Navigating and Complying with Colorado’s New Consumer Privacy Act

Michael Callahan

On July 7, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (CPA or “the Act”) into law. With that pen stroke, Colorado joined California and Virginia as the third state to enact comprehensive consumer privacy legislation. While the law does not take effect until July 1, 2023, Colorado businesses would do well to study up on the new law to ensure compliance when it does become active.

In some ways, the CPA goes further than the California and Virginia privacy statutes. The CPA defines personal data as “information that is linked or reasonably linkable to an identified or identifiable person.”[1] Not only is that a broad definition, but the CPA also applies to a wider range of businesses than the California and Virginia statutes.
 
For example, while all three statutes will apply to businesses that control and/or process the personal data of 100,000 or more consumers per year, the CPA also applies to businesses that control and/or process the personal data of 25,000 consumers per year and derive revenue or receive a discount on the price of goods/services from the sale of personal data. Unlike other statutes, the CPA has no revenue threshold for determining whether an entity is covered. Given how common it is for businesses to sell personal data, this added wrinkle means that the CPA’s effective threshold for applicability is controlling or processing the data of just 25,000 consumers.

In addition, while all three statutes provide similar consumer rights, such as special protections for “sensitive” data like race, religion, and sexual orientation, the CPA also contains a user-selected universal opt-out mechanism. This mechanism gives Colorado residents the right to opt out of targeted advertising, the sale of their personal data, and specific types of user profiling (the practice of using automated processing of personal data to evaluate and predict personal aspects concerning an individual’s location, behavior, personal preferences, and even economic situation).

The CPA comes with exceptions and exemptions, of course. “Consumers” under the Act only include Colorado residents acting in their individual or household capacities. That means individuals acting in commercial or employment contexts are not covered. Buying a new smartphone? Covered. Applying for a job? Sorry, that data isn’t afforded the same protection. The Act also does not extend to publicly available information or information that has been de-identified (private data where personal identifiers have been removed). Finally, entities covered by Federal privacy laws, like HIPAA and FERPA, are mostly exempted from the CPA.

So, what does all of this mean for covered Colorado businesses? Well, for one, every covered entity should begin a review of its current cybersecurity practices to evaluate whether it will be able to keep up with the CPA’s new suite of consumer rights and regulatory rules beginning in July 2023. In addition, all covered entities ought to begin drafting new processes by which consumers can contact them and submit requests regarding their personal data, as well as a process by which consumers can appeal the covered entity’s decision regarding the use of that data. Privacy policies will universally require updates to include the notices required under the CPA regarding how and why the covered entity uses consumer data. Covered entities will also be required to obtain consumer consent when it comes to collection and processing of “sensitive” data. Finally, all covered entities should also begin the process of designing and implementing the CPA’s unique “universal opt-out” mechanism, which becomes mandatory for all covered entities on July 1, 2024.

Colorado is at the forefront of protecting consumer data and privacy with the CPA. However, these protections invariably come with significant regulatory and compliance hurdles for Colorado businesses. The CPA is only one of three such laws in the United States, so there is not a whole wealth of compliance experience that covered entities can look to for guidance. It goes without saying, then, that the earlier covered entities can start working on their compliance regime, the better!


[1] See Colo. Rev. Stat. § 6-1-1303

ABOUT THE AUTHOR

LAW CLERK

Michael joins Milgrom & Daskam as a law clerk, where he works in the litigation and intellectual property practice groups. During his time at CU Law, Michael has served as a volunteer with the Korey Wise Innocence Project as part of a small team advocating on behalf of wrongfully convicted individuals in Colorado. He also serves as vice president of the Student Animal Legal Defense Fund, where he has organized fundraisers and donation drives for local animal shelters. Before joining the firm as a law clerk, he worked as a constitutional law research assistant for the University and as a litigation intern at a small Denver law firm.


Privacy Wars: Will Apple’s App Tracking Transparency Disrupt the Tech Industry?

Milgrom Team

Earlier this month, The Washington Post revealed that in 2016, Australian firm Azimuth Security unlocked the iPhone of the San Bernardino terrorist. The hack followed a public battle between Apple and the FBI over privacy versus national security interests, with Apple arguing that permitting the FBI to unlock the iPhone would be a breach of Apple’s privacy policy.

Increasingly, Apple’s position on customer privacy has become central to its brand.

“Privacy is a fundamental human right,” declares Apple on its website. “At Apple, it’s also one of our core values.”

Underscoring this stance, Apple has rolled out sweeping privacy measures for the iOS 14.5 update, which introduces a feature called App Tracking Transparency (ATT) that promises to change the way apps handle privacy. While Apple customers may appreciate these measures to protect personal data, tech giants whose business models depend on data-tracking advertisements find the features disruptive.

As described by Apple, “App Tracking Transparency will require apps to get the user’s permission before tracking their data across apps or websites owned by other companies. Under Settings, users will be able to see which apps have requested permission to track, and make changes as they see fit.”

In practical terms, this means that users will now have an opt-out choice to limit an app’s ability to track the user across other apps and websites. If the app would like to track a user, the user will receive a pop-up notification that reads, “X would like permission to track you across apps and websites owned by other companies. Your data will be used to deliver personalized ads to you.” A user will then be able to choose between “Allow Tracking” or “Ask App Not To Track.” As privacy is becoming more of a concern to customers, most privacy advocates expect the feature to be embraced by users, which could impact not only the advertising platforms but also the advertisers’ bottom lines. 

This promised change by Apple has already led to pushback. Google announced that it will stop using tracking tools that trigger the pop-up. Mail Online stated it may have to delete its Apple app and force readers to access content via its website. Facebook has bickered with Apple publicly and framed the decision as an attempt to undercut the business model used by Facebook and other free, ad-supported apps. 

While it’s easy to paint the complaints of pro-advertising companies as self-serving, it is certainly true that Apple’s privacy emphasis may help its bottom line as well. Apple is angling to be a one-stop tech company for everything. Whether it’s helping its users get in shape, collecting financial data, or mining other sensitive information, Apple wants its users to trust its hardware and ecosystem. Having such data requires strong privacy assurances to ensure customers are not creeped out. (Just ask the Amazon Halo what can happen if users don’t fully trust its privacy fundamentals.) In addition, this privacy move may increase Apple’s power over its app store and generate more money for Apple by funneling users to download applications through its app store, rather than through in-app ads.  

In a larger context, this fight highlights the drastically different privacy principles among tech companies. On one hand, companies such as Apple have argued that users’ control over their data is a fundamental principle and that the more the user controls, the better the experience will be for the customer. On the other hand, companies such as Facebook have argued that their advertisement model allows companies to better target ads at customers, thus giving customers a better experience by offering ads they might want to see, as opposed to ads that are irrelevant to the user. They have further argued that this model ensures that users will always be able to use the platform for free, whereas, without ad-supported products, Facebook users would have to pay to access the platform.

The effect of Apple’s new privacy features on the ad-supported platform model may be the most interesting outcome. If this update affects this model as much as Facebook or other SaaS providers expect it to, it may jeopardize the effectiveness of the model in general. If users are not “paying” with their data, the platforms may become less attractive to advertisers, who leverage this data to create more effectively targeted ads. In the absence of this advantage over traditional advertising, the utility of the platforms for advertisers may decline. This impact could force ad-supported providers to rethink their business models.

Then again, innovation is the bread and butter of tech. As Apple and other providers start to implement more stringent privacy measures, ad-supported platforms and advertisers may simply create new technology to evade privacy regulations in a never-ending arms race. To wit: Procter & Gamble may have already found a way around Apple’s privacy changes.
