<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=654132&amp;fmt=gif">

Colorado House Votes on SB190, Senate Reconciliation is Next

Updated 6/9/21 @ 11am: The Colorado Senate unanimously voted 34-0 on concurrence and final passage of SB190. It now heads to Gov. Polis, who will have 10 days to sign or explicitly veto it.CPA applies to businesses collecting data on more than 100,000 individuals, or those earning revenue from the data of more than 25,000 consumers. It includes standard data subject rights, an opt-out consent model with a universal opt-out mechanism, and a right to cure, all subject to normal AG rule-making and enforcement.

CPA is effective July 1, 2023 unless vetoed by the Gov. The biggest difference when compared to Virginia or CPRA is the broad requirement (with fewer exemptions) for data protection privacy assessments.

A more specific compliance issue Colorado presents, according to attorney David Zetoony, is the required data protection assessment. Such examinations are also required in the Virginia Consumer Data Protection Act, but Colorado does not exempt companies from these assessments like Virginia.

Original Post

The Colorado Privacy Act SB190 has passed the Colorado House of Representatives by a vote of 57-7. While the bill must return to the Senate for final reconciliation of amendments made by the House, it’s most likely. Unless the Governor vetos it, which is improbable, the amendments will be reconciled in the next few days.

All Posts

Round Three of Proposed Modifications to the CCPA

The California Consumer Privacy Act (CCPA) proposed updates continue to roll in as the third set of proposed modifications released by the California Department of Justice were submitted for comment through October 28, 2020. According to Michael Hellbusch of Rutan & Tucker, the latest modifications are a big deal for a lot of businesses and their websites. However, the biggest news is that the AG proposed these modifications at all especially being so close to the November 2020 election.

Modification to Section 999.306 – Offline Notice of Opt-Out

Hellbusch says, “the proposed modifications add an offline notice requirement when a business that collects personal information in the course of interacting with a consumer offline. The offline opt-out notice is required even if the business only sells the personal information it collects online via cookies or otherwise.” 

Businesses, especially those in brick-and-mortar settings, should not assume that they do not need to provide offline notices just because the only personal information they sell is collected or sold online.  In other words, if the business sells personal information, the opt-out notice must be provided at all points of collection of personal information, both online and offline. 

Modifications to Section 999.315 – Easier Methods to Opt-Out

“The modifications to this section are clearly intended to prevent dark patterns or convoluted opt-out processes,” said Hellbusch. As the proposed updates would require a business’s method for submitting requests to opt-out be easy for consumers to execute along with minimal steps to opt-out, such as the following:

  • The process for submitting a request to opt-out shall not require more steps than the business’s process for a consumer to opt-in to the sale of personal information, after previously opting out
  • A business must not use confusing language in the opt-out process
  • A business shall not require consumers to click through or listen to reasons why they should not submit a request to opt-out prior to confirming their request
  • The business’s process shall not require the consumer to provide personal information that is not necessary when submitting a request to opt-out
  • Lastly, upon clicking the “Do not sell my personal information” link, a business must not require the consumer to search or scroll through the text of a privacy policy or similar document, or webpage to locate the mechanism for submitting an opt-out request

Modifications to Section 999.626 – Authorized Agent

The modifications to the authorized agent section reinforce the need to deal with authorized agents. It also clarifies that all agents must have written proof of permission from the consumer to submit the request. In addition, businesses may require the consumer to directly verify their own identity with the business and/or directly confirm with the business that they provided the agent permission to submit the request.

Regardless of these new modifications, Truyo’s Privacy Rights platform already includes the ability to provide a link in signage or in paper form to accommodate offline opt-outs along with the workflow to process authorized agents.

Conflicting Timeline

The California Privacy Rights Act, also known as Proposition 24, is currently on the ballot in California on November 3, 2020, which will amend any CCPA regulations including these proposed modifications. The timeline associated with the proposed modifications conflicts with the CPRA and comes at an odd time, considering CPRA is likely to pass in less than a month’s time.

Although, businesses will have more considerations to keep in mind in devising a pass/no pass strategy when it comes to the CCPA vs. CPRA. We will keep you informed as new updates arise in the new set of modifications.

Monique Becenti
About Monique Becenti
Monique Becenti is the Product Marketing Manager at Truyo. She has deep technical knowledge in technology with an emphasis on data privacy.
Recent Posts

Colorado House Votes on SB190, Senate Reconciliation is Next

Updated 6/9/21 @ 11am: The Colorado Senate unanimously voted 34-0 on concurrence and final passage of SB190. It now heads to Gov. Polis, who will have...

4 Tips for Choosing the Right Privacy Tool

First, there was technology, then came the data collection. As that technology rapidly grew more intelligent and pervasive, so too did the data. As th...

The California Privacy Protection Agency Is Not Wasting Time

In a meeting agenda released today, the California Privacy Protection Agency made it clear that they are going to move quickly and start implementing ...

Update: Senate Vote on Colorado Privacy Act is In

The Colorado State Senate has unanimously passed the Colorado Privacy Act which will now move to the State Assembly for voting. The current session co...