Colorado has become the third state in the country to pass a comprehensive data privacy law, joining California and Virginia.  Assuming the governor signs—as he is widely expected to do—the Colorado Privacy Act (the “CPA”) will go into effect on July 1, 2023.

Similar to the California and Virginia laws, the CPA affords Colorado “consumers” certain privacy rights and imposes duties on the “controllers” and “processors” of those consumers’ personal data.  While the CPA generally follows the model set by the Virginia law, it contains important differences that will put Colorado at the forefront of consumer privacy.

Thresholds to Applicability

The CPA defines consumer to mean an individual who is a Colorado resident acting in an individual or household context, and does not include an individual acting in a commercial or employment context.  The definition of consumer therefore has a built-in exclusion for the employment and business-to-business contexts.

The CPA only applies to controllers—defined to mean any person that, alone or jointly with others, determines the purposes for and means of processing personal data—that conduct business in Colorado and meet at least one of two thresholds:  (1) controlling or processing the personal data of 100,000 or more consumers during a calendar year; and/or (2) deriving revenue from the sale of personal data and processing or controlling the personal data of 25,000 or more consumers.  Personal data processed by a “processor” on behalf of a controller counts towards those thresholds.

The CPA contains several substantive exclusions to applicability.  For example, unlike the California model’s limited exclusion, the CPA contains a full exclusion for financial institutions subject to the federal Gramm-Leach-Bliley Act.  The CPA also does not apply to certain types of health and patient information governed by HIPAA.

Consumer Rights Under the CPA

The law grants Colorado consumers specific rights over the way their personal data is processed by controllers.  Personal data means “information that is linked or reasonably linkable to an identified or identifiable individual.”  Publicly available or otherwise de-identified information, along with employment records, is not included within this definition.

The rights afforded to consumers include: (1) the right to opt out of certain processing of personal data; (2) the right to access personal data; (3) the right to correct inaccurate personal data; (4) the right to delete personal data; and (5) the right to data portability.

Consumers can exercise these rights by submitting formal requests, and controllers must act on the request within 45 days.

Duties of Controllers and Processors

The duties of controllers include: (1) the duty of transparency; (2) the duty of purpose specification; (3) the duty of data minimization; (4) the duty to avoid secondary use; (5) the duty of care; (6) the duty to avoid unlawful discrimination; and (7) duties regarding “sensitive” data.

With respect to the duty of transparency, controllers will need to ensure that their privacy policies clearly and meaningfully disclose specific types of practices, as well as the manner in which consumers may exercise their rights.  The CPA does not require a “Do Not Sell My Information” page like the California law, but the Colorado Attorney General will be promulgating rules that detail the technical specifications for one or more universal opt-out mechanisms.

With respect to sensitive data, controllers must obtain consent to collect personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data that may be processed for the purpose of uniquely identifying an individual, and the personal information of a known child.  In the case of a child below thirteen years old, consent should be given by the child’s parent or legal guardian.

Processors are required to adhere to the instructions of the controller and assist the controller in meeting its obligations under the CPA.  Processors must also enter into a contract with the controller setting out various criteria relating to what personal data will be processed, how the data will be processed and retained, and audit/compliance rights.

Data Security and Data Protection Assessments

Both controllers and processors are required to implement appropriate technical and organizational measures to ensure a level of security proportionate to the risk.  For many companies, this type of data security requirement already exists for personally identifiable information under Colorado’s data security law.  However, personal data under the CPA is significantly broader than personally identifiable information under Colorado’s data security law.

The CPA also has the new requirement of performing “data protection assessments” for controllers whose processing presents a heightened risk of harm to a consumer.  Processing that presents a heightened risk of harm is defined to include processing for the purpose of targeted advertising and profiling, selling personal data, and processing sensitive data.  When performing the data protection assessment, controllers will have to weigh the benefits against the risks to the rights of the consumer, as well as potential safeguards that may mitigate those risks.  Controllers must make the data protection assessments available to the attorney general upon request.

