The Battle for ATTENTION: Will AI Save The Advertising Industry in a Privacy-Driven Economy?

The Future of Data Privacy: Colorado's Latest Forges New Standards

By SCUBA Insights


In July 2021, the Colorado Privacy Act (CPA) emerged as a landmark in U.S. Data privacy legislation, and was the first conferring specific rights upon Colorado residents regarding their personal data and imposing stringent obligations on data controllers and processors. It was only the third state to grant comprehensive privacy laws to it's citizens, following California and Virginia.

Yet again, this law made waves as its recent amendments make it the first to include biometric data in its scope.


The Colorado Privacy Act
The Colorado Privacy Act mandates that businesses disclose to consumers the nature and purpose of data collection and processing, alongside mechanisms for individuals to safeguard their privacy. 


Initial Provisions

The CPA initially afforded consumers the right to access, correct, and/or delete data held by organizations. It also provided the right to opt-out or opt-in to targeted ads, the sale of sensitive data, and consumer profiling.


The laws initial definition of sensitive data encompassed:

  • Personal data: race/ethnicity, religion, mental or physical health condition, sexual orientation, citizenship, etc.
  • Personally Identifiable Information: Generic identification data that is used to identify an individual.


Recent Amendment and its Implications 

On April 17th, 2024, Colorado enacted H.B. 1058 which amends the CPA and makes Colorado the first state to extend a privacy law to neural data. More specifically, this bill expanded the scope of sensitive data to include biological and neural data. It defines neural data as generated from the measurement or analysis of an individual’s biological, physiological properties, body or bodily functions.


How does this apply to the advertising industry?

The bill has widespread implications for the use, and accuracy, of AI and technological advancement. There are two ways in which it bears impact upon both media owners and buyers, and the ad industry at large:


  • Data Privacy and Consent: Publishers and brands must now obtain explicit consent, compensate individuals, and clearly communicate the purpose for collecting neural and biometric data. This adds layers of compliance and may increase operational costs and administrative burdens.


  • Data Destruction: Media sellers and buyers must also establish and follow strict guidelines for the permanent destruction of biometric data once it is no longer needed, within 24 months after the last interaction, or at the earliest reasonable date. This necessitates robust data management and auditing systems.


It also bears larger implications within the privacy legislation talk tracks. This may include:


  • Enhanced Data Privacy Protections: The inclusion of neural data in privacy and data privacy legislation sets a new precedent, potentially prompting other states or countries to adopt similar measures. This could lead to a broader, more comprehensive approach to data privacy.


  • Data Protection Assessments: Businesses must conduct thorough data protection assessments before engaging in activities that involve data collection, such as targeted advertising or selling data. This increases the demand for privacy experts and compliance tools.


  • Annual Data Reassessment: The law's requirement for annual reassessment of the necessity and relevance of data storage places continuous pressure on businesses to justify data retention, emphasizing the need for ongoing data privacy management solutions.


Case Studies: CPA In Practice


Innovative Technologies
Apple’s new AirPods aim to measure electrical activity in the brain, transforming them into advanced healthcare devices. These devices could monitor users' physical and mental states, similar to the Apple Watch. Under the CPA, Apple must obtain explicit user consent for collecting and processing neural data, ensure transparency about data usage, and adhere to data minimization principles, collecting only necessary information for specified health monitoring purposes.


Pharmaceutical Applications

A pharmaceutical company might collect neural data to monitor how patients' brains respond to medications, improving treatment efficacy and safety. Under the CPA, these companies must obtain explicit user consent for collecting and processing neural data, ensure transparency about data usage, and adhere to data minimization principles, collecting only necessary information for specified purposes.


Impacts of the CPA

The CPA's influence has already extended to major brands like Google, which has introduced Restricted Data Processing (RDP) and will honor user opt-outs via Global Privacy Controls. 


With RDP, Google limits data usage to show only non-personalized ads for these new state laws. This allows Google to act as a data processor instead of a controller for partner data with RDP. Furthermore, it ensures compliance with the CPA and other state data privacy laws, such as in Florida, Texas, Oregon, and Montana, impacting ad targeting efficiency and personalization capabilities. 


To comply with the CPA’s universal opt-out mechanism, Google will respect Global Privacy Control signals sent directly from users. This will disable personalized ad targeting, and remarket lists for opted-out users. These changes could impact ad targeting efficiency and personalization capabilities in the future. The key takeaway: Google is taking steps to help its partners comply with increasing data privacy rules, even if it means limiting its own ad targeting.


The Colorado AI Act: Building on the CPA, Colorado introduced the Colorado AI Act, again, the first of its kind in the United States. It is set to take effect in February 2026. This legislation imposes new regulations on developers and deployers of high-risk AI systems, mandating transparency, consumer rights, and measures to prevent algorithmic discrimination. Businesses must inform consumers when AI systems are used and allow complaints regarding inappropriate use.


The Colorado AI Act is similar to the EU AI Act in applying a risk-based approach to regulating AI. However, there also are notable differences, such as the Colorado AI Act’s more limited territorial scope and more extensive requirements for deployers of high-risk AI systems. 


CPA Enforcement

The Colorado Attorney General's office enforces the CPA, imposing penalties of $20,000 per offense, up to a maximum of $500,000. Unlike California, Colorado does not provide a private right of action (individuals can’t sue), but treats violations as deceptive trade practices under the Colorado Consumer Protection Act. 


Looking Forward: Next Steps

Businesses adhering to California or Virginia privacy laws will find themselves better prepared for CPA compliance, and perhaps legislation of the future. To ensure adherence, businesses must clearly define the data they collect, its sources, and ownership to assess their obligations under the CPA, California Privacy Rights Act, and Virginia's Consumer Data Protection Act.


For brands looking to gain an edge, a sound privacy approach must act as a business conduit rather than an expensive infrastructure addition. With this in mind, platforms and solutions that go to the edge, and democratize access to data with schemaless ingestion and no-code queries, provide a significant advantage. These privacy-enhancing technologies provide in-the-moment insights for measurement and activation, while truly prioritizing privacy.


SCUBA Analytics is one of these solutions. Learn more today.


Stay Updated

Stay in touch with Scuba with fresh insights delivered to your inbox.

Ready to dive in?

We'd love to connect.

Talk to an Expert