The Colorado General Assembly is considering two bills addressing personal privacy and biometric data. But with the legislation following in the footsteps of other states, experts are concerned that the bills’ passage would create a patchwork of laws that could make compliance difficult.
“Businesses are tearing their hair out at the moment,” said Liz Harding, a shareholder at Polsinelli who counsels clients on EU and UK privacy matters. “It’s somewhat like ‘Jaws,’ right? Just when you thought it was safe to go back in the water … along comes Colorado.” The main concern for businesses is that compliance becomes more and more difficult as each additional state adopts new laws.
Colorado’s Bills
The two bills currently being considered by the Colorado General Assembly are SB-190 and HB-1244, which focus on what information can and should be collected, internet users’ rights and their ability to opt in to and out of data collection.
SB-190 looks to create personal privacy protections that would apply to legal entities that do business in Colorado or that produce goods or offer services targeted to Colorado residents. The bill would apply to entities that process or control the data of more than 100,000 consumers in a calendar year or that derive revenue from selling the personal data of at least 25,000 consumers. It also gives consumers a right to opt out of personal data processing and the ability to correct, access or delete that data or obtain a copy of it.
HB-1244 would also prohibit legal entities targeting their products or services in Colorado from storing, collecting or using consumers’ biometric information, such as retina scans, voice prints, face prints or fingerprints, unless the entity provides the consumer with information about what has been collected, obtains their consent and informs them of how to revoke that consent at any time.
The bill would also prohibit governmental entities from using, acquiring or possessing that biometric information unless it’s authorized by statute. Government entities would also be prohibited from selling, releasing or publicly disclosing biometric information unless necessary by court rule or law or the person whose data is sold consents in writing.
Emily Keimig, a member at Sherman & Howard who advises and represents clients on workplace issues and internet use, said she is concerned that the two bills pick and choose from California’s and Virginia’s privacy laws and the European Union’s General Data Protection Regulation.
“I think it’s interesting that these two models [from California and Virginia] are popping up,” she said. “Honestly, most businesses would prefer if there was a single federal law because it makes compliance a lot easier for them.”
Existing Regulations
The California Consumer Privacy Act, passed in 2018 and updated since then, gives consumers control over the personal information that businesses collect about them. The law secured consumers’ rights to know what personal information is collected and how it is used, to delete that information, to opt out of the sale of their data, and not to be discriminated against for exercising those rights.
The California act applies mainly to for-profit businesses that either have an annual gross revenue of $25 million; buy, sell, use, receive or share the personal information of 50,000 or more consumers, households or devices; or derive 50% or more of their annual revenue from selling consumers’ personal information.
The Virginia Consumer Data Protection Act, entered into law on March 2, does not set a revenue threshold for its obligations. Instead, large businesses are required to comply with the law if they process or control the personal data of 100,000 consumers in a year, or of 25,000 consumers if they gain 50% of gross revenue from personal data sales. Compared with California’s model, the law also doubles the number of residents whose data must be collected or processed before it applies to a business.
The GDPR imposes obligations on organizations anywhere in the world, so long as they target or collect data related to people in the EU, and levies fines against entities that violate its privacy and security standards.
Between the GDPR and the U.S. states’ laws, companies face an inconsistent “patchwork” of obligations that they have to comply with, Keimig said. In her experience, companies want to do what they’re supposed to do, but when the laws they face are inconsistent from state to state, that creates a practical problem.
Comparing and Contrasting
Harding said she thinks Virginia’s law is a more business-friendly version of the GDPR and its thresholds — which are similar to those proposed in Colorado — make it easier for companies to comply in comparison to the California law. The Virginia law is focused on businesses either in specific states or that target services to that state — a common theme in state-level privacy legislation and similar to what’s seen in Europe under the GDPR.
Compared with GDPR and California, the Virginia framework and Colorado’s proposed framework push the thresholds higher for businesses that might be subject to the rule; for example, a company needs to comply only when it controls data for 100,000 of the state’s residents. In comparison, California’s $25 million gross revenue threshold is a “big catch” for businesses, because even if they don’t do much business in the state, they might still be required to comply. Keimig said that despite their differences, once a business is caught under the Virginia and California requirements, the requirements themselves are similar.
However, for other aspects, such as agreeing to data usage, Colorado’s proposed 190 appears to mix what the other models have done, Keimig said. For example, the personal privacy provisions of 190 give consumers an opt-out for the sale of their data, like California, whereas Virginia and the EU have opt-in requirements. For 1244, the option provided is opt-in, Keimig said. The mix of opt-in and opt-out standards in Colorado’s proposed bills is one of the primary aspects companies might struggle with.
Another issue is the question of who can enforce the laws, Keimig said. If a state attorney general’s office or other government entity will be charged with enforcement, there is a fiscal impact, which raises questions about funding. Colorado’s HB-1244 includes a private cause of action against the government if an agency violates the biometric privacy requirements, Keimig said.
Colorado’s Path Forward
Harding said Colorado’s proposed bills look to mirror the GDPR by providing broader rights to consumers than what Virginia or California’s laws cover. In Senate Bill 190, Harding said she feels Colorado is going its own way with its own model, thus creating another set of compliance requirements, which can be frustrating for businesses.
The mix of regulations prompts a conversation for businesses about whether to apply the same California requirements across all of their operations, instead of just to California residents.
This in turn forces businesses to make choices about how to handle multiple laws, Harding said. “The choices that businesses are really going to have is do they adopt a different approach for each state in which they operate, or they have customers?” she asked. “Or, do they just say we’re just going to operate on what is the state with the most comprehensive laws, and the most consumer friendly laws, and apply those.”
Harding said this mix of laws creates a preference among businesses for federal regulation. State regulation is like a Venn diagram in which each state has its own circle that overlaps with the others, but if every state has a nuance that differs from the rest, that creates problems for businesses.
Keimig believes that some of the impetus for these state privacy laws comes from the increasing usability of technology to record data, such as fingerprints, for security reasons. At the same time, she said she thinks state legislatures are working to protect residents from “bad guys” trying to obtain important personal data from companies.
With an increase in data that can be stored and used, and the more personal that data becomes, the more lucrative it is for someone with nefarious goals to obtain it and use it to their advantage, Keimig said. As such, it makes sense to take steps to ensure protections and procedures.
If the U.S. wound up with a federal law on privacy, Harding said she thinks it would be more practical than the laws that currently exist in Europe. The GDPR contains many provisions that, Harding said, don’t add a lot of consumer protection but do create busywork and time-consuming process checks for businesses.
“I suspect that it will be something that sits midway between what we have under GDPR and what we have under the [California act],” she said.
Editor’s Note: This story was updated at 3:15 p.m. on May 4 to correct the intention of a quote.