Rulemaking and Enforcement

Unlike the Virginia law, the attorney general has the authority to promulgate rules for the purpose of carrying out the CPA.  Whereas the authority to promulgate rules generally implies discretion, the attorney general is required to adopt rules relating to the technical specifications for universal opt-out mechanisms by no later than July 1, 2023.  The attorney general also has the discretion to adopt rules that govern the process of issuing opinion letters and interpretive guidance to develop an operational framework for businesses that includes a good faith reliance defense of an action that may otherwise constitute a violation of the CPA, which must be done by January 1, 2025 if at all.

The CPA expressly provides that it does not create a private right of action for a violation of the CPA.  Instead, the attorney general and district attorneys will have exclusive enforcement powers, with violations punishable by civil penalties set forth in C.R.S. § 6-1-112.  Under that statute, penalties can be up to $20,000 for each violation, and each consumer involved constitutes a separate violation. The maximum penalty is $500,000 for one related series of violations.

*          *          *

Colorado’s entry into the privacy law world will require significant changes for many businesses.  The attorney general’s rules will provide more guidance, but businesses should, at the very least, begin ensuring that they have a full grasp of their data collection, usage, and documented policies so that they can prepare to meet their compliance obligations.

Ballard Privacy & Data Security partners Phil Yannella, Kim Phan and Greg Szewczyk recently wrote an article on managing compliance with the growing patchwork of state privacy laws for the Media Law Resource Center (MLRC).  The article was made available at last week’s Legal Frontiers in Digital Media virtual conference sponsored by the MLRC and will appear in an upcoming edition of “Legal Frontiers in Digital Media,” MLRC Bulletin (June 2021).  A copy of the article is available here: Continue Reading Managing Compliance with a Patchwork of State Privacy Laws

2021 has so far been a year of conflicting impulses in biometrics law: two proposed bills in New York and Maryland would impose substantial new requirements on private entities, but in Illinois a proposed amendment would rein in that state’s existing Biometric Information Privacy Act (BIPA). Continue Reading The State of Proposed Biometrics Laws

On May 12, 2021, President Joe Biden issued an Executive Order to implement new policies aimed at strengthening the nation’s cybersecurity. The Executive Order was issued in response to the recent SolarWinds, Microsoft Exchange, and Colonial Pipeline cybersecurity incidents, which were, according to the White House, “a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals.” Continue Reading President Biden’s Cybersecurity Executive Order Has Implications for the Private Sector

On April 29, 2021, the Federal Trade Commission (FTC) hosted a virtual workshop, entitled “Bringing Dark Patterns to Light,” to examine “dark patterns.” In her opening remarks, Acting FTC Chairwoman Rebecca Kelly Slaughter broadly described “dark patterns” as “user interface designs that manipulate consumers into taking unintended actions that may not be in their interest.” Chairwoman Slaughter highlighted several examples of dark patterns, including confusing cancellation procedures that force users to navigate multiple screens, online applications that hide the material terms of a product or service through the use of inconspicuous drop down links and auto-scroll features, and the addition of products to users’ shopping carts without their knowledge or consent. Continue Reading FTC Workshop Signals Increased Regulatory Focus on Dark Patterns

In a thoughtful opinion that diverges from how other circuit courts have addressed the issue, the Second Circuit recently issued a ruling clarifying the circumstances when data breach plaintiffs can rely on fear of identity theft to establish Article III standing. Continue Reading Second Circuit Ruling Clarifies When Data Breach Plaintiffs Have Adequately Plead Article III Standing

In a unanimous decision, the U.S. Supreme Court limited the reach of the Telephone Consumer Protection Act (“TCPA”) by narrowing what technology qualifies as an Automatic Telephone Dialing System (“ATDS”).  Among other restrictions, the TCPA prohibits calls to phone numbers using an ATDS without prior express consent.  The TCPA defines an ATDS as “equipment which has the capacity (A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.”

In Facebook v. Duguid, the Court held that the key phrase “using a random or sequential number generator” modifies both “to store” and “to…produce.”  Therefore, automatic dialing technology only qualifies as an ATDS if it has the capacity to store numbers “using a random or sequential number generator” or to produce numbers “using a random or sequential number generator.”

