In a letter to Attorney General Weiser, SIIA highlighted the following points that we believe would make the Colorado Privacy Act (CPA) stronger in its implementation:
- Publicly available information. Many of our members depend on information in the public domain. The current version of the CPA does not appropriately address free speech concerns in its attempt to exempt publicly available information from the definition of personal data. We recommend a definition that adds widely available media – a defined phrase that clearly exempts the republication of information in databases of newspapers, and in unrestricted social media feeds – in addition to information released by the government, which is part of the existing statutory definition.
- Amend the language to strengthen consumer rights and freedoms. Without this language, covered entities will lack the necessary flexibility to consider when the fulfillment of an individual request may infringe on the privacy of others, especially in circumstances when devices are shared by more than one individual. Other states like Virginia and California take an approach to remedy this problem.
- Add accommodation for infeasible consumer requests. We recommend that Colorado include additional guidelines in statute to denote the action taken by data controllers in the event of technically infeasible or unfounded consumer requests, in an effort to harmonize consumer requests with business compliance.
- Clarify provisions categorized as “sensitive data”. We recommend clarifying the definition of sensitive data to ensure that consumers and businesses are aligned on the expectations for how sensitive data is treated.
  - First, the Colorado bill should include a clear and concise definition of biometric data. We recommend aligning with the definition of biometric data in Virginia’s privacy law to avoid confusion in practical application of the definition and help in the implementation of the Colorado bill, while avoiding costly implementation challenges.
  - Second, we recommend that the Colorado bill clarify that sensitive data includes data collected from a child, rather than more generally about a child. This change would help the bill to focus on the issue of concern without leading to implementation challenges ancillary to children’s data.
You can read more in the full letter.