The misses have far outweighed the hits on the U.S. state privacy law front this year. States poised to lead the way on comprehensive privacy legislation fell short of expectations and attention paid to them. It's the surprise efforts, like the one that concluded Tuesday in Colorado, that have been the success stories.
On June 8, the Colorado General Assembly passed Senate Bill 190, the Colorado Privacy Act, giving the Centennial State the third comprehensive state privacy law in the U.S. after California and Virginia. Following initial passage by the Colorado Senate May 26, the Colorado House passed an amended version of SB 190 on a 57-7 vote Monday night before the Senate unanimously voted 34-0 on concurrence and final passage Tuesday.
The bill will soon be transmitted to Gov. Jared Polis, D-Colo., who will have 10 days to sign off on the bill or explicitly veto it.
"There was a distinct opportunity for Colorado to take a leadership position in this space," Husch Blackwell Partner David Stauss, CIPP/E, CIPP/US, CIPT, FIP, PLS, said. "By all accounts, the bill is stronger than Virginia's in a number of respects. I think it just took time for the right stakeholders, like the attorney general's office, to get on board. Once they got those details worked out, we started to see the incredibly swift momentum we've seen over the last two weeks of this bill."
The CPA applies to businesses that collect and store data on more than 100,000 individuals or those earning revenue from the data of more than 25,000 consumers. It also includes various data subject rights, a broad opt-out consent model with a universal opt-out mechanism, a right to cure, and attorney general rulemaking and enforcement.
The effective date for the bill is July 1, 2023.
"Right now, companies are collecting data on consumers that consumers don’t know about. Absent action at the federal level, states like Colorado are advancing effective data privacy policy solutions," Colorado Attorney General Phil Weiser said in an emailed statement to The Privacy Advisor. "The core part of the Colorado data privacy bill that really matters is consumers will have the ability to control and dictate how their data is used."
There's nothing seriously groundbreaking about the substance of the CPA, which is ultimately a good thing in the eyes of Greenberg Traurig U.S. Data, Privacy & Cybersecurity Practice Co-Chair David Zetoony.
"I've seen bills out there that have just gone to left field. Trying to go from zero to well beyond status quo. I think that's a mistake," Zetoony said. "Then I look at a bill like Colorado's, and it's not necessarily trying to create new ground, and if it is then it's being done incredibly incrementally. At the end of the day, if you're going to get into the privacy game, then you don't reinvent the wheel … and Colorado has a great chance at being the third state to create a sort of line or a trend."
Consumer advocates continue to hold out hope for bills with further boosts to consumer rights and protections, including a private right of action. Colorado's pending law doesn't offer a PRA, but it does carry rights to access and correct data while also providing for several controller obligations. With all that, Common Sense Media Policy Director Joe Jerome, CIPP/US, views the CPA as a positive break from the line of 2021 state proposals.
"I think SB 190 is a mixed bag from a privacy advocate's perspective, but it is absolutely, 100% an improvement on what was forced through in Virginia," Jerome said. "If states are willing to improve on Virginia, that's good to see."
Spotting compliance issues
As Zetoony outlined, Colorado isn't asking companies to roll out compliance measures they aren't already used to with the laws in California and Virginia. Subtle nuances, like the CPA's universal opt-out mechanism or certain definitions, may ultimately be the greatest challenge because companies can't streamline all regulatory compliance in one swoop.
"The biggest hurdle for companies being subject to numerous laws is just that," Stauss said. "The difficulty is the impetus to say let's get one common denominator or one compliance module that works everywhere. But I think we're seeing the differences and how navigating those commonalities just isn't going to be that easy. You'll see tugs-of-war internally on whether to take steps overall or for each individual law."
A more specific compliance issue Colorado presents, according to Zetoony, is the required data protection assessment. Such examinations are also required in the Virginia Consumer Data Protection Act, but Colorado does not exempt companies from these assessments like Virginia does.
"I'm frankly surprised the people endorsing these bills in Colorado and Virginia didn't raise more red flags around this," Zetoony said. "It's truly cryptic. I think there's an arbitrary, capricious and due-process problem with it. Colorado has it open-ended to where you need to perform one in the case of a heightened risk. The degree of arbitrary and capriciousness to try to hold a company liable for not having flagged after the fact an instance the attorney general would consider a heightened risk is pretty extreme without guardrails."
