activities include, but are not limited to, processing for targeted advertising or profiling, selling personal data, and processing sensitive data.
Unsurprisingly, the bill requires controllers to provide consumers with a “reasonably accessible, clear, and meaningful” privacy notice, which must contain disclosures regarding the controller’s data collection and sharing practices.
Other Controller Duties
In addition to the duties described above, controllers are required to:
The Colorado Attorney General’s office and district attorneys would enforce the bill. As currently written, those offices are not required to provide a warning letter prior to bringing an enforcement action. Violations would be punishable by the civil penalties set forth in C.R.S. 6-1-112. That statute provides for civil penalties of not more than $2,000 for each violation. It also states that a violation “shall constitute a separate violation with respect to each consumer or transaction involved; except that the maximum civil penalty shall not exceed five hundred thousand dollars for any related series of violations.”
There is no private right of action.
If passed, the bill would go into effect on January 1, 2023.