Legislature considering bevy of new consumer privacy rights

Colorado Senate Minority Leader Paul Lundeen speaks at a Colorado Chamber of Commerce Technology Alliance meeting on Jan. 25 while his privacy-bill co-sponsor, Rep. Lindsey Daugherty, appears virtually behind him.

Less than eight months after Colorado implemented a groundbreaking set of rules aimed at letting consumers control their personal data, the Legislature is awash in a slew of new privacy proposals designed to keep up with the rapid pace of technological advances.

On Monday, a bipartisan quartet of legislators introduced a bill to give new protections to consumers’ and employees’ biometric data like fingerprints, voiceprints or retina scans that are being used more often for identification. And on Tuesday, a House committee unanimously advanced a bill to stop the sale or distribution of biological and neural data without consumers’ consent at a time when more medical and commercial devices are recording brainwaves.

Another proposal — Senate Bill 41 — would require enhanced protections by companies that handle the personal data of minors. And one of its sponsors, Democratic Senate Majority Leader Robert Rodriguez of Denver, is working on another measure to regulate artificial intelligence, though no details have come forward yet of what that will involve.

“Chasing the policy horizon”

Senate Minority Leader Paul Lundeen, the Monument Republican who co-authored the recently enacted Colorado Privacy Act and who is sponsoring the biometric and children’s privacy bills, is concerned about the proliferation of personal data and the potential for its misuse. The needle he is seeking to thread is allowing for innovation that uses and collects such data while also protecting consumers from the “potential nefarious outcome” of the unauthorized sale of such data.

“We are chasing the policy horizon as we continue to move some of these things forward,” Lundeen told the Colorado Chamber of Commerce’s Technology Alliance at a meeting on Thursday. “There are principles of privacy that deserve to be honored. And if we create confusion in the law, there are principles that may be lost.”

Passed in 2021 and then implemented after two years of rulemaking, the Colorado Privacy Act made the state one of the first in the U.S. to require companies that collect personal data to let consumers see it, correct it and delete it. Applying to companies doing business in Colorado that collect or sell large amounts of personal data, it requires consent from consumers for sales of their data and mandates creation of universal opt-out mechanisms that can block all websites from keeping such data beyond the time of transaction.

Privacy changes coming quickly

The Colorado Chamber and other business organizations have expressed concern that the new batch of changes to the CPA is coming so soon after it was put into effect, meaning the law is being amended before it’s even had time to be tested. But Jeff Riester, director of legislative affairs for the Colorado Attorney General’s office, argued during a hearing on the biological/neural data bill Tuesday that the act was written to undergo such rewrites as new technology dictates.

“We think this is a great step forward for the CPA,” Riester told the House Judiciary Committee about House Bill 1058, which is sponsored by Democratic Rep. Cathy Kipp of Fort Collins and Republican Rep. Matt Soper of Delta. “It was always the goal that additional policies or regulations would be added on top of the CPA.”

Maybe the most substantial regulations this year could come from HB 1130, the biometric identifiers bill sponsored by Democratic Rep. Lindsey Daugherty of Arvada, Republican Rep. Mike Lynch of Wellington, Lundeen and Democratic Sen. Chris Hansen of Denver. With businesses increasingly employing biometric identifiers to verify customer identities, streamline transactions and control access to their properties, consumers are growing wary of how their biometric data could be manipulated if stolen, the bill notes.

As with the CPA, HB 1130 requires that companies inform consumers that they will be collecting biometric identifiers and explain the purposes for which the biometric identifiers will be used. It bars them from selling or trading the identifiers without consumer consent. And it requires that they create guidelines for destruction of the identifiers no more than one year after the consumer interacted with the company.

Business concerns with privacy bills

Loren Furman is president and CEO of the Colorado Chamber of Commerce.

Colorado Chamber President/CEO Loren Furman argued that one of the biggest pain points of the bill is the requirement for employers to receive consent from workers to collect and use their biometric identifiers. The bill permits usage only to allow access to secure locations or hardware/software applications and to record the start and end of shifts, with a provision barring use of the data for employee location tracking or the tracking of how much time the worker spends using a hardware or software application.

HB 1058 is more focused, as it defines the terms “biological data” and “neural data” and inserts them into the CPA to spell out what data requires explicit permission for transmission and sharing. While the federal Health Insurance Portability and Accountability Act (HIPAA) bars the sharing of medical records containing such data, the number of consumer devices that collect that same data is increasing rapidly, and those devices are not subject to privacy restrictions in any other state yet.

While the bill may seem designed for futuristic applications, neural technology is advancing at an astonishing pace, Kipp told the committee on Tuesday. In the past year, scientists have been able to recreate a Pink Floyd song by tracking the brain waves of the person thinking of it and have been able to translate thoughts based upon brain activity, all as at least 150 companies now are selling therapeutic neural devices.

“The most important data”

Jared Genser — a human-rights attorney and co-founder of the Neurorights Foundation — noted that implantable medical devices already can translate 25 words per minute from brainwaves at 94% accuracy. While commercial wearable devices only operate at 40% accuracy now, he suspects they will catch up to implantable devices in only a few years as future generations of smartphones may be equipped to respond to users’ thoughts rather than to their touches on a screen.

“We want to put this line in the sand that no one should cross,” said Dr. Rafael Yuste, a professor of neurological science at Columbia University. “It’s the most important data that we have.”

Leaders from several industry coalitions agreed with the premise of the bill but worried Tuesday that it is written so broadly as to potentially chill innovation of products that collect such data.

Threading the needle

Colorado state Rep. Cathy Kipp speaks to a Colorado Chamber of Commerce policy council about some of her bills earlier this month.

Ruthie Barko, executive director of TechNet for Colorado and the central United States, said the regulations should apply only to biological data that can be used to identify a specific individual and that the definition of neural data should be narrowed to exclude consumer-facing technologies like virtual-reality games. And Andrew Kingman, general counsel for the multi-industry State Privacy & Security Coalition, agreed that limitations on use of neural data should apply only to information gleaned from the peripheral nervous system rather than the broader central nervous system.

In response, sponsors added an amendment narrowing the definition of biological data to that which “could be used singly or in combination with other data for identification purposes.” They did not narrow the definition of the neural system as requested, however.

Kipp said that her bill and future bills will seek to guard consumers without stifling this new technology — an effort that business groups will be monitoring closely.

“Nobody wants to quash technological innovations,” she said. “What we are looking to do is protect people’s privacy so we can go even bigger and ensure this technology has the privacy protections that it needs.”