DENVER — Over the past year, where the pandemic kept people separated from one another physically, the internet helped people connect mentally.
As entire cities shut down, people went to work, attended school, entertained themselves, shopped for themselves and more online.
As consumers clicked away, internet companies collected data and built online profiles of their customers to sell, trade and target advertising to. The practice is not new but has evolved over the years to allow companies to collect big swaths of data on each visitor.
“They’re not only collecting your payment information but what you’ve looked at and what you might look at, what websites you might’ve looked at before you visited that thing, where you go after you look at that thing,” said Amie Stepanovich, the executive director of Silicon Flatirons at the University of Colorado Boulder school of law.
Colorado lawmakers are now considering two bills that would add more guardrails around data collection and auto-renewal of subscriptions services.
If passed, Colorado would be one of the first states in the country to add these restrictions for the benefit of consumers.
The Colorado Privacy Act
Senate Bill 190, otherwise known as the Colorado Privacy Act, would require companies that collect a consumers’ personal data to offer an opt-opt function.
“In the digital world we leave trails, breadcrumbs, everywhere and what this bill is about is helping us manage that digital footprint and our privacy,” said Sen. Paul Lundeen, R-Monument, the bill’s co-sponsor.
Along with allowing consumers to opt out, the bill requires companies to:
-provide access to consumers to their personal data
-allow consumers to correct any inaccurate personal data that is being collected
-allow consumers to delete their personal data
-allow consumers to take their personal data and move it to another platform
The new guardrails would apply to companies that process the personal data of 100,000 customers or more per year or controls and sells the data of 25,000 consumers a year regardless of whether the company is headquartered in Colorado.
“If a lot of people opt out of the advertising, (companies) might be disincentivized from collecting all of that information to begin with,” Stepanovich said.
It requires companies that collect data to be transparent about their practices, to specify why they are collecting the data, to collect as little as possible, to secure it, to not discriminate with it, to avoid using the data for other purposes and to not collect sensitive data without consent.
Beyond that, the bill requires the Colorado Attorney General’s office to come up with the rules by 2024 to create a universal privacy control that would allow consumers to opt out of the data collection on all sites with one move.
“You as a consumer would be able under the global signal to say I opt out of everything, I don’t want to do it unless I specifically give you the right,” Lundeen said. “Protecting that information and giving individuals more control over that information is what this bill is all about.”
During committee hearings, opponents of the bill argued each state having different tech laws would make things difficult for companies to comply by creating a patchwork of rules.
Others would prefer for the creation of an opt-in mechanism, as it was originally drafted last year, rather than an opt-out option.
“There’s a difference between an opt out and an opt in,” Stepanovich said. “A lot of people just default to whatever they’re told, but it does provide an additional control for your information.”
Two states, California and Virginia have already passed similar data privacy laws while several others are currently considering similar pieces of legislation.
Stepanovich says more steps are stepping up to act because the federal government has not been able to pass meaningful tech laws in years. Until Congress can come together on reforms, she believes this will continue to be the trend.
However, there are two portions of the bill Stepanovich is concerned with. First, a portion of the bill does away with local preemption for cities and counties that passed ordinances on the processing of personal data.
She believes local ordinances can be an important test for new laws and points out that city councils can pass rules much quicker than the state for a tech industry that’s constantly evolving.
“If something happens at the local level and it’s successful that can be sucked up into a state law which could then be into a federal law
Another portion of the bill she is concerned with deals with private right of action or allowing consumers to sue if their rights have been violated; the current bill foesn’t allow for that. Instead, consumers would have to go through the Attorney General’s office for privacy violations.
The bill already passed senate unanimously and was heard in a house finance committee Tuesday.
Dating Apps and Auto-renewal Subscriptions
A second tech bill works in two parts and would offer more leeway for people who subscribe to dating services and people involved in auto-renewal subscription services.
The first part of House Bill 1239 would require in-person and online dating services to allow consumers to have a three-day grace period to cancel their memberships not including weekends or holidays.
The contracts also must include allowances for cancellation in the event of death or disability or if the buyer moved to an area not covered by the dating service.
Rep. Cathy Kipp, D-Fort Collins, is the bill’s co-sponsor. She’s been married for more than 30 years and says she’s never tried an online dating site but has plenty of constituents who have. Some of them have had good experiences and others told her they felt like they were taken advantage of.
The bill also requires companies to have an online section talking about dating safety awareness and a way for consumers to report issues/concerns with the service.
The second portion of the bill requires subscription services to provide 25-40 day warning before auto-renewing a service and billing the consumer and receiving affirmative consent before doing so.
It also requires the companies to provide written acknowledgment of the terms of service.
The bill would apply to big companies like Netflix and Amazon memberships but also smaller companies like magazine or newspaper subscriptions, wine of the month clubs.
Kipp has had these auto-renewals happen to her and believes customers at least deserve to be notified before being charged.
“To just take the money out of my account, I mean, I might have chosen to renew anyway, but not having that option I thought was problematic,” she said. “They have to give you an easy way to opt out of that auto renewal as well.”
The bill does not apply to banks, insurance companies, airlines or cable television providers. If a consumer feels their rights have been violated, they would have to take their complaints to the Attorney General’s office, which could then impose a civil penalty on the company.
HB 1239 passed the state legislature with Democrats voting for it and Republicans mainly voting against it and now awaits the governor’s signature.