Why Colorado’s data privacy bill may be a big mountain to climb for marketers

The Drum 10 Jun 2021 10:00

The Colorado Privacy Act — the Mile High State’s take on comprehensive CCPA-like data privacy legislation — is expected to be signed into law imminently. While the bill will empower consumers to take greater control over their personal information, it will also erect new hurdles for marketers, who generally rely on the collection and sale of consumer data to track consumer behavior and serve targeted ads.

Colorado is expected to join California and Virginia in passing comprehensive consumer data privacy legislation. The Colorado House voted 57-7 Monday night to pass the Colorado Privacy Act (CPA), which passed in the state Senate on May 26 with a unanimous vote. Governor Jared Polis (D) is expected to sign the bill into law shortly.

If signed, the bill will provide consumers with the right to opt out of data processing, but will introduce additional challenges for businesses — and marketers in particular — that depend on the collection, processing and sale of consumer data for a number of operations. Here’s what you need to know.

The law will apply to any organization conducting business in Colorado or targeting its products or services to Colorado residents that either: process or control the personal data of more than 100,000 consumers annually; or that derive revenue from the sale of personal data in addition to processing or controlling the personal data of 25,000 consumers or more.

Subjected organizations are obliged to give consumers a “reasonably accessible, clear, and meaningful” privacy notice that discloses information about the organization’s data collection and sharing policies and practices. Plus, before transferring personal data, organizations must agree to data processing contracts with service providers. Similar to the California Consumer Privacy Act (CCPA), CPA’s protections don’t apply to employment records and some other types of information.

While the bill includes no private right of action — meaning that consumers can’t file personal lawsuits against organizations they believe to be in violation of the law — the Colorado Attorney General’s office and state district attorneys will enforce CPA and may fine noncompliant organizations up to $500,000.

Though CPA shares much of the same anatomy as CCPA, the upgraded California Privacy Rights Act of 2020 (CPRA) and the Virginia Consumer Data Protection Act (VCDPA), it does differ in a few key areas.

For one, she says, the bill includes stringent limitations on secondary uses of data, requiring an opt-in for such uses. “This is meaningful in that the bill also requires companies to specify the purpose for which they may collect information,” she says. “The practice of collecting data for one purpose (or describing the purpose in very broad and general terms) and using it for another down the line will be constrained by the addition of this requirement. This goes beyond the CPRA (which requires additional notice) and appears stronger than the VCDPA’s secondary notice requirements.”

And while CPA introduces a number of new hurdles for businesses, it’s not all bad news for them, according to Lee. A 60-day cure period — which will be phased out on Jan. 1, 2025 — provides organizations with some much-welcomed wiggle room. “These laws are always more complicated to implement than they appear, and once companies start to get into the weeds on how to navigate these new obligations, mistakes will inevitably be made,” says Lee. “This cure period allows companies to work with regulators on solutions [for] how to navigate the grey areas without fears that unintentional missteps will result in fines.”

Bartoletti, like many techno-ethicists, is particularly pleased with this restriction. “I like the focus on dark patterns — I think this is excellent, as dark patterns are interfaces that really impair people's dignity and autonomy,” she says.

The consumer protections introduced by CPA create new challenges for marketers, many of whom depend on the collection, storage and sale of consumers’ personal information for tracking and ad targeting purposes. Even so, with CCPA/CPRA, VCDPA and the EU’s General Data Protection Regulation (GDPR) already in play, CPA doesn’t create too many stumbling blocks with which businesses weren’t already contending.

For one, while the existing state-level laws share many similarities, marketers may find themselves in hot water should they not understand the subtle definitional differences between various privacy laws. “Marketers will need to read the law's definitions and requirements carefully,” says Future of Privacy Forum's Sanderson. “For instance, [CPA’s] definition of ‘pseudonymous’ data differs slightly from existing standards, and marketers should closely compare Colorado, Virginia and California's definition of [terms like] ‘sale’ and ‘sensitive’ data. Likewise, the scope of the consumer rights — such as access and deletion — varies between the state laws.” She notes that one approach to dealing with such a challenge would be to pinpoint the most comprehensive standard and implement it universally. Strategies such as geofencing could also be applied, though Sanderson advises that businesses assess such possibilities within the larger framework of their strategies, risk tolerance and compliance practices.

Right now, Lee’s advice to marketers is to tread carefully and make the data value exchange apparent to target audiences. “Marketers will have to be more intentional and specific in their communications with consumers about how and why they are collecting information,” she says. “Most marketers will want to avoid the friction of having to get consent for additional purposes. I think we are going to see more creative approaches to describing the value proposition to consumers of sharing their data. We are already starting to see companies tell consumers that data is how they keep their websites and apps free; We will see more of that as marketers will have to work harder to get access to data, particularly where opt-in consent is required or a universal opt-out is made available.”

Continue reading original article...


CPAVCDPAColoradoColorado HouseColorado Privacy Act
You may also like