Colorado may be joining a handful of states trying to fill a federal void in regulating personal data privacy and security, but most experts agree the state-level patchwork is far from an ideal solution to a problem that’s been growing online for decades.
Legislation, titled Protect Personal Data Privacy and introduced in the state Senate Business, Labor & Technology Committee, would create personal data privacy rights for Colorado consumers. Colorado’s proposed law (Senate Bill 190) is modeled after similar laws in Washington and California.
Committee chair Robert Rodriguez, a Denver Democrat, admits lawmakers are way behind the curve on regulating personal data privacy and that the U.S. Congress should be taking the lead, but he says Coloradans deserve some form of protection.
“It’s mostly a consumer protection bill,” Rodriguez said. “It’ll give them the ability to opt out if they choose to; it’ll give them the ability to access their data; it’ll give them the ability to correct it if there’s errors.”
The legislation as currently proposed applies to companies that control or process the personal data of more than 100,000 consumers a year or derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers. It would not apply to personal data governed by certain state and federal laws.
While many industry experts and media observers agree the most effective form of data privacy protection is “opt-in” regulation, rather than requiring consumers to opt out of automatic collection, Rodriguez says opt-in was a non-starter in Colorado.
“As much as I would love to do an opt-in, I don’t know where the will is,” Rodriguez said. “Nobody has an opt in other than GDPR [General Data Protection Regulation] in Europe. No other states have that. I would love to do that, but I don’t think we’re at that point.”
Opt-in laws would do away with the automatic collection of personal data and require companies to ask consumers for permission. Some proposals at the federal level, where there is currently no national data privacy standard, would allow consumers to opt in.
Rodriguez laments being behind the curve on data privacy and security, where data breaches and a lack of accountability have destroyed consumer confidence, but he says there’s still an opportunity for Colorado to lead on some forms of tech regulation.
“[This bill] doesn’t deal with facial recognition or biometrics; there’s actually a separate bill coming for that, which I would be the sponsor of [in the Senate]. That bill’s being worked on in the House,” Rodriguez said. “It’s not good to mix this technology, because it’s all so different.”
Lawmakers need to get out ahead of rapidly developing technology, he added.
“It’s an emerging technology, so it’ll be an interesting fight, but one that’s needed,” Rodriguez said. “We’re way too late on data privacy now because it’s been out and it’s so ingrained. Facial recognition is new and innovative, and it might be good to get ahead of the curve.”
Frannie Matthews of the Colorado Technology Association says these deliberations need to be happening much more robustly in Congress.
“A lot of this regulation should be happening at the federal level so we have consistency, because what we have now is inefficient,” Matthews said. “This is a federal issue because it certainly seems like interstate commerce, and we need to understand if states have jurisdiction over this.”
Matthews agrees that personal data privacy and security is a critical issue for consumers.
“We are, for convenience, just giving [our data] away,” Matthews said. “A great example of not very effective regulation is how many times a day do you see ‘this website uses cookies,’ but if you really want to get into it, you say OK? You have no idea really what that means about where your data goes and what data they’re utilizing.”
Another concession Rodriguez says he made to get Republican support, in the form of Senate co-sponsor and Minority Whip Paul Lundeen of El Paso County, was ceding all enforcement to the Colorado attorney general and district attorneys.
“[Colorado Attorney General Phil] Weiser is pretty knowledgeable on data privacy; we’re trying to get him on the bill,” Rodriguez said. “One of the compromises is this bill’s being run with a Republican, and we’re housing all the enforcement under the AG’s office. We’re not going after a private right of action … I can’t get Republicans if I have that.”
Weiser spokesman Lawrence Pacheco said: “The attorney general has not taken a public position on the legislation. He is reviewing it and having discussions with the bill sponsors.”
Weiser, a former Justice Department antitrust attorney who is now going after Google as lead plaintiff in a lawsuit against its search domination and has joined with other states in suing Facebook, recently expressed his frustration with the lack of congressional action on data privacy.
Speaking on a University of Colorado Law School panel in February entitled Trust and Trustworthiness in the Tech Sector, Weiser offered these comments:
“It’s important to think about this issue around privacy and recognize that we have an institutional problem in the U.S. in that Congress is not able to function … There is bipartisan support to address a national data privacy law,” Weiser said. “Fifty states have data breach laws. Congress has been unable to act. What that has meant in practice is that the state attorneys general have had to pick up slack. You’re seeing states passing data privacy laws, which Congress would call a second-best solution. I’d rather see a federal law with state AGs able to enforce it.”
Fellow panelists from the Federal Trade Commission and the Federal Communications Commission, whose agencies have tried to regulate without an overarching federal law, agreed.
“The point holistically is that the issues of privacy are so complex there is intersectional jurisdiction, but it is really important that Americans be able to trust and know that they can use these services,” FCC Commissioner Geoffrey Starks said.
FTC Commissioner Christine Wilson concurred.
“Consumers need transparency about what is happening with their data … So much of our most personal data and information is being hoovered up and consumers don’t understand what’s being collected, how it’s being shared, used, monetized, sold to third parties, and so we need to get a handle on that and provide guardrails for businesses,” Wilson said.
“Businesses need certainty and predictability, and the patchwork that is emerging among the states is in the end not, as General Weiser noted, the first, best solution,” she added. “We cannot be a leader in the discussions about protecting consumer privacy and data security globally if we don’t have federal privacy law and data breach legislation.”