While a uniform federal privacy law in the United States continues to be an uncertain prospect overshadowed by other national priorities such as infrastructure and COVID relief, state legislatures have pushed forward with their own privacy regimes, resulting in an increasing patchwork of laws which businesses must parse in order to remain compliant. State legislatures across the country continue to develop and expand privacy protections for their citizens, as Colorado recently became the third state in the USA to create a privacy regime with echoes of the European Union’s General Data Protection Regulation (“GDPR”), and Nevada adjusted its existing data broker law in a manner that will require companies doing business in that state to reassess their exposure and compliance needs.
On June 8, 2021, the Colorado legislature passed the Colorado Privacy Act (“CPA”), a consumer privacy law giving Colorado residents various rights in their personal data, and requiring transparency from businesses that collect and process such data. The CPA is currently awaiting signature by the governor, and once enacted, Colorado will join California and Virginia as the third state with its own comprehensive consumer privacy regulation. If signed into law, the CPA will go into effect on July 1, 2023. (Update – the CPA was signed into law on July 8, 2021.)
Colorado’s CPA is in some respects a blend of the California Consumer Privacy Act of 2018 (“CCPA”) and Virginia’s recently enacted Consumer Data Protection Act (“CDPA”). Like the CDPA, Colorado’s CPA borrows nomenclature from the GDPR, and chiefly applies to “controllers,” which are defined as businesses that, alone or jointly with others, determine the means and purposes for processing Colorado individuals’ personal data. The CPA only applies to controllers who (a) do business in Colorado or whose products or services are targeted to Colorado residents, and (b) meet or exceed one or both of the following thresholds: (i) process data regarding 100,000 or more Colorado residents, and/or (ii) derive revenue or receive a discount on the price of goods or services as a result of the sale of personal data and process data regarding 25,000 or more Colorado residents. Like the CCPA and unlike the CDPA, Colorado’s CPA defines “sale” to include not only the exchange of data for “monetary” consideration, but also “other valuable consideration,” meaning that disclosing data in exchange for agreeing to perform services or assume other contractual obligations could be considered a “sale” in Colorado as well as California. And, as is the case under both the CDPA and CCPA, the CPA excludes various types of data covered by other legal regimes, including protected health information covered by HIPAA, as well as financial information and financial institutions that are regulated by the Gramm-Leach-Bliley Act. Finally, unlike the CCPA, the CPA also categorically exempts personal information about Colorado residents when they are acting in a “commercial or employment context, [or] as a job applicant[.]”
The CPA defines “personal data” very broadly (similarly to the GDPR) as “information that is linked or reasonably linkable to an identified individual”. However, the CPA establishes carve-outs for (a) de-identified information, defined as data that can no longer “reasonably be used to infer information about, or otherwise be linked to” an individual “or a device linked to such an individual”, as well as (b) “publicly available information”, which is defined to include government records as well as “information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public.”
The CPA gives Colorado residents a suite of rights that closely mirror those recognized by its predecessor privacy laws, including the right to opt out from targeted advertising, sales, or profiling activities producing legal or other significant effects, as well as rights to delete, correct, or access personal data held by the controller. Additionally, the CPA creates a unique “universal opt-out” requirement, whereby controllers must allow individuals to opt out via a “user selected universal opt-out mechanism.” While it is currently unclear exactly how such a universal mechanism will function or what requirements might apply to this process, the CPA requires the Colorado Attorney General to adopt rules and technical requirements by or before the date the CPA becomes effective, i.e. by July 1, 2023. Controllers will also have to complete data protection assessments (only regarding the processing of data acquired by the controller on or after July 1, 2023) which weigh any risks to the data subjects against the benefits/value of the relevant processing activities, and make such assessments available to the Colorado Attorney General upon request.
The CPA does not create a private right of action, and instead can only be enforced by the Colorado Attorney General and district attorneys.
The full text of the CPA is available here.
On June 2, 2021, Nevada’s governor signed an amendment to the state’s existing privacy law, making several significant changes, including the creation of a newly defined category of “data brokers” who will be obligated to afford certain rights to Nevada residents. The amendment’s changes to the existing law will go into effect on October 1, 2021.
Nevada’s current privacy law requires certain types of entities who “sell” (defined as the exchange for monetary consideration only) personal information to afford Nevada residents opt-out rights. The amendment will create a new category of “data brokers”, which are entities “whose primary business is purchasing covered information about consumers with whom the [entity] does not have a direct relationship and who reside in [Nevada] from [other covered entities] and making sales of such covered information.” Data brokers are required to afford Nevada residents the ability to opt out of sales of their data, and must respond to opt-out requests within 60 days of receipt (although they can invoke an additional 30-day extension if “reasonably necessary”). Data brokers are also obligated to comply with the current law’s transparency and disclosure requirements.
The amendment also creates significant new exemptions for certain types of data and entities. Consumer reporting agencies, financial institutions covered by GLBA, and entities engaged in fraud prevention activities are made exempt from the law’s requirements, as is any personal information regulated by the Fair Credit Reporting Act or personal information that is “publicly available” (a term that the amendment does not define).
Lastly, the amendment also gives covered entities a “second chance” in the event of any non-compliance, allowing entities to correct any failure to comply within 30 days of being notified of the failure. However, this second chance only applies to “first-time offenders”, i.e., to entities which have not previously failed to comply with the law.
The full text of the amended Nevada law is available here.
Other state legislatures across the country continue to consider and debate their own privacy bills, including Pennsylvania, New York, North Carolina, and Massachusetts. While the passage of such privacy bills is certainly not assured, as evidenced by recent rejections of proposed privacy laws in Florida and Connecticut, the incremental march of state privacy laws seems likely to continue for the indefinite future, especially in the absence of a bipartisan consensus around privacy regulation at the federal level. We will continue to monitor the development of these state privacy laws and report on new developments.