First it was California (of course). Then it was California version 2. In 2020, things were quiet and no states joined the club. Earlier this year Virginia joined the club and today Colorado became the third state to enact a California-style or Europe-style privacy law, with some significant differences.
Here are some of the key parts of the law.
- Consumers have the right to get a copy of their data, get it corrected, delete it and be able to port it to a competing service
- Allows consumers to opt out of targeted advertising, sale of data and some profiling
- Exempts employee data, deidentified data and publicly available data
- It also exempts data covered by HIPAA, GLBA and COPPA
- Companies that collect data need to tell consumers how they are going to use it
- It requires a duty of care to protect data. This is also known as the full employment act for lawyers
- And of course, it has a number of exemptions
One new twist – while there is no private right of action, action can be taken by local DAs – many of whom are planning to run for higher office – in addition to the AG, who is pretty busy.
California’s law is based on global revenue; the Colorado law is based on the number of Colorado residents the company collects data on (100,000) or fewer residents if you also sell some data (25,000). Still, that should eliminate many smaller companies.
Business to business transactions are also exempt.
Like most of the similar laws, processing of sensitive data (racial or ethnic origin, mental or physical health, sexual orientation, etc.) requires an opt-in.
Finally, the AG is authorized to create rules to carry out this new law.
Companies need to have a much more robust privacy disclosure, which includes a number of specific items.
Also, and this is a weakness for many companies, the law requires companies to have a WRITTEN contract with all data processors (think of cloud software providers, for example) which documents instructions for processing data, confidentiality requirements and the requirement to notify the data owner before subcontracting, among other requirements.
One important first step for companies to take, whether they operate only in Colorado, operate in Colorado alongside other states, or operate across multiple states, is to get a really good handle on what data they collect, where they store it and who they share it with, either for financial purposes or just to run the business. Our experience tells us that this is a real challenge for most companies.