Although the Court repeatedly mentioned “capacity,” it likewise highlighted current use.  Practically then, “equipment that merely stores and dials telephone numbers” (as Justice Sotomayor, writing for the Court, described the devices that would be an autodialer under the plaintiff’s interpretation), no longer necessarily runs afoul of the TCPA’s ATDS prohibitions.  Importantly, as the Court makes clear, the ruling does not affect the TCPA’s prohibition on calls that use “an artificial or prerecorded voice,” such as prerecorded voice messages.

While this ruling will likely curb litigation, clients should remember that they can still face stiff statutory penalties for violations of other TCPA provisions unaffected by the ruling as well as other federal and state statutes that restrict communication.  The Supreme Court’s opinion can be found here.

We will soon be releasing a podcast discussing the ruling and will publish a separate blog post to announce the release.

Sixth Post in an Extended Series on Legislative Changes to BSA/AML Regulatory Regime

As we have blogged, the Anti-Money Laundering Act of 2020 (“AMLA”) contains major changes to the Bank Secrecy Act (“BSA”), coupled with other changes relating to money laundering, anti-money laundering (“AML”), counter-terrorism financing (“CTF”), and protecting the U.S. financial system against illicit foreign actors.

A recurring theme of the changes offered by AMLA is information sharing. AMLA mandates that the Department of Treasury’s supervision priorities must include “appropriate frameworks for information sharing among financial institutions, their agents and service providers, their regulatory authorities, associations of financial institutions, the Department of the Treasury, and law enforcement authorities.” The increased emphasis on information sharing is accompanied by provisions requiring confidentiality and data security protocols.

The Financial Crimes Enforcement Network (“FinCEN”) is already beginning to address AMLA’s focus on the sharing and protection of information, as it explained in its recent detailed Report on FinCEN’s Innovation Hours Program, which focuses on fostering technological innovation in AML/CTF compliance.  In this post, we explore AMLA’s expansion of information sharing, corresponding privacy and data security protections, and the tensions that lie therein.

Information Sharing Provisions

AMLA is replete with new avenues for information sharing. We address those provisions here, which fall into three categories: (1) the information-sharing provisions of the Corporate Transparency Act (“CTA”), (2) expansions to information sharing via public-private partnerships, and (3) expansions to information sharing within financial institutions, specifically between a domestic and foreign branch.

Information Sharing under the CTA

Arguably, the most important information-sharing provisions are in the CTA. The CTA establishes a beneficial ownership (“BO”) database housed within the Department of Treasury. This database will include a BO’s full name, date of birth, current address, and a unique identifying number from an acceptable identification document (or an acceptable FinCEN identifier). In a previous blog post in this series, we discussed how the new BO database may relieve financial institutions of some customer due diligence obligations and could allow regulators to spend more time on investigation of substance, rather than determining an entity’s BOs. Although the BO database will be stored at the Department of Treasury, the CTA provides for interagency, state, cross-border, and public-private sharing of BO information to assist in law enforcement and prosecution efforts. If requested, access will be given to regulators and law enforcement only to the information needed and only to those individuals that require access. Financial institutions may also satisfy customer due diligence requirements by requesting information from the BO database, but only if given consent by the reporting company.

Although we discuss AMLA’s privacy and data security provisions in detail below, the CTA’s privacy and data security provisions are important enough to highlight here. While the privacy and data security regulations described by the CTA are likely not to be published until later in 2021, their general contents are explained by AMLA.

The CTA requires each requesting agency to establish and maintain a secure system to store BO information, establish privacy and data security protocols, and certify compliance with the Secretary of Treasury on a semi-annual basis. The regulations will also limit access to the BO database information in two ways. First, the BO database information will only be available to requesting agencies upon written request describing the reasons for the request. Second, access to the BO database information is limited to personnel who must go through appropriate training, use identity verification to obtain access to the BO database information, and must also be authorized—by agreement with the Secretary of Treasury—to access that information.

Finally, the CTA requires regulations enforcing strict compliance with minimum data security protocols and access requirements. The regulations will require recordkeeping by the requesting agency showing what information was requested (and by whom), audits by the requesting agency and the Secretary of Treasury, and any other additional safeguards deemed necessary by the Secretary of Treasury. Violations of these regulations may lead to criminal or civil penalties.

