The Colorado Privacy Act, SB 21-190. You can find the info here, including all the previous iterations. I'll hit the high points but if you want the details you should always go straight to the text:
Lots of definitions. A big one is consent. Specific, unambiguous, informed. Earlier version referenced a "narrowly defined purpose" which was removed before the final. NOT consent: broad policies, exiting a window, agreement through dark patterns (defined elsewhere)
Dark patterns - UI "designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice"
Also "Decisions that Produce Legal or Similarly Significant Effects Concerning a Consumer" may be longest term of art ever
Oh yeah I'm not numbering this thread, sorry folks.

So the definition I'm really confused by...Consumer: "a Colorado resident acting only in an individual or household context"... "DOES NOT INCLUDE AN INDIVIDUAL ACTING IN A COMMERCIAL or employment CONTEXT" (emph mine)
Similar language was also in the VA law. And I assume they mean a business who is a "person" under the Constitution. But a person acting in a commercial context is ... not good language. So I'm not a consumer if I go to the store to buy something? Surely not what was intended.
"Personal Data" is defined to exclude "publicly available info" which likely includes metadata / social media info; has implications for data aggregators.
Controller, Processor, De-Identified Data, Process, Profiling, Pseudonymous Data, terms re: health data are all defined.
sale/sell- excludes affiliates /mergers/bankruptcy transfers. Also excludes personal data "intentionally made available by a consumer to the general public via a channel of mass media" (NFTs?)
Final term with a weird thing: Targeted Ads- doesn't include ads based on activities "w/in a controller's own websites or online applications"

How big is this as a loophole?
Which brings me to applicability...
CPA hits at those who conduct biz in CO or produce/deliver products/services intentionally targeted at CO residents + either
a. controls/processes data of >100,000 consumers/yr OR
b. has some financial connection to sale of personal data and process/ctrls >25,000 consumers/yr
That's baseline. Let's now build on the nearly 7 legislative pages of exceptions.
There are 17 blanket exceptions ("this part does not apply to...")

a-h are health data related
i essentially relates to FCRA
j is tied to personal information
- collected for CO health ins law
- collected pursuant to GLBA or DPPA
- regulated by COPPA or FERPA
k is employment records (remember, already we excluded "employment context" from consumer def'n but ok)
l is all air carriers (ughh)
m securities exchange under SEC
n exempts customer data held by any public utility (incl telephone company or common carrier) or authorities
o is a late add (maybe in a prior version I missed?) exempts data maintained by higher ed or the state
p is more on health data
q is a blanket exempt for any institution covered by GLBA. cf. earlier where it was only data covered by GLBA - this is just a full stop carveout
Then there are the "this isn't what this is meant to do" exemptions.
This law is not meant to stop anyone from complying with law enforcement, prepare for actual OR ANTICIPATED legal claims (emphasis mine and potentially this could be broad), conduct market research, ...
... perform internal ops, provide requested services, protect consumer's "vital interests", stop fraud, or do public health stuff so long as they safeguard consumer rights and it's subject to confidentiality obligations under fed/state/local law (We'll be coming back to this one)
also not meant to interfere with rules of evidence, infringe on protected speech, or apply in course of purely household activity.
Then we have nearly 4 legislative pages of, what I can tell, are very in the weeds provisions on interactions between controllers and processors.

Some good language on security. If you're an in house person, pay attention to pages 18-21.
Phew. Deep breath. We've made it to the "rights in your data" part of this party.

There are 5 rights under the CPA--
Right 1: right to opt out
Specifically, right to opt out of targeted ads, sale of personal data, or "profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer" (henceforth, "profiling")
opt-out has to be clear and conspicuous
This is cool - the bill also calls for a universal opt out, to be available by July 1, 2024. However (always a however), controllers can ask for consent that would take precedence over a person's global opt-out. This seems like it will be pretty prone to abuse.
Right 2- right of access
3- right of correction (takes into account the nature of the personal data)
4- right to deletion ("concerning the consumer")
5- right to data portability (2x/year)
Controllers are not required to comply if they're not able to authenticate a request
A person may appeal a refusal to take action, which a controller has 45 + 60 days (if reasonably necessary, which it will always be if my time doing FOIA is any indication) to respond.
There is no redress available beyond this appeal unless the CO AG Office takes the case
The next section has special considerations if data is considered de-identified, not maintained in identifiable form, or pseudonymous (the weakest limit of the three imo).
We did rights, the flip side is duties, which is often where the real grit is in privacy world. CPA has 7 duties for controllers.
Duty 1- Transparency. This one is a bit lame. Requires a privacy notice + info on exercising rights. However, rather than specifics the following can be listed in "categories":
-personal data collected
-purposes for processing
-data shared w/ 3rd parties
-3rd parties
Somehow too little information for NGOs to do real scrutiny and too much for people to meaningfully engage with the data.
Also must say if the controller sells info or processes personal data for targeted ads and how to opt out. This one is good and hopefully we'll get good data on people acting.
Until late in the game this part had language allowing controllers to offer different levels of service or pricing based on if someone had opted out. That text was removed so now different service tiers can only be offered on participation in a loyalty program. HUGE win that was.
Duty 2 is purpose specification- express purposes for which data are collected and processed (but compare the duty of transparency which only requires categories).
Duty 3 is data minimization- collection must be adequate, relevant, and limited to what is reasonably necessary
Duty 4 is a duty to avoid secondary use- uses must be reasonably necessary to or compatible with specified purposes, but consent can be obtained for more.
Duty 5 is a duty of care, largely built around reasonable security measures, appropriate to the nature of the personal data.
Duty 6 is to avoid unlawful discrimination. A duty to not break the law is ... something. This could have done more.
And Duty 7 is re: sensitive data- consent is necessary for sensitive data
The law starts to wrap up with a requirement for controllers to conduct a data protection assessment for processing activities that "present[] a heightened risk of harm to a consumer," which is defined based on risk of injury to consumers
These assessments have to be made available to the AG, but only upon request. However, they are totally exempt from public inspection/open records laws, so no one else will get to see them.
In the last 7 pages of legislative text, in case you didn't figure it out already, there is not one but 2 separate provisions explaining that the CPA definitely absolutely does not contain a private right of action. The AG's office is the way that this law will be enforced.
Here we get to the part where the state law preempts any local, municipal, city, etc law in Colorado related to processing of personal data. Which is interesting given the law earlier specifically references local laws on public health research (I told you we'd come back to that)
Blanket preemption like this is bad. Local law has done some really cool, innovative things across the country. "Smart" cities are coming, esp in a place as tech-focused as Colorado, and this provision guts the ability of our local governments to respond to emergent tech. Shame.
Then we have some provisions allowing/requiring regulations from the CO AG's office related to the provisions of the law.
We get authorities for the CO AG's office and the DA's to investigate and pursue violations. The law does give controllers a limited opportunity to cure violations upon notice from the AG or a DA, but that provision is built with a sunset on Jan 1, 2025.
I think that's about all. Once signed the bill is set to take effect on July 1, 2023. Mark your calendars.

My take is that there is some good stuff here. But as I hope I've shown, I really don't think this is the gold standard and I hope we keep seeing better from other states.

Thread by Amie Stepanovich