The Colorado Privacy Act — the Mile High State’s take on comprehensive CCPA-like data privacy legislation — is expected to be signed into law imminently. While the bill will empower consumers to take greater control over their personal information, it will also erect new hurdles for marketers, who generally rely on the collection and sale of consumer data to track consumer behavior and serve targeted ads.
Colorado is expected to join California and Virginia in passing comprehensive consumer data privacy legislation. The Colorado House voted 57-7 Monday night to pass the Colorado Privacy Act (CPA), which passed in the state Senate on May 26 with a unanimous vote. Governor Jared Polis (D) is expected to sign the bill into law shortly.
If signed, the bill will provide consumers with the right to opt out of data processing, but will introduce additional challenges for businesses — and marketers in particular — that depend on the collection, processing and sale of consumer data for a number of operations. Here’s what you need to know.
An overview of CPA
The law will apply to any organization conducting business in Colorado or targeting its products or services to Colorado residents that either: process or control the personal data of more than 100,000 consumers annually; or that derive revenue from the sale of personal data in addition to processing or controlling the personal data of 25,000 consumers or more.
Under CPA, consumers will have the right to not only opt-out of the processing of personal data — which is often sold and used for targeted advertising purposes — but also to authorize another person to opt out on one’s behalf. Further, CPA will allow consumers to request deletion of personal information and correct inaccuracies concerning one’s personal data. The bill also requires that businesses obtain consumers’ opt-in — rather than simply an opt-out — for the collection of certain “sensitive” personal data, which may include religious beliefs, sexual orientation, race/ethnicity, citizenship status and physical or mental health information
Subjected organizations are obliged to give consumers a “reasonably accessible, clear, and meaningful” privacy notice that discloses information about the organization’s data collection and sharing policies and practices. Plus, before transferring personal data, organizations must agree to data processing contracts with service providers. Similar to the California Consumer Privacy Act (CCPA), CPA’s protections don’t apply to employment records and some other types of information.
“It is great to see a third US state could pass a comprehensive privacy law,” says Ivana Bartoletti, Deloitte’s technical director of privacy and digital ethics and the author of An Artificial Revolution: on Power, Politics and AI. “Increasing privacy protection around the world is crucial for the flow of information.”
While the bill includes no private right of action — meaning that consumers can’t file personal lawsuits against organizations they believe to be in violation of the law — the Colorado Attorney General’s office and state district attorneys will enforce CPA and may fine noncompliant organizations up to $500,000.
How CPA differs from other US privacy legislation
Though CPA shares much of the same anatomy as CCPA, the upgraded California Privacy Rights Act of 2020 (CPRA) and the Virginia Consumer Data Protection Act (VCDPA), it does differ in a few key areas.
According to Jessica Lee, partner at law firm Loeb & Loeb and co-chair of the company’s privacy, security and data innovations, the Colorado bill includes a few additional protections that haven’t been seen in either the Virginia or California bills.
For one, she says, the bill includes stringent limitations on secondary uses of data, requiring an opt-in for such uses. “This is meaningful in that the bill also requires companies to specify the purpose for which they may collect information,” she says. “The practice of collecting data for one purpose (or describing the purpose in very broad and general terms) and using it for another down the line will be constrained by the addition of this requirement. This goes beyond the CPRA (which requires additional notice) and appears stronger than the VCDPA’s secondary notice requirements.”
CPA also incorporates consumers’ right to use a “universal” opt-out, which Lee says is similar to the recently introduced Global Privacy Control solution. “It continues the trend towards allowing consumers, whether through an authorized agent or browser-based tools, to exercise their opt-out rights on a global level, rather than going site by site or company by company,” Lee says.
And while CPA introduces a number of new hurdles for businesses, it’s not all bad news for them, according to Lee. A 60-day cure period — which will be phased out on Jan. 1, 2025 — provides organizations with some much-welcomed wiggle room. “These laws are always more complicated to implement than they appear, and once companies start to get into the weeds on how to navigate these new obligations, mistakes will inevitably be made,” says Lee. “This cure period allows companies to work with regulators on solutions [for] how to navigate the grey areas without fears that unintentional missteps will result in fines.”
Polly Sanderson, policy counsel at privacy-focused think tank Future of Privacy Forum, notes that another key difference concerns CPA’s overarching position on consent and its implications for marketing practices. “Coupled with [the bill’s requirement that businesses obtain opt-in for the processing of ‘sensitive’ information], the consent standard explicitly bans covered entities from using so-called ‘dark patterns,’ which means manipulative user interfaces or design. Taken together, this sets a higher bar than both California (which is opt-out) and Virginia (which does not include anti-dark patterns language).” The bill’s language will set a higher bar for marketers to be transparent in their communications and avoid the use of potentially deceptive tracking methodologies and interfaces.
Bartoletti, like many techno-ethicists, is particularly pleased with this restriction. “I like the focus on dark patterns — I think this is excellent, as dark patterns are interfaces that really impair people's dignity and autonomy,” she says.
What it means for marketers
The consumer protections introduced by CPA create new challenges for marketers, many of whom depend on the collection, storage and sale of consumers’ personal information for tracking and ad targeting purposes. Even so, with CCPA/CPRA, VCDPA and the EU’s General Data Protection Regulation (GDPR) already in play, CPA doesn’t create too many stumbling blocks with which businesses weren’t already contending.
However, the momentum building across the US to pass more state-level privacy legislation — and perhaps even a federal-level bill — combined with recent changes by Google, Apple and other major tech players to restrict business’ access to consumer data — spell trouble for marketers.
For one, while the existing state-level laws share many similarities, marketers may find themselves in hot water should they not understand the subtle definitional differences between various privacy laws. “Marketers will need to read the law's definitions and requirements carefully,” says Future of Privacy Forum's Sanderson. “For instance, [CPA’s] definition of ‘pseudonymous’ data differs slightly from existing standards, and marketers should closely compare Colorado, Virginia and California's definition of [terms like] ‘sale’ and ‘sensitive’ data. Likewise, the scope of the consumer rights — such as access and deletion — varies between the state laws.” She notes that one approach to dealing with such a challenge would be to pinpoint the most comprehensive standard and implement it universally. Strategies such as geofencing could also be applied, though Sanderson advises that businesses assess such possibilities within the larger framework of their strategies, risk tolerance and compliance practices.
Ultimately, experts agree that new approaches are needed if marketers are going to be able to continue connecting with audiences in relevant ways — while sidestepping the potential risks of engaging in practices like "dark patterns." Whether that entails contextual advertising approaches, new universal ID solutions or something else entirely remains to be seen. “It’s hard to say that increasing consumer protection is a bad thing,” Lee says. “It will drive more innovation around consumer trust and increase transparency. Businesses need to figure out how they are going to deal with these larger industry changes — which of the myriad of new solutions will they adopt — and then turn to applying these new regulatory requirements in that context. I don’t know that I would spend too much time trying to figure out how these laws will impact how we do tracking and ad targeting today, because once these laws go into effect, those practices are going to be completely different.”
Right now, Lee’s advice to marketers is to tread carefully and make the data value exchange apparent to target audiences. “Marketers will have to be more intentional and specific in their communications with consumers about how and why they are collecting information,” she says. “Most marketers will want to avoid the friction of having to get consent for additional purposes. I think we are going to see more creative approaches to describing the value proposition to consumers of sharing their data. We are already starting to see companies tell consumers that data is how they keep their websites and apps free; We will see more of that as marketers will have to work harder to get access to data, particularly where opt-in consent is required or a universal opt-out is made available.”