Public-Private Partnerships

AMLA also codifies public-private partnerships for information sharing in three ways. First, AMLA creates the “Office of the Domestic Liaison,” which reports to FinCEN’s Director. The Office of the Domestic Liaison will contain a Chief Domestic Liaison and regional Domestic Liaisons. The Domestic Liaisons will be a conduit between the federal functional regulators and BSA officers at financial institutions. Importantly, the Domestic Liaisons will receive confidential feedback from financial institutions on BSA examinations and will help coordinate public-private information sharing matters. Having individuals dedicated to facilitating and strengthening these public-private partnerships may help foster more, and more useful, information sharing.

Second, AMLA acknowledges the FinCEN Exchange, a “public-private information sharing partnership among law enforcement agencies, national security agencies, financial institutions, and FinCEN” that has existed since December 2017. AMLA codifies this ad hoc program into the statutory scheme. Although AMLA does not provide details, it appears the FinCEN Exchange will continue to share information on “broader typologies” and “high priority issues” for AML/CTF issues with financial institutions.

Third, AMLA instructs the Secretary of the Treasury to “convene a supervisory team of relevant Federal agencies, private sector experts in banking, national security, and law enforcement, and other stakeholders to examine strategies to increase cooperation between the public and private sectors.” This supervisory team may use its diverse perspectives to offer insights into future avenues for information sharing within public-private partnerships.

Information Sharing within Financial Groups

AMLA also contains a pilot program allowing financial institutions to share information related to suspicious activity reports (“SARs”), as well as the fact that a SAR has been filed, with foreign branches. This would allow financial institutions to more effectively combat cross-border money laundering or terrorist financing. While the animating regulations must be developed, the contours of the pilot program are relatively clear. The pilot program will allow information sharing with foreign branches, but will impose penalties on foreign branches for public disclosure of the information shared. The pilot program will also not permit financial institutions to share information with foreign branches in China, Russia, or jurisdictions that are state-sponsors of terrorism or are subject to sanctions.

Privacy and Data Security Provisions

Along with information sharing, AMLA provides additional provisions on privacy and data security. Most notably, AMLA creates the role of Bank Secrecy Act Information Security Officers (“BSA ISOs”), each of whom will serve within the federal functional regulators, FinCEN, and the IRS. The BSA ISOs will be central to marrying the new information-sharing provisions to data security protocols. To perform this function, the BSA ISOs will help create data security regulations and internal protocols, be consulted on information-sharing policies and data security concerns, and may help develop new technologies to strengthen future data security.

They will also be given a seat at the table on the Subcommittee on Information Security and Confidentiality, an AMLA-created subcommittee within the Bank Secrecy Act Advisory Group. AMLA instructs that the Subcommittee will “advise the Secretary of the Treasury regarding the information security and confidentiality implications of regulations, guidance, [and] information[-]sharing programs.” In addition to the BSA ISOs, the Subcommittee will also include the heads of the federal functional regulators and representatives from financial institutions, law enforcement, and FinCEN. The Report on FinCEN’s Innovation Hours Program details that FinCEN’s BSA ISO and the Subcommittee will work closely with the Bank Secrecy Act Advisory Group on Innovation and Technology to “support responsible AML/CFT innovation.” The combination of voices hopefully will provide the necessary BSA expertise, technological know-how, and industry experience to advise the Secretary of Treasury into the future.

The information-sharing provisions discussed above also contain their own requirements. Whether information sharing is interagency, between federal and state or federal and foreign authorities, or between public and private actors, the privacy and data security provisions remain the same:

  • AMLA requires the collecting agency to, by regulation or otherwise, establish protocols for privacy and data security;
  • AMLA requires the collecting agency to impose its protocols for privacy and data security on those receiving the information;
  • AMLA restricts sharing to the narrowest possible group of individuals on the narrowest possible amount of information and generally restricts its use to AML/CTF functions; and
  • AMLA suggests the collecting agency should revisit its privacy and data security protocols often, by requiring annual or biannual reports or by requiring the protocols to be created by regulation (as opposed to baking them into the statutory scheme).

