In this Capitol Report:
Is Your Company Prepared for the Colorado Privacy Act?
The Colorado Chamber kicked off its November Labor and Employment Council meeting with experts to talk about the Colorado Privacy Act, SB 193 from the 2021 legislative session. If your company handles large amounts of consumer data, this new law will likely apply to you!
The comprehensive data privacy bill has been the subject of rulemaking and implementation, and it will go into effect on July 1, 2023. Our guest speakers on the topic were Jeffrey Riester, with the Colorado Office of Attorney General, and Victoria Edwards & Derrick Maultsby, attorneys with the Law Firm of Jackson Kelly. They discussed how this new law will impact Colorado businesses and what they can do to prepare.
According to Edwards, in 2021 alone there were 27 states that looked into passing data privacy laws. Virginia and Colorado were the only two that were successful, becoming the second and third states to pass such legislation after California.
About the bill and current rulemaking status:
In passing Colorado’s version of the bill, some of the major disputes were:
- The issue of consent versus opting out.
- Dispute over the definition of sale. This was ultimately expanded to match California’s definition.
- Expanding the consumer’s right to deletion.
In terms of implementation, there are several rules that need to be developed before the bill takes effect. One issue that still needs to be fully addressed in rule is the universal opt-out mechanism of the bill. This provision gives the consumer the right to opt-out with one button that satisfies all opt-out obligations. The button must be clear and conspicuous and the opt-out must represent the consumer’s affirmative consent, be consumer-friendly, and accurately authenticate the consumer. This universal opt-out will have particularly significant implications for the marketing industry. It must be implemented by January 1, 2024.
The bill also expands four primary consumer rights: 1) the right to opt out of processing certain personal data, 2) the right to know if a company is using or processing their data, 3) the right to access, correct and delete personal data and appeal decisions, and 4) the right to obtain a copy of personal data.
Business and individuals that are subject to the Colorado Privacy Act will be required to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that outlines categories of personal data collected, the purpose for processing the data, categories of data shared with third parties, categories of third parties data is shared with, and how consumers can exercise their rights under the Privacy Act. The bill will require businesses to take “reasonable measures” to secure personal data, limit data collection to what is adequate, relevant and reasonably necessary, conduct data protection assessments, among other provisions.
There will likely be more revisions to the Privacy Act rulemaking before the effective date, and it may require some clean-up legislation as well. There is no private right of action under the law, and it will be enforced by the Colorado Attorney General and District Attorneys.
Who does the Colorado Privacy Act apply to?
This new law will apply to individuals and organizations conducting business in Colorado (or intentionally targeting Colorado residents with commercial products or services) that either control or process the personal data of:
- 100,000 consumers or more; or
- 25,000 consumers or more, and derive revenue from personal data sales (including by receiving a discount on the price of goods or services)
Types of data excluded from the bill:
- B2B exchange of data
- Data for hiring purposes
- Certain exempt data already regulated by federal law (like HIPPA).
- De-identified data that can’t be linked to an individual.
- Publicly available information.
- Fictitious names/pseudonyms.
Entities excluded from the bill (under certain circumstances):
- Public utilities
- Colorado state colleges
- Colorado government entities
- Financial institutions
- Air carriers
- National securities association registered pursuant to the Federal Securities Exchange Act of 1934
- The regulated business or individual bears the burden of demonstrating that it qualifies for an exemption.
The bill does NOT exclude:
- HIPPA-regulated entitles
- Small business: The bill generally applies to businesses dealing with large processing of data, however, so it likely doesn’t apply to most small businesses. However, there is no revenue threshold – so it could apply to business of any size.
What should businesses be doing now to prepare for the Colorado Privacy Act?
What should Colorado companies be doing ahead of the Privacy Act’s July 2023 implementation?
Determine if and how the law will apply to you. If you collect, maintain, buy, own, or use personal data in large quantities…
- Pay attention to how you use that data and does it count as a “sale”
- How much information are you working with?
- Who has access to that data and for what purpose?
- How long have you kept that data?
- Where and how is it stored? Is it secure with encryption?
- Examine current use of emerging technologies that could be deemed sensitive data – like facial recognition.
- Develop processes for responding to consumer requests and appeals.
- Conduct privacy and security risk assessments.
- Ensure your vendors have cyber liability insurance.
- Make sure you have an appropriate contract in place with venders handling data.
- Start talking with vendors about how “universal opt-out mechanism” could be implemented.
