Colorado Politics

Consumer data privacy just one signature away from law, but some fear it doesn’t go far enough

The governor’s signature is all that is left in order to make Colorado the third state to enact what could be the strongest law in the nation around protection of online consumer data.

In the recently concluded session’s waning days, lawmakers gave near-unanimous approval to a bill that would give consumers the right to tell online vendors and other websites “no thanks” to those sites selling or sharing their personal data.

You hear the stories almost daily about hackers or ransomware getting into the systems of companies big and small. According to Analytics India, 2020 saw some of the biggest data breaches in history, including at Twitter, TikTok, Zoom and Nintendo. But it isn’t only online companies; brick-and-mortar businesses, such as the MGM Grand Hotel and Marriott, also saw consumer data stolen by hackers who broke into online systems in 2020.

One solution, according to Senate Bill 190, is not to let companies collect, share or sell consumer data at all.

THE COLORADO PRIVACY ACT: WHAT IT DOES

Senate Bill 190 would be known as the Colorado Privacy Act, and housed within the Colorado Consumer Protection Act. 

Under the bill, any online entity that controls or processes personal data of 100,000 or more consumers per year would have to provide an “opt out” to consumers on whether the company can sell or share any personal data collected.

SB 190 also goes after what’s known as “dark patterns.” In the online world, a dark pattern is a kind of trick that websites use to hide information from consumers, such as how to delete an account or where to find the place to opt out on data collection. The bill states that websites that use “dark patterns” have not obtained consent from consumers if the consumer cannot find the way to opt out.

It also requires consent for collection of “pseudonymous data,” which is personal data that cannot be attributed to a specific person without additional information that is kept separately. For example, when you go to an event and use an online ticket to check in, the barcode has a number that can be traced back to the purchaser. It’s commonly used in marketing, according to the Data and Marketing Association.

The bill provides exemptions for health data, given that personal health information is largely protected by the federal Health Insurance Portability and Accountability Act of 1996.

“This is a sea change in how we handle personal information. It will be a big shift but it’s one that’s long overdue,” according to House sponsor Rep. Terri Carver, a Colorado Springs Republican, who has made data privacy a signature issue during her time in the House. The bill has been two years in the making, she told Colorado Politics.

SB 190 establishes a solid foundation for consumer data privacy in Colorado, Carver said. It will allow the consumer to make the choice on whether or not they want their personal data sold, if it can be used for targeted advertising or used for “consequential profiles,” which refers to a tracking mechanism that shows which websites a consumer visits, or a website where a consumer purchases goods or services and which requires a data profile on the consumer that is then sold or shared.

Carver explained the bill provides other important consumer rights. That includes notifying the consumer about what information the business has, that a consumer can get a copy of that data, as well as the right to correct and delete that personal information.

It also imposes responsibilities on businesses and other entities covered by the bill, such as transparency. If the business does not comply, there is an appeal process to the Attorney General or to a local district attorney who would handle enforcement.

Another key provision of SB 190, according to Carver, is that it requires an “opt in” for sensitive data, such as biometric data. That’s the data that includes body measurements, for example; or facial recognition, even keyboard strokes. The opt-in also applies to data on children and demographic information. All of that goes into effect July 1, 2023. 

But what Carver refers to as the bill’s “shining star” is its provision to enact a global or universal opt-out, which goes into effect on July 1, 2024. That’s the mother lode: one click on a computer or mobile device and personal data cannot be stored, shared or sold by any website or company covered by the bill. That makes Colorado’s law stronger than the data privacy laws in California – where it’s optional – and Virginia, Carver said. “We make it mandatory.”

SB 190 matches technology with true individual control over data, Carver explained. She said all the bill sponsors, which also includes Sen. Paul Lundeen, a Monument Republican, and Rep. Monica Duran, a Wheat Ridge Democrat, “believe strongly in data privacy and are horrified at how late we are, both in Colorado and in the nation, in establishing an effective mechanism for data privacy.”

The longer phase-in for the global opt-out is to give the Attorney General time to do rulemaking, which is due by July 1, 2023, and businesses have an additional year to get their software ready for the global opt-out implementation date in 2024.

