Companies collect and share your online data. Colorado wants to become one of the only states to give consumers more say.
Social media ads sometimes seem to know a little too much about you — where you shop, the products you buy or what websites you’ve been frequenting.
Big tech companies store this information about consumers, and it’s long been fueling a debate about how to balance data privacy with letting businesses cater to their customers.
Colorado lawmakers decided to tackle the issue again this year with SB21-190, which unanimously passed the Senate last week. If it makes it to Gov. Jared Polis, Colorado would be the third state to pass a data privacy law, following California and Virginia.
It wouldn’t take effect, though, until July 2023. And even then, some data privacy experts worry it doesn’t go far enough, while businesses worry about complying with various regulations in different states.
With 26 states also considering what to do about data privacy this year, Colorado lawmakers have looked around for the policies they believed would work best. Washington state’s is the main model, Democratic Sen. Robert Rodriguez of Denver said, because it balances consumer and business rights. (Washington has not been able to pass it yet.)
“We’re just trying to figure out good controls and giving people access,” he said. “I think young people assume they have no privacy and old people have no idea how much privacy they don’t have.”
Fellow bill sponsor Sen. Paul Lundeen, a Monument Republican, is concerned that smartphones store information about people “that defines who you are,” which gets shared with various companies.
The bill “is an effort to thread that needle, protect our privacy, and at the same time, give all the businesses we rely on, all the providers that we rely on, the ability to do their job without stealing our future, without stealing our identity, without stealing the representation of who we want ourselves actually to be,” he said.
Colorado consumers would be able to opt out of having companies collect certain information — like which websites they’re visiting — and could decide whether to deny a company access to sensitive data like a health condition. The current version also calls for a “global privacy control,” a browser setting that Rodriguez said would be available in 2024 to all Colorado users to stop data collection on any website they visit.
Not every company would come under the proposed rules, only those that process personal data of 100,000 or more consumers per year or make money or get discounts from selling personal data of 25,000 or more consumers. Companies also would have to make clear the type of data they collect, what they do with it and how long they store it.
Banks and other financial institutions are exempt, and businesses will still have to comply with federal privacy rules for children. The attorney general’s office will have rule-making and enforcement authority, and the latter is also provided for district attorneys (which isn’t found in California or Virginia’s laws).
From federal to local
The issue is not new; Colorado Attorney General Phil Weiser recalls working on it during the Obama administration. His office has been working with sponsors on the bill.
“The core part of the bill that really matters is consumers have the ability to control and dictate how their data is used,” he said. “Right now, all sorts of companies are collecting data about consumers that consumers don’t know about.”
There is a continued push to pass federal data privacy legislation as Europe has done, but without a central federal policy in the United States, individual states have had to take matters into their own hands. That could create a patchwork of regulations, said Dan Jaffe of the National Association of Advertisers.
“We generally believe that this is a growing trend, that there’s going to be numbers of different bills that are very inconsistent with each other and that’s going to start creating major hurdles for people in Colorado and around the country who are trying to do business on the internet,” Jaffe said.
His organization is against this bill, and he argues that it could be expensive to deal with different state regulations, leading businesses to potentially pass on the costs to consumers.
But Camila Tobón, a Denver-based privacy and data security attorney, says that Colorado’s proposal is similar enough to the others, which makes it easier to implement for the state and for businesses. Plus, the bill doesn’t take effect immediately and it gives businesses the opportunity to fix violations within 60 days until 2025.
“(Companies) are going to have to do a significant lift in order to get ready, just to figure out what they have, how they’re using it, who they’re sharing it with and putting all the specific compliance mechanisms in place … For companies that haven’t looked at these issues, it’s going to take some time,” she said.
Casey Fiesler researches technology ethics, internet law and policy and online communities data privacy and ethics as a fellow at the Silicon Flatirons Institute at the University of Colorado Law School, and has found people tend to develop an attitude of learned helplessness — “why would I bother to try to protect my privacy when there’s so little that I have control over and all these companies are going to do whatever they want with my data?”
The “opt-out” portion of Colorado’s bill also may not “have as much of an impact except for the people who really do care a lot about this stuff,” Fiesler said, noting that, often, people will accept terms of agreement without fully reading or understanding them.
“I feel like there’s a big gap between the people who are really paying attention to this and really care about their privacy and are going to all of this extra work to protect their privacy,” she said, “ … and the average person who’s just like, ‘I want to go on Facebook, I want to go use Amazon, and, oh I have to click through a thing.’”
That’s why privacy proponents like the Colorado Public Interest Research Group prefer an “opt-in” method — information would remain private unless a person asked a company to collect it, campaign organizer Allison Conwell said.
Her group is also pushing for the bill to include a “private right of action,” which would allow individuals to sue companies for violations, rather than just leave it in the hands of the AG’s office. Rodriguez also prefers an opt-in method like in Europe and the right to sue, but said it would be a transformative change for companies to make in the U.S. and not one he thought could pass the statehouse this year.