Companies collect and share your online data. Colorado wants to become one of the only states to give consumers more say.

Social media ads sometimes seem to know a little too much about you — where you shop, the products you buy or what websites you’ve been frequenting.

Big tech companies store this information about consumers, and it’s long been fueling a debate about how to balance data privacy with letting businesses cater to their customers.

Colorado lawmakers decided to tackle the issue again this year with SB21-190, which unanimously passed the Senate last week. If it makes it to Gov. Jared Polis, Colorado would be the third state to pass a data privacy law, following California and Virginia.

It wouldn’t take effect, though, until July 2023. And even then, some data privacy experts worry it doesn’t go far enough, while businesses worry about complying with various regulations in different states.

Colorado State Senator Steve Fenberg, D-Boulder, ...

David Zalubowski, The Associated Press

Colorado Senate Majority Leader Steve Fenberg, D-Boulder, front, and Sen. Robert Rodriguez, D-Denver, sit amid the empty desks before the chamber reopens to deal with budget issues at the Capitol in Denver on Tuesday, May 26, 2020.

The details

With 26 states also considering what to do about data privacy this year, Colorado lawmakers have looked around for the policies they believed would work best. Washington state’s is the main model, Democratic Sen. Robert Rodriguez of Denver said, because it balances consumer and business rights. (Washington has not been able to pass it yet.)

“We’re just trying to figure out good controls and giving people access,” he said. “I think young people assume they have no privacy and old people have no idea how much privacy they don’t have.”

Fellow bill sponsor Sen. Paul Lundeen, a Monument Republican, is concerned that smartphones store information about people “that defines who you are,” which gets shared with various companies.

The bill “is an effort to thread that needle, protect our privacy, and at the same time, give all the businesses we rely on, all the providers that we rely on, the ability to do their job without stealing our future, without stealing our identity, without stealing the representation of who we want ourselves actually to be,” he said.

Colorado consumers would be able to opt out of having companies collect certain information — like which websites they’re visiting — and could decide whether to deny a company access to sensitive data like a health condition. The current version also calls for a “global privacy control,” a browser setting that Rodriguez said would be available in 2024 to all Colorado users to stop data collection on any website they visit.

Not every company would come under the proposed rules, only those that process personal data of 100,000 or more consumers per year or make money or get discounts from selling personal data of 25,000 or more consumers. Companies also would have to make clear the type of data they collect, what they do with it and how long they store it.

Banks and other financial institutions are exempt, and businesses will still have to comply with federal privacy rules for children. The attorney general’s office will have rule-making and enforcement authority, and the latter is also provided for district attorneys (which isn’t found in California or Virginia’s laws).

RJ Sangosti, The Denver Post

Colorado Attorney General Phil Weiser takes notes in Denver as members of U.S. Supreme Court speak during oral arguments conducted remotely in the Baca faithless electors case on May 13, 2020.

From federal to local

The issue is not new; Colorado Attorney General Phil Weiser recalls working on it during the Obama administration. His office has been working with sponsors on the bill.