By adopting comprehensive data privacy laws for consumers, Colorado became one of just a handful of states that have successfully updated consumer-protection statutes to reflect the importance of data privacy in the Information Age (see Int’l Ass’n of Privacy Professionals).
On June 8, 2021, Colorado’s legislature passed the Colorado Privacy Act (“CPA”), whose focus is the enhanced protection of “personal data” (see JD Supra). On July 7, 2021, Governor Polis signed the CPA into law (see Compliance Week). While such a law will invariably entail gray areas, blind spots, and inefficiencies, legislation like the CPA generally constitutes a victory for consumer protection. One need not look far—for example, data breaches at major businesses, websites persistently gathering cookies, rapid growth in identity-theft crimes, sale of personal information that results in unwanted solicitations and perpetual spam—to understand the value and sensitivity of personal information. Indeed, any number of large corporations—Facebook, Google, Palantir, Ancestry, etc.—rely in significant part on collecting, analyzing, packaging, and selling various forms of personal data.
In passing the CPA, Colorado’s legislature noted, “The people of Colorado regard their privacy as a fundamental right and an essential element of their individual freedom.” (see Colorado Senate Bill 21-190). It added, “Ongoing advances in technology have produced exponential growth in the volume and variety of personal data . . . and these advances present both promise and potential peril.” Such statements are likely not especially controversial in the United States, given its tradition of personal property and privacy rights and the incessant collection and selling of personal information that infringes on that privacy; it is therefore telling that only a few states have enacted such legislation. Some highlights of the CPA follow:
- It endows consumers with the right to opt out of the processing of their personal data for sale, advertising, and profiling
- It provides extra protections for “sensitive data,” which include information about race or ethnicity, religion, physical or mental conditions, sex, citizenship status, and genetic or biometric data
- It applies to larger personal-data “controllers” and “processors”—those that process data for at least 100,000 consumers annually or earn revenue from the sale of the personal information of at least 25,000 individuals per year
- It exempts certain entities and types of data from coverage, perhaps most notably those that are covered under the federal HIPAA
- It requires data controllers to take various security precautions and proactively interact with consumers with regard to data privacy
- It does not provide a private right of action—the CPA must be enforced by the Colorado state attorney general
The last point—the lack of a private right of action—is perhaps the CPA’s greatest weakness, as attorneys general are often slow to take enforcement action and may be politically influenced. Regardless, the CPA represents an improvement: it facially raises the bar for data-privacy compliance and should enable many people to stem the sale of their personal information—indeed, who wants their personal information sold? The primary consumer-protection statute in most states is one that was initially adopted in the 1970s and, accordingly, was not crafted for the persistent data-privacy issues of the current day but, rather, for misrepresentations made by sellers of cars and other conventional consumer products. In many states, those traditional laws have been hamstrung by a variety of factors, and, in the case of a privacy breach, it is not always evident how the injured person may go about seeking legal recourse given substantial gaps in the law. While the CPA can’t be enforced by consumers and attempts to strike a balance between privacy concerns and economics, it nonetheless constitutes incremental progress in evolving state consumer-protection law.