Key Takeaways

AMLA provides more avenues for information to be shared between agencies, states, foreign law enforcement, and financial institutions. As the opportunities for information sharing expand and personal, confidential information continues to spread, concerns over privacy and data security multiply—especially when that information has national security implications.

AMLA acknowledges the centrality of information sharing as a regulatory response to increasingly complex, cross-border and interagency schemes. Allowing more—and more seamless—information sharing may give regulators and law enforcement the ability to use that information to more effectively fuel their investigations and track down wrongdoers. Information sharing will also give financial institutions insight into regulatory focus and industry trends, theoretically allowing the financial institutions to better track and triage AML/CTF priorities.

But increased information sharing is necessarily in tension with privacy and data security concerns. With more people given access to sensitive information, there are more chances for inadvertent disclosure or nefarious actors to gain access. Moreover, to the extent a small subset of agencies or vendors may serve as a hub for information-sharing purposes, lessons from the SolarWinds hack apply (which we blogged about). A data security weakness in one is a weakness for all. Finally, sharing across borders brings its own set of challenges, including translating protocols linguistically and technologically and ensuring maintenance of proper systems and data security protocols.

Pursuit of increased information—and increased information sharing—almost always leads to heightened privacy and data security concerns. But these concerns need not lead to barriers. AMLA contains a number of provisions that require creation of protocols and procedures, mandate continuing maintenance, narrowly restrict access, and solicit ideas from a variety of perspectives. These are sensible solutions on paper, but only time will tell whether this legislative vision will create both robust information sharing and adequate privacy and data protection.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. Please click here to find out about Ballard Spahr’s Anti-Money Laundering Team. Please also visit CyberAdviser, our blog focused on the latest news and developments in privacy and cybersecurity law, produced by the members of our Privacy and Data Security Group.

The latest wrinkle in the ever-changing world of data privacy litigation is the recent surge in state wiretap claims. What began as a trickle over the summer of 2020 has grown into a clear wave as plaintiffs have filed dozens of lawsuits against prominent tech, eCommerce, entertainment, and retail companies under state wiretap laws.  These lawsuits seek statutory damages for the alleged interception of consumers’ electronic communications through the defendant’s use of various website analytic tools.  Insofar as the use of website analytics tools is ubiquitous on the internet, privacy litigators are carefully watching the progress of these state wiretap claims. If successful, state wiretap claims could become the next TCPA, threatening virtually every company with a sizable web presence in the U.S. Continue Reading Exploring the Rise in State Wiretap Claims

After a pandemic-related hiatus in 2020, a number of U.S. states have proposed new data privacy laws in 2021 – and several are very close to passage.  Virginia’s proposed data privacy law appears to be the closest and is likely to be signed into law by Governor Northam in the near future.  Washington and Florida’s legislatures also have privacy bills that are making their way through the legislative process, with a good likelihood of becoming law this year.  The following is an overview of some of the similarities and differences among the three bills most likely to become law in the near future.

In general, the Washington Privacy Act (“WAPA”), the Virginia Consumer Data Protection Act (“VCDPA”), and Florida’s proposed bill contain the following key similarities and distinctions:

Applicability Thresholds
  • WAPA: Conducts business in WA and: (i) controls or processes the personal data of 100,000 consumers or more; or (ii) derives over 25% of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more. (The WAPA would apply to nonprofit corporations starting July 31, 2026.)
  • VCDPA: Conducts business in VA and: (i) controls or processes the personal data of 100,000 consumers or more; or (ii) processes or controls personal data of 25,000 consumers or more and derives over 50% of gross revenue from the sale of personal data. (Nonprofits are exempt from the provisions under the VCDPA.)
  • FL Proposed Bill: Conducts business in FL and: (i) has global annual gross revenues of more than $25 million; (ii) annually buys, receives for business purposes, or shares for commercial purposes the personal data of 50,000 or more consumers, households, or devices; or (iii) derives 50% or more of its global annual revenues from selling or sharing personal data. (Nonprofits are exempt from the provisions under Florida’s proposed bill.)

