What’s Working: Colorado ranked as one of the top states for protecting consumer data, but it still gets a C+


Colorado has the second strongest law in the land that protects consumer privacy and data, according to a new report card from a consumer public interest group. But the state also scored a mere C+ for its efforts.

Though it has initiated consumer-friendly rules — such as one that will let Coloradans press a button to opt out of having their personal data collected and sold online starting in July — the state’s protections could be much stronger, said R.J. Cross, director of the Don’t Sell My Data campaign for the U.S. Public Interest Research Group, a progressive advocacy group based in Denver. Most of the 14 states with privacy laws on the books received a D or F rating. As for the other 36 states with no laws? She calls them “incomplete.”

Since 2018, 44 states have considered comprehensive consumer privacy bills, but only 14 states have passed them so far, according to the U.S. Public Interest Research Group, a progressive advocacy group based in Denver. Colorado’s was rated as the state with the second strongest consumer privacy law. But PIRG still gave Colorado a C+ because it has room for improvement.

“We have high standards because the stakes are really high,” Cross said. “Right now, there is a secret economy that is gathering data about us and selling it and sharing it to a bunch of companies we’ve never heard of and doing all sorts of stuff with it. And the more companies that hold data about us and the more companies are selling it, the more likely our information is going to be exposed in a breach or hack and end up with identity thieves, fraud and damage to your credit score. There’s a lot of things that can happen.”

The Colorado Consumer Privacy Act, passed in 2021, attempts to return control of a person’s personal data to the individual. The first set of rules went into effect in July. Last month, the Colorado Attorney General approved the first tool to give consumers a single universal opt-out button. Global Privacy Control, a technical standard developed by a coalition of privacy-minded tech companies and organizations, has instructions on how to integrate the tech into a website. It’ll send a signal to stop collecting unnecessary data. The AG could approve more such tools before July 1.

Companies that control the data from 100,000 Colorado residents or more must disclose their data collection practices and allow customers to ask what personal data is being collected. Businesses must also let customers correct or delete their data, allow them to download it and opt out of it being sold or shared with third parties that use it for targeted advertising.

Why Colorado got a C+

But Cross said Colorado doesn’t let consumers take a company to court for violating their privacy rights nor does it restrict controversial data use by making its “data minimization” language clearer. “Colorado’s includes data minimization language but it’s very industry friendly and essentially says that a company can gather most types of data and do pretty much whatever they want as long as they disclose it in a privacy policy,” she said. “That’s not really being transparent with people about what’s happening with their data.”

Business groups like the Colorado Chamber of Commerce opposed efforts to roll out a universal opt-out tool, calling it “premature” and saying it doesn’t allow companies to “sufficiently (and) accurately confirm the identity and residency of the consumer,” according to a Dec. 10 letter to the AG’s office. Such applications also don’t “ensure consumers make an informed choice” and customers may wind up with permanently deleted accounts.

According to the AG’s office, companies found to be in violation will be sent a letter to fix the issue within 60 days. But Colorado Attorney General Phil Weiser said he plans to work with businesses to make compliance easier.

“And for those businesses who make honest mistakes, we will work to enable them to comply with the law,” he said. “(While) for those willfully violating the law, we will work to enforce it vigorously.”

Weiser called PIRG’s C+ grade the result of “a demanding curve.” “I view this as they’re giving us feedback that we have room to improve and I’m always open to suggestions on how we can improve when you grade us against other states. They’re saying we’re No. 2. And I say, we try harder,” he said.

➔ Read the Colorado report, U.S. report

➔ 50 million users already use Global Privacy Control. Consumers can install browser extensions like the Electronic Frontier Foundation’s Privacy Badger, Abine’s DeleteMe and others, or switch to private browsers from DuckDuckGo or Firefox, which are all part of the GPC coalition. The tools help users see what sites track personal data and then block or allow the trackers.

We’ll look further into consumer privacy in Colorado and how the law protects residents and applies to businesses in future stories. If you have concerns and comments, please share them by emailing [email protected]

At an event last spring, Rep. Cathy Kipp, a Fort Collins Democrat, met neurologist Sean Pauzauskie in her district. Pauzauskie had concerns about what’s happening with products that scan brain waves and translate them into something humans can understand.

“Things like an Australian cap that they’ve just come with, a skullcap, which if you wear it, has a 40% accuracy rate on the thought-to-text translation,” Kipp said. “The technology for mind reading, frankly, and reading your thoughts is coming along very rapidly. And the place the technology is going next is to influence your thoughts and behavior.”

In other words, she added, if it helps you quit smoking, that’s great. But if the company collects customer brain waves and tries to mine or sell them, then what? There are about 30 products out right now and many are already reselling customer data, she said. “You don’t want people poking around your mind otherwise,” she said.

A man tests a device that uses brain activities and virtual reality to control other machines at the annual World Robot Conference at the Beijing Etrong International Exhibition and Convention Center, Wednesday, Aug. 16, 2023. (AP Photo/Ng Han Guan)

House Bill 1058, also called Protect Privacy of Biological Data, passed the House 61-1 Friday and moves on to the Senate. Kipp, the prime sponsor of the bipartisan-backed bill along with Rep. Matt Soper, R-Delta, said she wants Colorado to set limits as to how a person’s neural and biological data, such as genetic information, can be shared and sold in the future. The bill seeks to amend the state’s Consumer Privacy Act to include neural and biological data as sensitive personal data to be protected.

If it passes, Colorado would be the first state to protect brain rights, according to Kipp. Chile passed a law in 2021.
