On July 7, 2021 the state of Colorado became the third U.S. state to have a comprehensive consumer privacy law, joining California and Virginia. The Colorado Privacy Act (CPA) becomes effective on July 1, 2023. The passage of this law is notable in that similar bills in over 20 other states over the past few years have failed to pass. Its passage may stimulate renewed efforts in other states to pass consumer privacy legislation. The Uniform Law Commissioners have been at work to develop a template for state action in an effort to promote uniformity on the subject.
The CPA governs the sale and management of consumers’ personal data. The California and Virginia laws do as well. All three are related to Europe’s General Data Protection Regulation in that they employ similar concepts and controls.
Businesses affected
The law applies to a business that produces or delivers commercial products or services that are intentionally targeted to residents of Colorado, and that controls or processes the personal data of 100,000 or more consumers per calendar year. In addition, the business must derive revenue (or receive a discount on the price of goods or services) from the sale of personal data which it processes or controls. “Processor” and “controller” are defined terms under the CPA, as they are under Virginia’s law; they are not, however, important for the discussion that follows.
Whether this new law affects your business (or your clients’ businesses) depends on your type of business or your clients’ type of business. Similar to Virginia’s consumer privacy law, the CPA has an exemption for financial institutions regulated under the Gramm-Leach-Bliley Act (GLBA) – this is considered an entity exemption. This provision would seem to eliminate most financial institutions from coverage. When it comes to exemptions for entities regulated by HIPAA (the Health Insurance Portability and Accountability Act), the three states differ somewhat, with California and Virginia exempting HIPAA-regulated entities from coverage. Colorado does not; instead, Colorado exempts from disclosure certain HIPAA-regulated information (not an entity exemption, but rather an exemption for the information itself).
Among the three state laws, there are also differing levels of exemptions for human resources data and non-consumer data, with Colorado and Virginia seeming to exempt both types of data from disclosure. California does currently, but that will change in 2023 when the more-robust California Privacy Rights Act becomes effective.
The state privacy laws also contain provisions for consumers to opt out of activities such as the sale of their personal data, the sharing of personal information, targeted advertising, and others. Additionally, the laws contain different provisions for the data of a consumer under the age of 13 and other data protections. For risk managers, the laws contain provisions for conducting data protection assessments. For vendor management professionals, the laws contain provisions for what must be considered in a contract with other business entities if they meet the definition of a controller.
Controlling data collection
Most interesting in the new Colorado law is the requirement that businesses specify the purpose for collecting and processing the data, how long they’ll keep the data, and how they’re securing it. There is also the duty to minimize the amount of data collected to begin with, and to avoid using the data that is collected for a purpose other than the one for which it was needed. This may go against the age-old belief that “more data is better,” or that once the data is obtained for a legitimate purpose it can be used in any way whatsoever. In this day of data analytics, it might be difficult for businesses to rein in the slicing and dicing of data for other purposes once it’s obtained. For entities not enjoying an entity-level exemption, this restriction will require communication to IT, InfoSec, business development, and marketing departments, as well as procedure updates and re-training. There doesn’t seem to be wiggle room with these provisions. Once a business states the purpose for collecting the data, the business has to make sure it collects only the amount and type of data needed for that purpose, and cannot use the data for something other than that purpose. The documentation of compliance with these provisions will be key. If there is a small silver lining to this apparent cloud, it’s that the less data a business has, the less that can be compromised in a breach. It’s likely that data breaches are a driver of data privacy laws.
Expanded consumer rights
From a consumer perspective, the new Colorado privacy law provides them with the right to access their data, to correct it, and to delete it. The law does not provide consumers with a private right of action – meaning consumers cannot sue a business under this law.
The meaning for banks and Fintechs
What does this all mean to banks and Fintechs? For the most part, if they are covered under GLBA, they likely enjoy an entity exemption from Colorado and Virginia, but the customers they bank may not enjoy any exemptions at all. Risk managers at financial institutions and those who perform new account due diligence have to be concerned with their customers’ compliance with state privacy laws as they Know Their Customer.
A financial institution that is banking a Fintech has to understand whether the Fintech has an entity exemption, that is, whether the Fintech itself is covered by GLBA. GLBA is over 20 years old and does not clearly apply to all Fintechs. That question is such an esoteric topic that a Fintech should obtain a legal opinion on the subject, and a financial institution that banks a Fintech should do the same.
In late 2019 the Federal Trade Commission indicated that Fintechs (and other businesses) that facilitate financial operations on behalf of financial institutions may actually be financial institutions and thus be subject to GLBA. This is definitely a topic for attorneys, but risk managers at financial institutions should be aware.