New Colorado Laws Aim to Protect Consumer Privacy

This story by Faith Miller appeared on Colorado Newsline on June 18, 2021.

With COVID-19 accelerating global digital activity — and amid recent high-profile hacks of major companies — more Coloradans may be thinking about where their personal data lives online.

Coincidentally, state lawmakers from both parties helped pass major new data privacy protections this year. With Senate Bill 21-190, Colorado would become the third state in the country to pass a law regulating how companies are allowed to use consumers’ personal information. The two other states are California and Virginia, according to Greg Szewczyk, a Denver-based privacy and cybersecurity attorney at Ballard Spahr.

California was the first to pass a data privacy law — the California Consumer Protection Act, which is the only one currently in effect, Szewczyk said. And Colorado’s law, in some ways, goes further than that.

“Under the CCPA, which only applies to California residents, you have the right to access your personal information and to delete personal information and to opt out of the sale of personal information,” he explained. “The Colorado law has all of those things as well, but it also gives consumers the right to correct personal information, the right to data portability — so the right to receive your data in some sort of portable form.”

Notably, Szewczyk added, SB-190 also lets consumers opt out of being profiled. Under the legislation, “profiling” means using someone’s personal information to evaluate their economic situation, health, or other factors. Consumers would be able to opt out if such profiling determines whether they can access “goods or services or education or housing — things along those lines,” Szewczyk said.

The push for more data privacy is part of a growing shift, Szewczyk said: Until now “there hasn’t really been that much that has specifically regulated how companies can use data, and I think we are on the trend to try to restore some power back to consumers.”

The bipartisan team that sponsored SB-190 included Sens. Robert Rodriguez, a Denver Democrat, and Paul Lundeen, a Monument Republican, along with Reps. Monica Duran, a Wheat Ridge Democrat, and Terri Carver, a Republican from Colorado Springs.

If signed into law by Gov. Jared Polis, SB-190 would direct the Colorado attorney general to write rules for companies to follow in order to comply with the legislation. The state attorney general or district attorneys could penalize companies that violated SB-190’s requirements using existing laws on deceptive trade practices.

A long list of tech heavyweights including Amazon, AT&T, Comcast and Facebook wanted changes to SB-190, but it passed unanimously in the Senate and by a vote of 57 to 7 in the House.

Another data privacy bill grew out of concerns that the Division of Motor Vehicles was sharing the personal information of immigrants without proper documentation.

Senate Bill 21-131 would prevent state agencies from sharing non-public personal identifying information with federal immigration authorities except when they’re ordered to do so by a court of law. Sen. Julie Gonzales and Rep. Serena Gonzales-Gutierrez, both Democrats from Denver, crafted the bill when they learned state employees helped Immigration and Customs Enforcement obtain undocumented Coloradans’ personal information.

In 2013, a state law allowed Colorado residents without U.S. citizenship or lawful permanent resident status, as well as people with temporary permission to live in the country, to apply for and receive driver’s licenses through the Division of Motor Vehicles.

According to the Colorado Immigrant Rights Coalition, or CIRC, 150,000 undocumented people subsequently supplied their names, addresses and other personal information to apply for driver’s licenses. But in the years following Senate Bill 13-251’s passage, community members began to raise concerns about how their information was being used.

CIRC requested public records showing communication between immigration authorities and the Colorado DMV. Through the Colorado Open Records Act request, CIRC obtained 235 emails showing “consistent and deliberate communication” between DMV staff members and ICE agents, sent between January 2018 and May 2020. The emails showed DMV staff helping ICE monitor, locate and in some cases detain undocumented people, according to CIRC.

May 2020 guidance issued by Polis in response to community concerns directed state agencies not to share information with federal agencies solely for immigration enforcement. If signed into law, SB-131 would strengthen the governor’s guidance and incorporate it in state statutes.

SB-131 addresses “that foundation of trust that has been broken here in Colorado because of the interactions that we have seen between ICE and state departments such as the DMV,” Gonzales-Gutierrez told Newsline. “We want to rebuild that trust, and that’s really what the bill was about, was making sure we have guardrails in place so that trust can be rebuilt.”

In the Senate, five Republicans joined Democrats to vote in favor of SB-131. The bill passed the House by a party-line vote of 41-23, with an amendment to clarify reporting requirements for the Department of Revenue. Minority Leader Hugh McKean of Loveland was the only Republican to vote for the bill in the House.

McKean sponsored his own data privacy bill, House Bill 21-1111, with Democratic Sens. Jeff Bridges of Greenwood Village and Gonzales. It would convene an advisory group to research which state agencies store Coloradans’ personal identifying information, who has access to the data, and what kind of work would be required to store and protect all of that data in one central place.

The original bill would have gone a lot further, requiring state agencies that house the personal data of Colorado residents to give notice to those people every 90 days. Coloradans would have been able to request that the state dispose of any paper or electronic documents with their information.

The rewritten HB-1111 would instead have the advisory group report to the General Assembly on its findings and recommendations for potential legislation by Jan. 1, 2023. The advisory group would consist of members of the Government Data Advisory Board, a representative of the attorney general’s office, and experts on personal identifying information who are appointed by the chief information officer.

HB-1111 passed the House and Senate with unanimous support from all lawmakers present when the votes were recorded.

House Bill 21-1214 would provide privacy protections for certain people who’ve interacted with the criminal justice system. The legislation would update the process of sealing criminal records, create an automatic process to seal eligible drug convictions, and retroactively allow adults and juveniles to petition for relief from collateral consequences to improve their chances for success after incarceration.

A person’s criminal record often bars them from housing and employment opportunities long after they have completed their sentence for a crime, and HB-1214 aims to eliminate these so-called “collateral consequences” that can linger for years and impact a person’s life and livelihood.

While HB-1214 first passed the House without bipartisan support, four Senate Republicans later joined Democrats to vote in favor of the bill on May 27. It will become law if Polis adds his signature.

Polis signed House Bill 21-1236 on June 7. Along with aiming to bolster cybersecurity in state government, the bill allows lawmakers on the Joint Technology Committee to request information about data privacy and data security from state agencies.

Moe Clark contributed reporting.

Post Contributor

The Pagosa Daily Post welcomes submissions, photos, letters and videos from people who love Pagosa Springs, Colorado. Call 970-903-2673 or email pagosadailypost@gmail.com