Key point: The Colorado Privacy Act passed unanimously out of committee last week, but not before lawmakers revised many of its pro-consumer provisions to be pro-business.

On May 5, 2021, the Colorado Senate Business, Labor & Technology Committee unanimously passed the Colorado Privacy Act. The bill was sent to the Senate Appropriations Committee where it is scheduled for a May 14 hearing.

Before passing the bill, the Senate Committee accepted a number of amendments that changed many of the bill’s pro-consumer privacy provisions in favor of pro-business provisions. As it stands, the bill appears to be an even more business-friendly version of the Virginia Consumer Data Protection Act (VCDPA). For reference, the VCDPA and Colorado bill are both based on this year’s version of the Washington Privacy Act, which failed to pass the Washington legislature in April.

Below is an analysis of some of the more notable amendments.

For reference, the current version of the bill is available here and the original version of the bill is available here. Our analysis of the original bill is available here.

Narrowing of Privacy Rights

Right to Opt Out of Processing

The original version of the bill provided Colorado residents with an unqualified right to opt out of the processing of personal data. The provision extended further than the VCDPA, which will allow Virginia residents to opt out of processing where the purpose is the sale of personal data, targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

The amended Colorado bill narrows the right to opt out to the same three categories as the VCDPA. However, Colorado’s bill is more pro-business than the VCDPA because Colorado’s definition of “sale” is narrower (as explained below) and it concerns only profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning a consumer. Virginia’s law does not require the decisions to be solely automated. Presumably, this change was made to move the Colorado provision closer to GDPR’s Article 22, which contains similar language.

The amended Colorado bill also adds four exceptions to the definition of targeted advertising, which are drawn from comparable exceptions found in the VCDPA.

Finally, in what can be viewed as a pro-consumer amendment, the bill would now allow Colorado residents to exercise this right to opt out through a browser setting, browser extension or global device setting.

Right to Correction

The amended version still allows Colorado residents to request that inaccuracies in their personal data be corrected; however, this would be subject to the business’s right to “take into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.” Similar language is found in Virginia’s law.

Right to Deletion

In a subtle but important change, the amended bill narrows the right to deletion to personal data “provided to the controller.” Although not entirely clear, this may limit a consumer’s deletion request to only personal data they provided to the business and exclude personal data the business collected from other sources. In comparison, Virginia’s law extends the right to deletion to “personal data provided by or obtained about a consumer.”

Notifying Third Parties of Consumer Requests

The original bill required controllers to take reasonable steps to communicate to third parties when a consumer exercised any of the provided rights. In another pro-business move, the Colorado bill has removed this obligation in its entirety.

Elimination of Opt-In for Processing of Sensitive Data of Consumers

While most privacy advocates argued against the VCDPA, many have acknowledged that the VCDPA is pro-consumer insofar as it will require controllers to obtain a consumer’s consent to process sensitive data. For example, upon passage of the VCDPA, the Future of Privacy Forum CEO Jules Polonetsky remarked, “The law will be the first in the country to require companies to obtain affirmative opt-in consent for processing sensitive data, such as health information, race, ethnicity, precise geolocation, and other sensitive categories . . .”

In that respect, the VCDPA is arguably stronger than the California Privacy Rights Act’s (CPRA) treatment of sensitive data, which will restrict a business’s use of sensitive data to certain purposes and allow consumers to opt out of other uses.

Similar to the VCDPA, the original version of the Colorado bill would have required controllers to obtain a consumer’s consent prior to processing sensitive data or, in the case of the personal data of a known child or student, only with the consent of a parent or lawful guardian. In fact, the Colorado bill was actually more expansive than the VCDPA by including students.

The amended Colorado bill eliminates the opt-in requirement for consumers. Instead, controllers are only required to provide consumers with “clear notice” and “the opportunity to opt out of processing” of sensitive data. The amended bill also deletes any reference to student data. The bill still requires parental or legal guardian consent for the processing of personal data of a known child. “Child” is defined as an individual under 13 years of age, so it is unclear how this requirement differs, if at all, from COPPA’s consent requirement.

As amended, the Colorado bill perhaps hews closer to the CPRA’s treatment of sensitive data, although the CPRA’s definition of sensitive data is broader and businesses that use sensitive data outside of the CPRA’s permissible uses are required to have a link in their website footer stating “Limit the Use of My Sensitive Personal Information.”

For reference, sensitive data is defined in the Colorado bill to include personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data that may be processed for the purpose of uniquely identifying an individual, or personal data from a known child.

Deletion of Data Retention Disclosure Requirement

The amended bill removes the requirement that controllers provide consumers with “an estimate of how long the controller may or will maintain the consumer’s personal data.”

Additional Exceptions to Definition of Sale

The original version of the bill already contained a pro-business definition of “sale”. Specifically, “sale” is defined as the “exchange of personal data for monetary or other consideration by a controller to a third party for the purpose of licensing or selling personal data at the third party’s discretion to additional third parties.” The amended bill contains a clarifying revision: “monetary or other valuable consideration”.

The definition substantially limits the instances in which an exchange will be considered a sale by requiring that the exchange be for the purpose of a third party licensing or selling personal data to other third parties. The VCDPA, CCPA and CPRA do not contain this limitation.

This limitation is found in Nevada’s right to opt out of sales, but Nevada lawmakers are in the process of removing it.

Notwithstanding the above, the Senate Committee accepted two new exemptions to the definition of sale. First, it is not a sale if “a consumer directs the controller to disclose or intentionally discloses by using the controller to interact with a third party.” This exception, which also appears in the CPRA, would implicate cookie consent banners, among other things. Second, it is not a sale if the personal data is “intentionally made available to the general public via a channel of mass media and [the consumer] did not restrict to a specific audience.” This exception would, among other things, exclude activities such as data scraping.

New Right to Cure

The amended bill adds a right to cure which requires the attorney general or district attorneys to first notify a business of an alleged violation. A business then has 60 days to cure the violation, exceeding the VCDPA’s and CCPA’s 30-day cure periods.

Privacy advocates have steadfastly opposed rights to cure, arguing that the right incentivizes noncompliance with the laws unless and until the business receives a violation notice.

Next Steps

As discussed, the Colorado bill is now with the Senate Appropriations Committee, where it is scheduled for a May 14 hearing. The bill currently does not have any House sponsors. Colorado’s legislature adjourns on June 12.