After Robert Rodriguez got a COVID-19 test last year, he had to log into the testing company’s site to get his results. But to see them, he needed to verify his identity.
“The questions were like, what month was your mother born, which of these four cars did you own when you were younger, what county does this address reside in, which was a rental property I own,” said Rodriguez, a state senator and Denver Democrat. “And I was like, ‘Why do you have this?’ ”
Rodriguez may not remember what he shared with companies long ago, but someone is keeping track of him. Personal data has long been publicly available, assembled from property tax records, marriage records and other public documents. Harder to get, but still out there, is the data held by credit agencies, which store volumes of personal financial history, past employers and home addresses. But with modern technology’s ease of sharing reams of digital information and a commercial market hungry for it, personal data has become easy to capture, share, steal and sell.
Rodriguez wants to give every Coloradan the right to find out what personal data is out there and limit its accessibility with Senate Bill 190, which he co-sponsored with Sen. Paul Lundeen, a Monument Republican.
They’ve been working on it for more than a year and faced compromises between business and consumer privacy groups. But if passed, Colorado would become the third state with a comprehensive consumer data privacy law to let residents tell a company, “Delete my data.”
“This is exactly what this bill is about: the protection of consumers and affording them the rights around the collection, use and disclosure of their data,” Rodriguez said during testimony last week at the bill’s first committee hearing. “This bill puts several guardrails in place for consumers to better understand what data companies have about them, and to give them some control of that data.”
The push for stricter laws to protect consumer data gained momentum after the European Union passed the General Data Protection Regulation in 2016, giving its citizens the right to be forgotten. Two years later, as the Cambridge Analytica data scandal blew up and millions of Facebook users discovered their data was collected without their consent, California became the first state to pass a comprehensive data privacy law. The California Consumer Privacy Act requires companies serving California residents to put a “Do not sell my personal information” link on their sites.
“Each of these has been both a rallying cry for privacy but also a rallying cry for businesses and business models,” said Lee Tien, legislative director and Adams Chair for Internet Rights at the Electronic Frontier Foundation, an organization devoted to defending digital privacy.
Many more states, including Colorado, are now considering their own laws. Colorado’s, which passed unanimously last week in committee, heads to the Senate appropriations committee on Friday.
But passing a law has been complicated, confusing and controversial, even for privacy advocates. San Francisco-based EFF didn’t endorse or oppose the California law because it felt consumers should be asked to opt in to having their data sold — not forced to opt out.
Last year, nearly all proposals in other state legislatures died. This year, nearly half of the 27 bills proposed have already petered out, according to the International Association of Privacy Professionals, or IAPP. Virginia’s Consumer Data Protection Act passed in March and another 14 proposals from 10 states are still being considered.
“There’s the tension of do we want to wait for a more comprehensive privacy bill that really protects people and checks all the boxes of what would be ideal for consumers? Or do we want to get something in place now that isn’t perfect,” said Sarah Rippy, an IAPP Westin Fellow who is based in Denver. “When you talk about what laws are good and what laws are bad, the reason you’re not getting a clear answer is because there isn’t one.”
Colorado’s bill: Too business friendly?
Business groups and consumer advocates have been in a tug of war over data privacy policies. California’s law is touted as the minimum standard for consumer privacy while Virginia’s was modeled after one in Washington state that is considered more business friendly and was supported by Amazon and other tech companies. Washington’s bill just failed for the third straight year.
And here’s where the asterisk comes in.
Colorado’s bill has pieces of both California and Washington but, said Alissa Gardenswartz, an attorney at Brownstein Hyatt Farber Schreck in Denver, “this looks to be particularly business friendly at the moment.”
By that, she means there are exemptions for businesses and extra steps for consumers. California’s law, for example, exempts information protected by the federal Gramm-Leach-Bliley Act, which safeguards sensitive bank and financial data. But Colorado’s bill exempts the entire company — not just the protected data — so as the bill stands, those businesses don’t have to delete personal data, even if a Colorado resident requests it.
Similar to the Washington proposal, Colorado’s bill exempts businesses that collect data on fewer than 100,000 Colorado customers in a calendar year, and businesses that make money off personal data if they have fewer than 25,000 Colorado customers. Data already governed by other state or federal laws, such as employment records, is also exempt.
It’s also opt-out, which means Coloradans must make their request with each company.
Amendments added last week pushed it even more into business-friendly territory, said Amie Stepanovich, executive director of Silicon Flatirons Center at the University of Colorado Law School.
Air carrier companies were exempted because they fall under federal regulations. The right to opt out was narrowed to only include opting out of targeted advertising, sale of data or certain profiling.
“The fact that it’s providing rights to folks … to take action on their data, giving them a right to opt out or right to delete, that’s all wonderful,” Stepanovich said. “But it has some really serious limitations to it that are more business friendly. And with the most recent amendment, those limitations have gotten even more significant.”
She said privacy laws need to shift the obligation of protecting consumer data onto the entities that collect and use it. The bill requires companies to use data only for the purpose for which it was collected, unless the consumer consents to other uses.
“It has a big carve out for consent and we know companies are very good at getting users to consent to things because it’s not always clear what they’re consenting to,” she said.
Some privacy advocates aren’t happy with Colorado’s compromises, which they say favor Big Tech and large companies. (A number of prominent tech firms — including Google, Facebook, Amazon, Microsoft and Adobe — are represented by some of the more than 230 lobbyists tracking this Colorado bill.)
But a key sticking point for consumer advocates is that there is no private right of action, which would give citizens the right to sue companies. The Colorado bill requires the Attorney General’s office to handle enforcement.
