Colorado Senators Won't Change Data Minimization Requirements in Privacy Law
Colorado senators removed language from an immigration civil rights bill that might have revised the Colorado Privacy Act (CPA) to include a Maryland-style data minimization standard. The Senate voted 22-13 on Monday to pass SB-276, sending it to the House.
Sign up for a free preview to unlock the rest of this article
However, under one amendment adopted before passage, senators struck data minimization language from Section 20 of the April 15 version of the bill, according to a snapshot of the amendment obtained by Privacy Daily. The previous language said a “controller’s collection of personal data must be limited to what is reasonable, necessary, and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains.” The CPA currently says that collection must be “adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed.”
The amendment left in place language that sought to prohibit controllers from selling consumers' sensitive data without opt-in consent. Existing law requires that type of consent only to process the sensitive data.
Another amendment added a new definition of precise geolocation data. The term means “information derived from technology that accurately identifies the present or past location of a device that links or is linkable to an individual within a radius of” 1,850 feet. It includes GPS coordinates and cellsite location information but not “the content of communications or any data generated by or connected to advanced utility meeting infrastructure systems or equipment for use by a utility.”
On the floor, SB-276 co-sponsor Sen. Michael Weissman (D) said one of the amendments struck “some language that had become a point of contention,” while introducing a definition of precise geolocation data would align Colorado with California’s stronger geolocation privacy language.
The bill’s Section 20 “ensures that Big Tech cannot monetize our data,” said Sen. Julie Gonzales (D), another bill sponsor, on the Senate floor Monday.
Future of Privacy Forum Senior Director Keir Lamont wrote in his newsletter Friday, before the amendments were adopted, that “distinguishing consent requirements between processing sensitive data and selling sensitive data may address concerns about consent ‘bundling’ and take-it-or-leave-it offers.” He added that the changes to data minimization requirements could have raised “novel complications.”