Colorado is the latest state to consider comprehensive data privacy legislation.
On March 19, State Senators Robert Rodriguez (D), Chair of the Business, Labor & Technology Committee, and Paul Lundeen (R), Minority Whip, introduced SB 21-190, the Colorado Privacy Act (the Act).
Should the Act become law, consumers could at any time opt out of the sale, collection and/or use of "personal data," which the Act defines as "information that is linked or reasonably linkable to an identified or identifiable individual."
In addition, covered businesses would be required to obtain opt-in consent before processing "sensitive personal data," defined as: (1) "personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status," (2) "genetic or biometric data that may be processed for the purpose of uniquely identifying an individual," or (3) the personal data of individuals below the age of 13.
Covered businesses would be required to conduct and document data protection assessments in connection with activities "that present a heightened risk of harm to a consumer," such as the processing of sensitive personal data, the processing of personal data for targeted advertising or profiling purposes, or the sale of personal data.
Although such data protection assessments would be confidential, covered businesses would have to make them available to the Attorney General upon request.
Covered businesses also would be required to make available "a reasonably accessible, clear, and meaningful privacy notice"; "specify the express purposes for which personal data is collected and processed" and not process personal data "for purposes that are not necessary to or compatible with" those specified purposes without first obtaining the consumer's consent; and abide by duties of data minimization, care, and avoidance of unlawful discrimination.
Consumers, meanwhile, would be granted the following rights: the rights to access, correct, and delete personal data; the right to data portability; and the ability to appeal denied requests to exercise these rights.
The Act would not create a private right of action. Instead, the Colorado Attorney General and district attorneys would have exclusive enforcement authority. Remedies would include injunctive relief and civil penalties up to $2,000 per violation, not to exceed $500,000 for any related series of violations.
If adopted into law, the Act would become effective on January 1, 2023.