The Colorado Privacy Act, SB 21-190. You can find the info here, including all the previous iterations. I'll hit the high points but if you want the details you should always go straight to the text: leg.colorado.gov/bills/sb21-190.
Lots of definitions. A big one is consent. Specific, unambiguous, informed. Earlier version referenced a "narrowly defined purpose" which was removed before the final. NOT consent: broad policies, exiting a window, agreement through dark patterns (defined elsewhere)
Dark patterns - UI "designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice"
Also "Decisions that Produce Legal or Similarly Significant Effects Concerning a Consumer" may be longest term of art ever
Also "Decisions that Produce Legal or Similarly Significant Effects Concerning a Consumer" may be longest term of art ever
Oh yeah I'm not numbering this thread, sorry folks.
So the definition I'm really confused by...Consumer: "a Colorado resident acting only in an individual or household context"... "DOES NOT INCLUDE AN INDIVIDUAL ACTING IN A COMMERCIAL or employment CONTEXT" (emph mine)
So the definition I'm really confused by...Consumer: "a Colorado resident acting only in an individual or household context"... "DOES NOT INCLUDE AN INDIVIDUAL ACTING IN A COMMERCIAL or employment CONTEXT" (emph mine)
Similar language was also in the VA law. And I assume they mean a business who is a "person" under the Constitution. But a person acting in a commercial context is ... not good language. So I'm not a consumer if I go to the store to buy something? Surely not what was intended.
"Personal Data" is defined to exclude "publicly available info" which likely includes metadata / social media info; has implications for data aggregators.
Controller, Processor, De-Identified Data, Process, Profiling, Pseudonymous Data, terms re: health data are all defined.
Controller, Processor, De-Identified Data, Process, Profiling, Pseudonymous Data, terms re: health data are all defined.
sale/sell- excludes affiliates /mergers/bankruptcy transfers. Also excludes personal data "intentionally made available by a consumer to the general public via a channel of mass media" (NFTs?)
Final term with a weird thing: Targeted Ads- doesn't include ads based on activities "w/in a controller's own websites or online applications"
How big is this as a loophole?
pretty-woman-shopping.gif
How big is this as a loophole?
pretty-woman-shopping.gif
Which brings me to applicability...
CPA hits at those who conducts biz in CO or produces/delivers products/services intentionally targeted at CO residents + either
a. controls/processes data of >100,000 consumers/yr OR
b. has some financial connection to sale of personal data and process/ctrls >25,000 consumers/yr
a. controls/processes data of >100,000 consumers/yr OR
b. has some financial connection to sale of personal data and process/ctrls >25,000 consumers/yr
That's baseline. Let's now build on the nearly 7 legislative pages of exceptions.
There are 17 blanket exceptions ("this part does not apply to...")
1-10:
a-h are health data related
i essentially relates to FCRA
j is tied to personal information
- collected for CO health ins law
- collected pursuant to GLBA or DPPA
- regulated by COPPA or FERPA
1-10:
a-h are health data related
i essentially relates to FCRA
j is tied to personal information
- collected for CO health ins law
- collected pursuant to GLBA or DPPA
- regulated by COPPA or FERPA
11-14:
k is employment records (remember, already we excluded "employment context" from consumer def'n but ok)
l is all air carriers (ughh)
m securities exchange under SEC
n exempts customer data held by any public utility (incl telephone company or common carrier) or authorities
k is employment records (remember, already we excluded "employment context" from consumer def'n but ok)
l is all air carriers (ughh)
m securities exchange under SEC
n exempts customer data held by any public utility (incl telephone company or common carrier) or authorities
15-17:
o is a late add (maybe in a prior version I missed?) exempts data maintained by higher ed or the state
p is more on health data
q is a blanket exempt for any institution covered by GLBA. cf. earlier where it was only data covered by GLBA - this is just a full stop carveout
o is a late add (maybe in a prior version I missed?) exempts data maintained by higher ed or the state
p is more on health data
q is a blanket exempt for any institution covered by GLBA. cf. earlier where it was only data covered by GLBA - this is just a full stop carveout
Then there are the "this isn't what this is meant to do" exemptions.
This law is not meant to stop anyone from complying with law enforcement, prepare for actual OR ANCITIPATED legal claims (emphasis mine and potentially this could be broad), conduct market research, ...
This law is not meant to stop anyone from complying with law enforcement, prepare for actual OR ANCITIPATED legal claims (emphasis mine and potentially this could be broad), conduct market research, ...
... perform internal ops, provide requested services, protect consumer's "vital interests", stop fraud, or do public health stuff so long as they safeguard consumer rights and it's subject to confidentiality obligations under fed/state/local law (We'll be coming back to this one)
also not meant to interfere with rules of evidence, infringe on protected speech, or apply in course of purely household activity.
Then we have nearly 4 legislative pages of, what I can, are very in the weeds provisions on interactions between controllers and processors.
Some good language on security. If you're an in house person, pay attention to pages 18-21.