The consumer struggle
Colorado's opt-out model brings mixed reactions. In one regard, there's been praise for the inclusion of the universal opt-out, which will give consumers the one-stop, one-click method for executing their opt-out right across websites. The downside comes into play with language around the general right to opt out.
"There's been a lot of attention paid to the right to opt out, but it's a fairly limited right," Silicon Flatirons Executive Director Amie Stepanovich said, speaking on her own behalf. "It applies to targeted advertising and sale of information. You can't opt out of the unnecessary or irrelevant collection of your information."
Stepanovich also went back to the lack of a right of action, noting how "people from marginalized communities have not been able to count on government institutions to vindicate their rights for them." She added that even a limited PRA could've been useful as it relates to being able to "guarantee that those who could be most negatively impacted by bad corporate practices have any form of redress."
Jerome was a little more wide-ranging with his thoughts on where the bill could've gone further on behalf of consumers.
"It obviously could have done more to restrain targeted advertising as practiced by the biggest companies, and we're disappointed it doesn't do anything new for young people," Jerome said. "I think the duties (for controllers) are interesting, but there's still a lot of potential loophole language, like internal product development and what that means with the strong language against secondary use and discrimination."
Attorney general support, enforcement key
Some privacy professionals believe the backing from the Colorado attorney general's office might've been the turning point for the CPA's prospects in the state legislature. Brownstein Hyatt Farber Schreck Shareholder and former Colorado Deputy Attorney General for Consumer Protection Alissa Gardenswartz senses Weiser's interest in privacy and Colorado's growing tech scene made getting behind SB 190 an easy choice.
"It was sort of touch and go for a while (with the bill), but I think it got legs when the office got involved," Gardenswartz said. "I always thought it would be a priority and assumed (Weiser's) attention would turn to this. This could've happened last year, but for the pandemic, which derailed the session and priorities in general."
Gardenswartz also pointed to some telling signs that indicated the attorney general's involvement. One was the two-year sunset provision placed on the right to cure while the other was the rulemaking capabilities allowing Weiser's office to address outstanding compliance concerns and ambiguities ahead of the law's effective date.
"Weiser deserves a ton of credit for engaging on the bill, and I think his office did a lot to steer the legislature in the right direction," Jerome said. "I believe his office was keen to have some degree of rulemaking authority, which I know industry often is not a fan of either. As an advocate, I like the ability of these laws to be amended by attorneys general."
As far as what the focus of rulemaking could be, Gardenswartz has some initial ideas.
"Just looking at the law, I think perhaps more clarity around what a privacy notice should look like and how to be clear to a consumer would be helpful. Potentially addressing the 'dark patterns' piece and clarifying intentional patterns versus those with good intent and bad implementation," Gardenswartz said. "They could take some lessons learned from (the California Consumer Privacy Act's) rulemaking to see where there could be some additional clarity provided. I also just hope that stakeholder consideration and engagement is sincere."
A new model framework?
On the whole, the CPA gives off a degree of balance between consumer privacy and allowing businesses to remain vibrant despite compliance. Such a perceived happy medium begs the question as to whether this legislation could be workable in other states that haven't had luck with privacy legislation in prior attempts or those that simply haven't tried at all to this point.
"Is it a perfect bill? No. Not by any stretch of the imagination, but it's also important to note how the bill sponsors said a number of times that this was version 1.0," Stauss said. "The intent is not to pass and forget. They're looking to pass and continue to work on this bill. I do fully expect them to tinker over the next couple of years. Unless the federal government gets involved, this will not be static."
The idea of "something instead of nothing" is a common concept lawmakers and professionals have grappled with at the state and federal levels. Laying a foundation may prove useful if it's the right one. On the other hand, holding out for the perfect bill has similar pros and cons.
Stepanovich doesn't want or consider the current iteration of the bill to be something other legislatures pick directly from, as she sees room for improvement before that happens. In a perfect world, she'd still like to see U.S. Congress provide the baseline she believes would "start a conversation in 47 states." However, she wouldn't go as far as saying a federal law should preempt what's been done in Colorado, California and Virginia.
"Preemption is more difficult and nuanced than a lot of people give it credit for. It's a sliding scale, and we need to be honest about where it should lie," Stepanovich said. "We need to have basic conflict preemption and then do something to make sure states aren't making it hard for companies to comply with conflicting or confusing standards. But those same companies also need to answer why privacy is any different from several different standards they comply with across the areas they do business."
Photo by Andrew Coop on Unsplash