During a May hearing on SB 190, Sen. Robert Rodriguez, a Denver Democrat, claimed that 1.7 MB of data is collected on every consumer, every minute. That’s about 2,000 pages of information, Rodriguez told the Senate Business Affairs and Labor Committee.

Colorado’s efforts are the result of years of inaction by Congress to address consumer data privacy, and that’s despite calls going back to at least 2005, even from within the tech industry. As a result, states are now taking action on their own. In 2018, California implemented the strongest consumer privacy law in the nation, known as the California Consumer Privacy Act. Virginia followed suit in March with the Virginia Consumer Data Protection Act. New York is considering similar legislation.

Detractors on both sides

Even with two years’ work, the bill drew opposition from some in the tech world, concerned about some of its provisions going too far, and from consumer groups that said the bill didn’t go far enough.

Cameron Demetre of TechNet, a bipartisan network of technology CEOs, raised concerns about the cost for companies to comply with Colorado’s law. Demetre said California’s law will cost companies some $55 billion; and even for small companies the cost could be $50,000 to comply with the law.

Chris Howes of the Colorado Retail Council also asked for changes during the May Senate committee hearing, including a different implementation date. He pointed out that a Jan. 1, 2023, start date (from the introduced version) comes right in the heart of the holiday shopping season. The bill was eventually amended to begin July 1, 2023.

He also pointed out that some consumer information is tied to loyalty or club card programs, and that could be threatened by the bill. The sponsors amended the bill to address that concern.

Consumer Reports’ Justin Brookman told the committee he was “gratified” to see Colorado take up the issue, and called the bill a “thoughtful starting place.” He backs the idea of requiring companies to ask up front if they can collect data rather than a system, as is set up in the bill, for consumers to opt out of data collection. The opt-out system takes too much time, he said.

Speaking in favor of the bill was Microsoft’s Ryan Harkins, senior director of public policy, who pointed out that Microsoft has been calling for a federal privacy law since 2005.

“While most of the rest of the world is moving ahead [on privacy laws], we support state efforts,” he told the Senate committee. He also encouraged lawmakers not to water down the bill, and applauded the bill’s global opt-out provision. “New, robust laws are needed to address real and serious concerns about privacy and restore public trust in technology,” Harkins said.

Opposition came from the consumer group CoPIRG.

Danny Katz, executive director of the group, told Colorado Politics that even with the numerous amendments applied to the bill, they are still opposed and have asked Gov. Jared Polis to veto it. He said they want the legislature to start over next year with a better bill.

Alison Conwell, a consumer advocate with CoPIRG, told the Senate committee that SB 190 fails to provide consumers with meaningful control over personal information and places too much of the burden on consumers rather than on the companies.

Conwell told Colorado Politics the data ecosystem was developed without consumer input. Companies decided to automatically collect, process and sell data.

“But if we had the choice, we wouldn’t want that automatic collection happening,” she told Colorado Politics. The model that does right by consumers, she said, is consent upfront where the company asks for permission first.

“Would we love to have a pure opt-in, as is the case for sensitive data? Yes,” Carver said, “but we’ve been working on this bill for two years, and trying to establish a solid foundation for data privacy to build on. We are cognizant of [the laws in] Virginia and California, and tried to take what we thought was the best aspects of both of those states’ laws, and tried where we could to add additional and stronger provisions, such as the global opt-out.”

Federal action still needed

Polly Sanderson, legal counsel for the Future of Privacy Forum, said in a statement that the Colorado law is the first in the nation to apply to nonprofit as well as commercial entities, and she applauded many of the bill’s provisions, such as the global opt-out and its prohibition on dark patterns.

The problem is without federal action, she said, there will be growing concerns about interoperability among states. For instance, Sanderson said in the statement, “definitional differences regarding what constitutes sensitive data, pseudonymous data and biometric data may present operational challenges for businesses. Similarly, the scope of access, deletion and other consumer rights differ between Colorado, Virginia and California, creating potential implementation challenges. Finally, the research exemptions of each of these laws differ in their flexibility, consent, and oversight requirements.”

Sanderson added that “although the Colorado Privacy Act contains notable advances that build on California and Virginia – in particular, formalizing a global privacy control, and applying to nonprofit organizations – there continues to be an urgent need for Congress to set federal standards that create baseline nationwide protections for all.”
