Keypoint: The Colorado Senate unanimously passed the Colorado Privacy Act after amending the bill to add back many of the privacy protections previously removed.
On May 26, 2021, the Colorado Senate unanimously passed the Colorado Privacy Act. The bill now moves to the State Assembly. The Colorado legislature is scheduled to close on June 12 so we will know in just a matter of weeks (if not sooner) if Colorado will become the third state to enact broad consumer privacy legislation.
Two House sponsors were added to the bill – Republican Terri Carver and Democrat majority co-whip Monica Dunn. The addition of bipartisan House sponsors perhaps signals that the bill has momentum to pass the House.
Notably, the Senate significantly amended the bill from the version previously passed by the Senate Business, Labor & Technology Committee. As discussed in our May 12 post, the Senate committee had revised many of the bill’s pro-consumer provisions to pro-business provisions. The bill that ultimately passed the Senate (see here) reverted many of those changes. Below is a summary of some of the notable revisions.
Opt In for Collection of Sensitive Data
The bill restores the requirement that controllers obtain consumer consent prior to collecting sensitive data. The Senate committee version had replaced the consent requirement with a notice and opt-out provision.
Modified Definition of “Consent”
The bill defines “consent” to mean a “clear, affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement, such as a written statement, including by electronic means or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data relating to the consumer for a narrowly defined particular purpose.”
Consent does not include (a) “acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information”; (b) “hovering over, muting, pausing, or closing a given piece of content”; and (c) “agreement obtained through dark patterns.”
Dark patterns, which is a new term, is defined as a “user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice.”
Modified Definition of “Sale”
The definition of sale was expanded. It no longer is limited to personal data transferred “for purposes of licensing or selling personal data at the third party’s discretion to additional third parties.”
New Data Processor Contract Requirements
The bill now prescribes certain contractual requirements between controllers and processors similar to the California Privacy Rights Act and Virginia Consumer Data Protection Act.
Enforcement – Sunset of Right to Cure
The Attorney General and district attorneys must still provide an entity notice and allow sixty (60) days to cure any alleged violation, but this provision will sunset on January 1, 2025.
Clear and Conspicuous Opt Out
Controllers that process personal data for purposes of targeted advertising or the sale of personal data must “provide a clear and conspicuous method to exercise the right to opt out of the processing” of such data. Controllers need to present this opt-out method “clearly and conspicuously in any privacy notice required to be provided” by the bill and “in a clear, conspicuous, and readily accessible location outside the privacy notice.”
Universal Opt-Out Mechanism
Effective January 1, 2024, a controller that processes personal data for purposes of targeted advertising or the sale of personal data must allow consumers to exercise the right to opt out of the processing of such processing through a “user-selected universal opt-out mechanism.” The Attorney General’s office is permitted to promulgate regulations for technical specifications for such mechanism by December 31, 2023. The bill sets forth a number of requirements for those regulations.
Modified Right to Deletion
The right to deletion is no longer limited to data “provided to the controller.”
Pseudonymous Data
The bill removes all references to pseudonymous data.
Effective Date
The Colorado Privacy Act would go into effect July 1, 2023.