- Start talking with vendors on how to implement consent mechanisms if you collect sensitive date or if you sell personal data.
- Develop employee training as needed.
Public Option Update: What Businesses Need to Know
The Colorado Chamber’s Health Care Council this week hosted Kyle M. Brown, Deputy Commissioner for Affordability Programs at the Colorado Division of Insurance, to provide an update on the state’s “Colorado Option” rulemaking. The program stems from HB 1232 passed in the 2021 legislative session, which requires that insurers offer lower cost standardized plans to the small group and individual health care markets.
The state is tasked with defining the parameters of the plan and the Division of Insurance began holding stakeholder meetings over the summer. The division held a total of 15 public meetings with 2 regulatory comment periods. The most recent draft of the plan was shared with stakeholders on November 4th.
Details of the current draft public option plan:
- The cost-sharing elements of the division’s proposal includes a mixture of copays and coinsurance, with a number of services pre-deductible.
- The plans will be tiered from Bronze, Silver, and Gold. Brief overview below:
- 2023 Gold Plan: $1,500 deductible, $7,700 max out of pocket
- 2023 Silver Plan: $5,000 deductible, $8,550 max out of pocket
- 2023 Bronze Plan: $7,000 deductible, $8,700 max out of pocket
- The division also intends to focus on addressing three key racial health disparities impacting Coloradans: maternal and infant mortality, diabetes, and tobacco cessation. Additional details below:
- $0 unlimited primary care office visits
- $0 mental health office visits
- $0 prenatal and postnatal visits in Gold/Silver plans
- $0 diabetic supplies and $5 copay for Diabetes Education
The public comment period for this proposal ends today, November 12th at 5pm. The plan will be revised after public comment, then will be adopted via emergency rulemaking. It will take effect January 1, 2022.
You can view DOI’s proposed rules and other key rulemaking information here.
Other health care policy updates:
In Thursday’s policy council meeting, the Colorado Chamber also reviewed several anticipated bills upcoming in the 2022 legislative session, including:
- Physician “gold card” law to make changes to prior authorization process
- Out-of-network alignment legislation for state and federal laws
- Healthcare worker assault protection legislation
- Allowing minors to bring claims to recover economic damages
- Mandatory reporting updates and clarifications
- Mental health hold changes
2021 Colorado Chamber Performance Awards
The Colorado Chamber Performance Awards have been a time-honored tradition that take place during the Association for Colorado Chambers of Commerce (ACCC) annual conference, which took place in Fort Collins October 27-28. The awards are a chance for local chambers of commerce from around the state to reflect on the successes from the prior year, spur ideas among chamber professionals, and simply celebrate what chambers were able to accomplish in the prior year.
And what a year 2020 was! In addition to the pandemic, it’s important to recall that Colorado faced its own set of challenges when some of the largest wildfires ever recorded in Colorado’s history ravaged the state. Yet through it all, our chambers were at the center holding it all together, and providing a lifeline to the lifeblood of our communities—our businesses. Our chambers got creative, they provided important and timely resources and information to their constituents and their communities, and they advocated tirelessly on behalf of the businesses that provide critical goods, services and jobs to our state.
At the Colorado Chamber, we think all chamber presidents, along with their teams, boards and volunteers deserved an award for 2020, but certain chambers stood out. The honorees for the 2020 Colorado Chamber Performance Awards were:
- Highest Increase in Members: Estes Chamber of Commerce
- Runner-up for Highest Increase in Members: Superior Chamber of Commerce
- Highest Increase in Member Dues Revenue: Estes Chamber of Commerce
- Runner-up for Highest Increase in Member Dues Revenue: Southern Colorado Women’s Chamber of Commerce
- Best Communications Campaign: The Arvada Chamber of Commerce for its “Badass Women of Arvada” campaign
- Government Affairs Award: Vail Valley Partnership for its leadership role in the Save Small Business Coalition (SSBC) initiative
- Best Idea: Grand Junction Area Chamber of Commerce for the Mesa County Five-Star Program
- Team Member of the Year: Kara Massa with the Parker Chamber of Commerce
- CEO of the Year: Diane Schwenke, CEO of the Grand Junction Area Chamber of Commerce
- President’s Award: Kami Welch, CEO of the Arvada Chamber of Commerce and immediate past-president of ACCC
Congratulations to all of our chamber peers throughout the state of Colorado!