Some good language on security. If you're an in house person, pay attention to pages 18-21.
Phew. Deep breath. We've made it to the "rights in your data" part of this party.
There are 5 rights under the CPA--
There are 5 rights under the CPA--
Right 1: right to opt out
Specifically, right to opt out of targeted ads, sale of personal data, or "profiling in furtherance of decisions that produce legal or similarly significant effects concerns a consumer" (henceforth, "profiling")
opt-out has to be clear and conspicuous
Specifically, right to opt out of targeted ads, sale of personal data, or "profiling in furtherance of decisions that produce legal or similarly significant effects concerns a consumer" (henceforth, "profiling")
opt-out has to be clear and conspicuous
This is cool - the bill also calls for a universal opt out, to be available by July 1, 2024. However (always a however), controllers can ask for consent that would take precedence over a person's global opt-out. This seems like it will be pretty prone to abuse.
Right 2- right of access
3- right of correction (takes into account the nature of the personal data)
4- right to deletion ("concerning the consumer")
5- right to data portability (2x/year)
Controllers are not required to comply if they're not able to authenticate a request
3- right of correction (takes into account the nature of the personal data)
4- right to deletion ("concerning the consumer")
5- right to data portability (2x/year)
Controllers are not required to comply if they're not able to authenticate a request
A person may appeal a refusal to take action, which a controller has 45 + 60 days (if reasonably necessary, which it will always be if my time doing FOIA is any indication) to respond.
There is no redress available beyond this appeal unless the CO AG Office takes the case
There is no redress available beyond this appeal unless the CO AG Office takes the case
The next section has special considerations if data is considered de-identified, not maintained in identifiable form, or pseudonymous (the weakest limit of the three imo).
We did rights, the flip side is duties, which is often where the real grit is in privacy world. CPA has 7 duties for controllers.
Duty 1- Transparency. This one is a bit lame. Requires a privacy notice + info on exercising rights. However, rather than specifics the following can be listed in "categories":
-personal data collected
-purposes for processing
-data shared w/ 3rd parties
-3rd parties
-personal data collected
-purposes for processing
-data shared w/ 3rd parties
-3rd parties
Somehow too little information for NGOs to do real scrutiny and too much for people to meaningfully engage with the data.
Also must say if the controller sells info or processes personal data for targeted ads and how to opt out. This one is good and hopefully we'll get good data on people acting.
Until late in the game this part had language allowing controllers to offer different levels of service or pricing based on if someone had opted out. That text was removed so now different service tiers can only be offered on participation in a loyalty program. HUGE win that was.
Duty 2 is purpose specification- express purposes for which data are collected and processed (but compare the duty of transparency which only requires categories).
Duty 3 is data minimization- collection must be adequate, relevant, and limited to what is reasonably necessary
Duty 3 is data minimization- collection must be adequate, relevant, and limited to what is reasonably necessary
Duty 4 is a duty to avoid secondary use- uses must be reasonably necessary to or compatible with specified purposes, but consent can be obtained for more.
Duty 5 is a duty of care, largely built around reasonable security measures, appropriate to the nature of the personal data.
Duty 5 is a duty of care, largely built around reasonable security measures, appropriate to the nature of the personal data.
Duty 6 is to avoid unlawful discrimination. A duty to not break the law is ... something. This could have done more.
And Duty 7 is re: sensitive data- consent is necessary for sensitive data
And Duty 7 is re: sensitive data- consent is necessary for sensitive data
The law starts to wrap up with a requirement for controllers to conduct a data protection assessment for processing activities that "present[] a heightened risk of harm to a consumer," which is defined based on risk of injury to consumers
These assessments have to be made available to the AG, but only upon request. However, they are totally exempt from public inspection/open records laws so...no one else will get to see them.
In the last 7 pages of legislative text, in case you didn't figure it out already, there is not one but 2 separate provisions explaining that the CPA definitely absolutely does not contain a private right of action. The AG's office is the way that this law will be enforced.
Here we get to the part where the state law preempts any local, municipal, city, etc law in Colorado related to processing of personal data. Which is interesting given the law earlier specifically references local laws on public health research (I told you we'd come back to that)
Blanket preemption like this is bad. Local law has done some really cool, innovative things across the country. "Smart" cities are coming, esp in a place as tech-focused as Colorado, and this provision guts the ability of our local governments to respond to emergent tech. Shame.
Then we have some provisions allowing/requiring regulations from the CO AG's office related to the provisions of the law.
We get authorities for the CO AG's office and the DA's to investigate and pursue violations. The law does give controllers a limited opportunity to cure violations upon notice from the AG or a DA, but that provision is built with a sunset on Jan 1, 2025.
I think that's about all. Once signed the bill is set to take effect on July 1, 2023. Mark your calendars.
My take is that there is some good stuff here. But as I hope I've shown, I really don't think this is the gold standard and I hope we keep seeing better from other states.
My take is that there is some good stuff here. But as I hope I've shown, I really don't think this is the gold standard and I hope we keep seeing better from other states.
/fin.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
