Questions remain as House considers Colorado Privacy Act

Prospects of the Colorado General Assembly passing privacy legislation have been all over the place during the 2021 legislative session. Despite stretches of inaction, Senate Bill 190, the Colorado Privacy Act, has all the momentum now as it passed its first stop with the Colorado House Finance Committee on a 10-1 vote June 2.

The comprehensive bill, which would take effect July 1, 2023, contains thresholds for businesses holding data on more than 100,000 individuals or those earning revenue from the data of more than 25,000 consumers. SB 190 boasts various data subject rights, a broad opt-out consent model, and attorney general rulemaking and enforcement.

The unanimous passage out of the Colorado Senate May 26 was certainly a boost to SB 190’s chances at becoming a law prior to the end of the legislative session June 12, but the more important development was the addition of House sponsors. The bill stood without House backing since the start of the session Jan. 13 before State Reps. Monica Duran, D-Colo., and Terri Carver, R-Colo., stepped up ahead of the bill moving chambers.

“This bill is good for Coloradans and good for businesses,” Duran said during the first portion of the committee meeting, which ended up spanning two days. “It protects the consumers while allowing businesses to maintain current practices with increased transparency.”

Carver added SB 190’s stakeholder process has been ongoing for over a year and “many many changes” have come about, including plenty of flip-flopping between the last two iterations of the bill took on before leaving the Senate. Carver’s belief is that it is “a balanced bill” as currently constituted.

Notable amendments from the Senate that likely helped the bill strike a happy medium and advance, include revised definitions for “consent” and “sale,” opt-in consent for the collection of sensitive data, and user opt-out provisions with a universal opt-out mechanism. The House Finance Committee accepted further amendments during its meeting, including a reintroduction of provisions on psuedonymous data and guarantees preventing a basis for a private right of action. Carver and Duran were unsuccessful in their attempts to pass amendments to revise the definition of biometric data and temporarily remove the definition of “child.”

In her remarks to the committee, Carver was particularly emphatic about the proposed universal opt-out, saying it’s the reason the bill is “the strongest privacy bill” among existing U.S. state privacy laws and proposed bills.

“On your browser, PC or iPhone, you can make a decision one time, press a button one time, to say I don’t want you collecting my data, doing targeted advertising or consequential profiling at all,” Carver said. “Instead of having to do it at each individual business’ website — the situation in other states that have passed this — you will now be able to do this universal opt-out once. The way to protect data privacy is to make it convenient and effective.”

The claim was met with general concerns about Colorado’s proposed opt-out model. Colorado Public Interest Research Group’s Allison Conwell went as far as saying the bill “does not lay the proper foundation” for Colorado’s consumer privacy aspirations.

“It underpins the current system of commercial surveillance and fails to provide consumers with meaningful control over their personal information,” Conwell said. “Instead of requiring companies to get consumers’ permission before using their data, it places the burden on consumers to navigate today’s incredibly complex data ecosystem and take steps to opt out of unwanted uses of information to the limited extent they are allowed to do so.”

Parent Coalition for Student Privacy Co-Chair Cheri Kiesecker called on lawmakers to consider further clarifying some definitions and provisions in the current bill. Specifically, Kiesecker urged revisions to the definition of sale to clearly state exchanges of data “by an operator or data broker to another person,” which likens to Nevada’s law on data sale opt-outs, while also asking to detail instances of “unreasonably burdensome” circumstances that would give companies a reprieve from answering data subject requests.

One aspect of the bill that received mixed reviews was the right to cure, which would allow the Colorado attorney general’s office to issue violators an opportunity to rectify its non-compliance within 60 days to avoid penalty.

“The Washington attorney general’s office actually said the right to cure is an unlimited get-out-of-jail-free card for violators,” Kiesecker said, adding the cure provision ultimately sunk the legislative efforts in Washington. “It also outlined the massive time and expense involved in processing the right to cure, and the money would not be recouped.”

The right to cure may not work for some state legislatures or regulators, but the Colorado attorney general’s office thinks otherwise. Colorado Assistant Attorney General Dalia Topelson Ritvo testified that the office is satisfied with what amounts to a short-term cure provision.

“We thought a cure period might be a good opportunity for companies to work on their compliance programs toward the beginning of the implementation of this bill, but after a period sunset it to ensure compliance is ongoing and companies evolve with the implementation of the law,” Ritvo said, adding that it was a “good compromiseâ€� before allowing the attorney general to enforce against those companies that are “chronically not in compliance.â€�

Ritvo was also probed by State Rep. Marc Snyder, D-Colo., on why passing SB 190 during the current legislative session was a priority as Snyder pointed to various mentions in opposing testimonies about the bill’s flaws and the need to carry the conversation over into 2022.

“Speaking from my personal opinion, it’s a beginning or a start to establish the infrastructure and the rules in order to advance the privacy of the citizens of Colorado,” Ritvo said. “I fear that if we let it lapse, we will not be able to implement any bill whatsoever. … Just knowing the conversations we’ve had with the sponsors and stakeholders, along with stakeholder opinions and the various tensions related to how technology develops to where privacy concerns are advanced, it could get more complicated quicker. You need to start somewhere and it’s better today than tomorrow.”

Photo by Andrew Coop on Unsplash