That creepy feeling that someone is tracking your every move online was acknowledged this legislative session by lawmakers who overwhelmingly passed the Colorado Privacy Act. It gives residents the right to tell companies to stop collecting their data — and delete any personal data collected.
As more states consider similar privacy measures and companies like Apple crack down on wayward advertisers and app developers, Colorado will become the third state to pass a comprehensive consumer privacy law. Senate Bill 190 now awaits Gov. Jared Polis’ signature.
But even with such bold mandates to give residents more control of their personal data — and giving authority to the state attorney general to enforce it — consumer advocates said the measure could have gone further to protect people. One change allows consumers to universally opt out of ad-based tracking instead of having to make that request for each website or company. But the act also lets advertising companies keep tracking consumers if they ask for consent first.
“That’s one of the reasons we still opposed the bill,” said Allison Conwell, with the Colorado Public Interest Research Group. “You already use your global opt out (but to then) have someone be able to ask you to collect your data? That just shows (opt-in) is possible and that should be the standard.”
Another sore spot was consumers have no right to sue, which is called a private right of action. But that was never in the bill, said bill sponsor Sen. Robert Rodriguez, said after the measure was introduced.
The Denver Democrat said “it would make it hard for me to run this bipartisanly. I had to give up some rights for that, which is how legislation passes here, some compromises.”
The proposal started as a compromise between the interests of consumers and businesses, and it’s based on similar laws passed by two other states. The California law, considered more consumer friendly, isn’t opt-in either. The Virginia law also doesn’t let consumers sue violators.
Amie Stepanovich, executive director of Silicon Flatirons Center at the University of Colorado Law School, is disappointed that the law has “17 blanket exceptions,” including data collected by airlines, telephone companies and others governed by federal or state regulations.
But the state had to start somewhere, she said.
“Any new privacy law is a good thing,” Stepanovich said. “I don’t think this is the end of the story and in fact, if the next legislature wanted to revisit this, there could be some major improvements by just very small tweaks. I don’t want to frame this as a victory and move on. It’s an issue we can continually improve upon.”
The limitations should also keep Coloradans on their toes when it comes to protecting their personal data, she added. Because, at least in the computer security world, it’s always best to be skeptical of rules that may create a false sense of security.
“You don’t want to oversell something,” she said, “and then have somebody believe that they don’t have to question their relationship with companies anymore because now Colorado has a privacy law and everything is going to be OK.”
The Colorado Privacy Act doesn’t apply to all companies or all people. Some highlights:
- Intentionally target Colorado residents
- Store or process personal data on more than 100,000 consumers per calendar year
- Profits in some way from the sale or processing of personal data of at least 25,000 consumers
- Employment records, job applications
- Personal data governed by state or federal laws, such as health or financial information
- De-identified data, or data no longer linked to a specific consumer
- Publicly available data in government records, such as property tax and home ownership records.
What consumers gain:
- Can opt out of having personal data collected, processed or sold that is being used for targeted advertising or profiling purposes
- Access, correct or delete the personal data a company has stored, or get a copy of it free of charge once every 12 months (there could be a charge for a second request within the year).
While the Electronic Frontier Foundation, an organization devoted to defending digital privacy, didn’t take a stand in favor or against the Colorado bill, its legislative director, Lee Tien, said he’s disappointed it didn’t give consumers the right to sue, but he is heartened that the AG’s Office and local district attorneys are empowered to enforce the privacy act.
“The role of enforcement is not merely to make a particular privacy violator stop doing something that is already obviously prohibited; it is potentially generative of new social understandings about privacy and (to be blunt) power as technology changes,” Tien said in an email.
In other words, it gets people talking about privacy.
He pointed to the Biometric Information Privacy Act in Illinois that requires companies collecting fingerprints, facial scans or other biometric data to share how the data will be used. After a 2014 visit to the Six Flags Great America amusement park in Illinois when a then 14-year-old visitor scanned his thumb to get a season pass, his family sued. They weren’t told why it was necessary. There was a lot of coverage of the case. Six Flags lost in court.