“That is one of the big, big, big issues that we’re seeing in privacy (and) people are going, ‘Wait a minute. What is this BS? You’re supposedly passing a consumer privacy law but one of the things you’re really trying to make sure is that nobody can sue you, that you can’t be held accountable,’” said Tien, with EFF. “Nobody should be sure or particularly confident that a state attorney general is actually going to stand up for your privacy rights against a big corporation that is probably promising to help them win another election.”
Colorado’s AG Phil Weiser is still reviewing the proposed bill and hasn’t weighed in.
Rodriguez, the bill’s sponsor, said there was a lot of give and take and he realizes that not everyone is happy with the bill so far — including business groups still planning to push for more amendments.
“We feel we’ve tried to take some of the best pieces of the California bill, the Washington bill and even the Virginia bill to try to get what we call the Colorado bill,” Rodriguez said. “Would we love to have the (Europe’s GDPR privacy law) with an opt in and everything? Sure, but there’s so much stuff ingrained in the United States already, that would be a humongous lift and it would be transformative across the country. I’m not sure that could get through the Colorado legislature.”
Loren Furman, chief lobbyist at the Colorado Chamber of Commerce, called it a complex and technical piece of legislation and credits the bill’s sponsors for trying to address concerns from numerous parties, from tech and telecom, to insurers, retailers, oil and gas, and tourism industries.
She said the business community is most worried about compliance.
“Generally, (businesses) all appreciate the interest of protecting consumers’ confidential information. None of our members are going to say, ‘Yeah, we don’t support the goal of the bill,’” Furman said. “What’s important to them is that they can operate within the confines of the bill.”
The how-to needs to be better addressed, she said, such as how the opt-out rules work or what a company must do to stop information from being shared once a consumer opts out.
“There needs to be some specifics in the bill,” she said. “You never want to leave everything to rulemaking.”
Do privacy laws work?
The California law dates back to 2017 when Alastair Mactaggart, a real estate developer and privacy advocate in San Francisco, self-funded a ballot initiative to stop companies from mining personal data. He withdrew it, but only after the state legislature agreed — and passed — a law addressing his privacy concerns. California’s AB 375 passed unanimously.
But even Mactaggart didn’t think that was enough so he launched another initiative. Proposition 24 passed in November and goes into effect in 2023. Called the California Privacy Rights Act, it offers consumers even more control over their data and created an agency to enforce it, he said.
“It’s early days yet and the new initiative is just so much more protective than the original law,” Mactaggart said. “It lets you blur your location within 250 acres so they can’t track you within that. There’s a new category of sensitive personal information like your race, your ethnicity, your health information, sexual orientation, and it lets you tell a company, ‘Look you cannot use that information unless it’s necessary to give me a product I’m actually asking for.’”
But three years after the original law passed, even Mactaggart has difficulty finding clear messaging on sites for a Californian to request that the company stop selling their personal data.
“I’m a little disappointed so far that the button that you’re supposed to see, ‘Do not sell my information’ … you can’t find it. And the law is crystal clear: It’s supposed to be there,” he said. “I think it’s a work in progress. Some of it is growing pains and some of it is maybe that the rules have not been either promulgated or enforced … But this is a marathon, not a sprint. The whole data economy grew up with basically no regulation on any of your data and now the new stuff will.”
As states consider new privacy bills, businesses are worried about the potential patchwork of numerous state privacy rules. Some companies, including Vail Resorts, already address this in their privacy policies with paragraphs for European and California customers. Vail has a form for California residents. But to request personal data or have it deleted, a consumer must share their name, email, phone number and EPIC Pass ID.
“I do think that absolutely businesses would prefer to have a national data privacy law because while these laws that are getting passed are similar, they have enough small differences that they can make compliance potentially tricky and expensive,” said Gardenswartz, the Brownstein attorney who previously served as the state’s deputy attorney general for consumer protection.
Convercent by OneTrust, a technology company that provides tools to help clients keep track of their compliance with local and global regulations of all kinds, said one approach is to default to the strictest rules. But that’s difficult because new data privacy laws continue to come online. Brazil is expected to start enforcing its new law this month.
OneTrust supports building “a program of trust rather than thinking about it purely from a compliance perspective,” said Alexis Kateifides, lead privacy counsel at OneTrust, which acquired Denver-based Convercent last month. “Technology is always going to evolve the use and ways in which data can be utilized.”
But another concern is that if Colorado passes a more business-friendly law with exemptions, it could contribute to the model for a future federal law.
“What industry has decided is let’s pass a lot of really mediocre state laws (so they) become the template for the federal law,” said Ed Mierzwinski, national consumer protection director for the Colorado Public Interest Research Group. “Congress will be a race to the bottom rather than a race to the top unless we can make sure that some of the good state laws pass and we stop the enactment of these bills that don’t apply to very many companies, that don’t give consumers enforceable real rights, that rely on opt out, not consent, and rely on consumers being forced to go out and read privacy policies.”
Stepanovich, who is following the Colorado bill closely, feels conflicted about whether it’s better to get some sort of privacy law passed now and hope for improved consumer protections later. But she said the language in Colorado’s bill, which included pieces of the Virginia law, will influence others.
“If Colorado passes a law that really impacts and provides strong protections that companies have to respond to, it raises the water level, essentially, for people across the country,” she said. “If they pass something very weak, it will be picked up by other states and potentially be worked into a framework (for) a federal law. … So, it matters outside of Colorado what we’re doing here.”