Colorado is the most recent state in the United States to pass comprehensive data privacy laws that control how companies handle people’s sensitive data. The new legislation in Colorado forces companies to comply with requests from consumers to delete sensitive information. Additionally, it also forces companies to ask for permission to hold data like Social Security numbers and more. While these laws only affect residents of the state, experts say the success of bills like the Colorado Privacy Act—and similar bills in California and Virginia—could lead to sweeping changes on a federal level. “These state laws are important because they are putting increasing amounts of pressure on Congress to finally get something done in the way of a federal data privacy law while laying down the blueprint for what such legislation should look like on the federal level,” Attila Tomaschek, a researcher and privacy expert with ProPrivacy, told Lifewire in an email.
Laying Foundations
Tomaschek says the limits that we’re seeing imposed on companies by states that pass these bills will give Congress and other national ruling bodies a good idea of what is working and what should be expanded. “In the absence of federal data privacy legislation that protects all Americans equally, it has been up to individual states to enact laws that protect their residents. Colorado is the latest, but certainly not the last state to step up and establish legislation that gives consumers more rights to control how their data is used,” Tomaschek explained. Of course, having privacy laws on a national level would prove far more valuable than state-based laws. For one, state laws don’t provide equal protection for all Americans throughout the country. Even as other states start to pass their own forms of privacy protection acts, it’s possible they could pick and choose the parts they want to support. Other issues, Tomaschek notes, could negatively affect consumer data privacy and possibly even put that data at risk. “One major concern about having multiple individual state laws on the books and no overarching federal legislation is that businesses may run into compliance issues and confusion over their obligations under each individual, differing state law,” Tomaschek said. “This could potentially lead to certain negative effects on consumer privacy if companies end up having trouble complying appropriately with a patchwork of data privacy laws.”
Keeping Up
This trend of data privacy laws comes in the wake of the EU’s General Data Protection Regulation (GDPR), pushing for stricter control over consumer data. The GDPR initially was implemented in 2018, but recent moves by big tech companies like Apple have helped highlight the need for consumers to have more control over how their data is collected and used. More and more users are learning that they don’t have to share the data that they’ve been freely giving companies for years, and it’s forcing the hands of government bodies. Colorado may only be the third state to pass a privacy protection act, but other states like Texas and Washington state are working on their own laws. Additionally, we’ve also seen states like Nevada making changes to older laws, trying to bring them more up to date. While states seem to be racing to get more privacy laws in place, Tomaschek says legislators must approach things correctly. Otherwise, these new laws could effectively be “watered down” before they even go into practice. One primary way to avoid this is to operate on an opt-in basis instead of forcing consumers to opt-out. “If a state’s legislation concerning data collection operates on an ‘opt-out’ basis—meaning that consumers must expressly opt-out of data collection by companies to prevent them from collecting their data on websites—the overall strength of the legislation is effectively watered down,” he explained.