New State Privacy Laws Impose Higher Restrictions on Processing Sensitive Personal Data

With the passage of the Colorado Privacy Act, Colorado joins Virginia and California as early adopters of state-level privacy legislation. These laws impose higher restrictions on companies processing specific sensitive categories of data that reveal information such as sexual orientation and ethnic origin. However, the law remains unclear on what constitutes “revealing” information. For example, do the data need to be explicit or is implicit information protected as well?

Grindr, for instance, infamously leaked the identity of a Catholic priest using its platform earlier this year. The magazine that outed the individual had purchased “commercially available” location data from the app. So, does the fact that the user data leaked from an LGBTQ dating app count as “revealing” his sexual orientation? The U.S. Conference of Catholic Bishops seemed to think so – the priest resigned amid allegations of “possible improper behavior.”

Privacy law in the United States is developing quickly; companies collecting, maintaining, and using personal data must comply with a confounding meshwork of state, federal, and industry standards. As a result, companies collecting, maintaining, and using potentially sensitive data (as that term is defined in several state statutes), particularly companies serving marginalized communities, may wish to watch this space especially carefully. The difference between classifying a user table as high or low risk could mean thousands of dollars in fines and incalculable damage to people’s lives.

*This post was co-authored by C. Blair Robinson, legal intern at Robinson+Cole. Blair is not yet admitted to practice law.