Tien said “having public arguments (are) what makes the law and its underlying concepts of privacy ‘live’ in public discourse and to some extent popular culture.”
The final version passed by legislature shifted to a heavier focus on limiting data collection for targeted advertising. Because of that, legal analysts expect consumers will see more banner displays asking people to allow tracking or other data collection.
It also means if a business allows Google or Facebook or other ad networks to put trackers on their websites, the site must offer a way for consumers to opt out of third-party trackers too, said Camila Tobon, an attorney on the legal affairs committee representing the Denver Metro Chamber of Commerce.
“But already, Google is changing the way it does advertising cookies and it’s changing from the third-party cookies to (a) group of cohorts,” she said. “The advertising industry, or the online advertising industry, is already changing and adapting because these requirements aren’t new.”
In the private world, Apple’s latest mobile browser requires companies to ask users to allow their app to track users across other apps and the web. It’s part of Apple’s App Tracking Transparency.
A week after the feature launched, only 4% of U.S. mobile users agreed to be tracked, according to Flurry Analytics, leading to headlines that 96% of U.S. users opt out of tracking. Six weeks later, 7% opted in for tracking.
Businesses must adapt
The pending Colorado measure would take effect July 1, 2023. By then, the attorney general’s office needs to have rules in place to specify what universal opt-out mechanisms can be used. Having that authority to make the rules was the only way Colorado Attorney General Phil Weiser said he would support the bill.
“For our support, we needed rulemaking authority to make sure that if a company said, ‘We’re giving someone the opt-out choice,’ but if the opt out was so misleading or difficult to access that it wasn’t a real opt-out choice, that was not going to cut it,” Weiser said.
It also gives companies 60 days to “cure” or fix the violation, which the Tien at the EFF said undermines any enforcement actions. That right, however, sunsets in 2025.
Weiser called the right for a business to cure “an experiment to look at and decide whether it is a good model, or not a good one.”
For companies that already changed their policies after Europe’s strict General Data Protection Regulation passed in 2016 or California’s California Consumer Privacy Act went into effect last year, the changes required in Colorado should be easy to address.
But other companies? That’s why the state is giving businesses two years to review their procedures, said Tobon, for the Denver Chamber
“If companies weren’t affected by GDPR, if they weren’t subject to CCPA and they haven’t looked at these issues, they’re going to have a really heavy lift,” she said. “Because they’re going to have to understand what personal information they have, what they’re collecting, who they’re collecting it from, how they’re using it (and) for what purpose specifically are they using it, how long are they keeping it, how are they securing it, who are they sharing it with and what are the contracts with (third parties).”
The Colorado bill has pros and cons for both businesses and consumers, said Jason Crosby, a Denver attorney who is certified by the International Association of Privacy Professionals.
Companies that collect and sell personal data for targeting advertising purposes don’t have to stop. They just have to ask permission. And prohibiting consumers from lawsuits obviously lessens the risk of litigation.
But he’s unsure of two expectations for businesses: The bill requires companies to make data protection assessments when activities “present a ‘heightened risk of harm’ to consumers,” and provide “appropriate technical and organizational measures” of security. Defining “risk” and “appropriate” needs clarity from the AG’s office, like in California where then-AG Kamala Harris set a compliance center.
“I would like to see our attorney general do something similar so that businesses have clear guidance,” Crosby said.
As for consumers, they gain more rights in how their data is collected or controlled, but with no ability to sue and relying on the AG’s office for that, this is only as strong as the AG.
“And while the current attorney general cares deeply about this issue and wants to protect the privacy of Colorado citizens, we can’t be sure that his successors will have the same interest in enforcing this law,” Crosby said.
While the Denver Chamber pushed for amending the original bill to exclude employment data — which lawmakers did — Tobon said that data privacy laws are becoming inevitable and companies must figure out how they’re handling customer data. A federal law will likely take its place some day but until then, more companies are opting to default to the stricter rules.
“The fact that it’s focused on consumer data is helpful to consumers,” Tobon said, “but then also for businesses because they can really zero in on the types of activities that they’re going to have to really truly understand.”