Contractual Requirements Imposed Between Data Controllers and Processors?
  • WAPA: Yes
  • VCDPA: Yes
  • FL Proposed Bill: Yes

Consumer Rights
  • WAPA: Right to access, correct, delete, and opt out of the sale of personal data or certain types of processing of personal data (e.g., targeted advertising, profiling for decisions that have legal consequences).
  • VCDPA: Right to access, correct, delete, and object to the sale of personal data or certain types of processing of personal data (e.g., targeted advertising).
  • FL Proposed Bill: Right to access, correct, delete, and opt out of the sale or sharing of personal data.

Risk Assessments (or similar measures)
  • WAPA: Required
  • VCDPA: Required
  • FL Proposed Bill: Not required

Private Cause of Action
  • WAPA: No
  • VCDPA: No
  • FL Proposed Bill: Yes (limited) – private plaintiffs can seek damages of not less than $100 and not more than $750, whichever is greater, if their non-encrypted personal information or email address (together with information that would allow account access) is subject to unauthorized access due to a business’ failure to implement reasonable security measures.

Consent
  • WAPA: Generally not required except for the processing of sensitive data.
  • VCDPA: Required where a consumer has restricted processing or a risk assessment indicates the risks of processing outweigh the benefits to the consumer.
  • FL Proposed Bill: Required before a business may enter a consumer in a financial incentive program.

Opt-Out
  • WAPA: Required for targeted advertising, sale of personal information, or profiling decisions that have legal effects.
  • VCDPA: Required for targeted advertising, sale of personal information, or profiling.
  • FL Proposed Bill: Required for the sale or sharing of personal information.

Exceptions
  • WAPA: Does not apply to personal data regulated under HIPAA, the FCRA, the GLBA, the DPPA, the FERPA, the Federal Farm Credit Act, clinical trial data collected pursuant to the Common Rule (45 C.F.R. 46), and employment-related data.
  • VCDPA: Does not apply to protected health information under HIPAA, personal data regulated under the GLBA, employment-related data, certain types of data regulated under the FCRA, personal data under the DPPA, and clinical trial data collected pursuant to the Common Rule (45 C.F.R. 46).
  • FL Proposed Bill: Does not apply to personal data regulated under HIPAA, the FCRA, the GLBA, the DPPA, the FERPA, clinical trial data collected pursuant to the Common Rule (45 C.F.R. 46), and employment-related data.

Cure Period?
  • WAPA: Yes – 30 days after receipt of a warning letter from the Attorney General.
  • VCDPA: Yes – 30 days after receipt of notice of alleged noncompliance.
  • FL Proposed Bill: Yes – 30 days after being notified in writing of alleged noncompliance.

Damages/Penalties
  • WAPA: Up to $7,500 per violation.
  • VCDPA: Up to $7,500 per violation.
  • FL Proposed Bill: Not less than $100 and not more than $750 per consumer per incident or actual damages, whichever is greater. The Attorney General can seek up to $2,500 for each unintentional violation or $7,500 for each intentional violation.

As noted in the table above, the WAPA, VCDPA, and Florida’s proposed bill contain similarities with one another, such as imposing contractual requirements between data controllers and processors, providing various consumer privacy rights such as the right to access, correct, delete, and opt out of/object to the sale or certain types of processing of personal data, and requiring transparent privacy notices concerning the collection and sharing of personal data.  Further, the WAPA, VCDPA, and Florida’s proposed bill do not impose a fiduciary duty on data controllers, unlike the proposed New York Privacy Act, which is currently pending in the New York state legislature.  One notable difference between the WAPA and the VCDPA and Florida’s proposed bill, however, is that the WAPA and the VCDPA do not include a private right of action whereas Florida’s proposed bill allows consumers to bring a private cause of action for actual or statutory damages.

The VCDPA has passed in both the state House and Senate and its enactment appears imminent.  If enacted, the VCDPA would become effective on January 1, 2023.  The WAPA and Florida’s proposed bill are currently pending review by their respective legislatures, but momentum appears strong for passage in 2021.