Introducing the Colorado Privacy Act (CPA), which came into effect on 1 July 2023, and made Colorado the third U.S. state to get its very own comprehensive data privacy law when it was signed into law in July 2021. But hold on tight because the CPA is not just following in the footsteps of its California and Virginia counterparts—it's ready to blaze its own trail, setting stricter standards for data privacy (and higher penalties, too).
Who does the CPA apply to, and what does it mean for your business?
What is the 2023 Colorado Privacy Act?
At its core, the CPA aims to protect the privacy rights of Colorado residents and bolster data security measures. It sets guidelines for how businesses handle sensitive data, and what they are and aren’t allowed to do with it. Consumers, on the other hand, gain new rights and more control of their data.
Consumer rights under the CPA in a nutshell:
- Opt-out of targeted advertising
- Opt-out of the sale of personal data
- Access personal data
- Correct and update personal data
- Delete personal data
- Portability of personal data
For businesses, it means they are required to obtain consent before engaging in various data processing activities.
What are “data processing activities”?
- Any kind of collection or storage of sensitive or personal data (special considerations for data regarding children),
- the sale of personal data (for money or for other “valuable considerations“, like getting a discount on goods or services),
- targeted advertising,
- and profiling.
Essentially, the CPA ensures that businesses respect individuals' privacy preferences and limits unnecessary data processing.
In another refreshing move, the CPA places a strong emphasis on data minimization. It encourages businesses to only retain personal data that is necessary, adequate, and relevant to their specified processing purposes. This means periodically reviewing data storage practices and ensuring that information like biometric identifiers, photographs, or voice recordings is stored with a purpose and not kept just for the sake of it.
The CPA aims to strike a balance between empowering consumers with control over their data and helping businesses navigate the evolving data privacy landscape.
The scope of the CPA: Who does it apply to?
The CPA follows the philosophy of “go big or go home” and casts its net wide, covering a broad range of organizations.
To be more specific, that means all entities that conduct business in Colorado, produce or deliver commercial products or services intentionally targeted to Colorado residents, and meet specific thresholds outlined in the CPA.
To determine applicability, the CPA takes into account both consumer thresholds and revenue. Unlike the California Consumer Privacy Act (CCPA), the CPA does not have a monetary threshold for applicability. Instead, it focuses on the volume of data processing, with two possible variants. If a business:
- controls or processes the personal data of 100,000 or more consumers during a calendar year,
- or if it sells personal data and processes or controls the personal data of 25,000 or more consumers, it’s caught in the CPA’s net.
And there’s an interesting twist – non-profits are not excluded from the CPA's scope (another difference between the CPA and the California and Virginia laws).
Of course, no law would be complete without some exemptions. For example, financial institutions subject to the Gramm-Leach-Bliley Act, certain healthcare-related data, and data governed by FERPA (Family Educational Rights and Privacy Act) don’t need to worry about the CPA. Businesses already subject to federal privacy laws should carefully review the CPA's exemptions to determine their applicability.
The purpose: Understanding the CPA’s intentions
Now that we know what it is and who it applies to, let’s take a closer look at the driving forces that led to the creation of Colorado’s new data privacy regulation.
The primary motivation for the CPA is to safeguard individuals’ privacy rights in the ever-evolving digital landscape. With the increasing reliance on technology there is a pressing need to ensure that consumers have control over how their information is handled.
Another crucial goal of the CPA is to protect sensitive data from data breaches and unauthorized access by cyber criminals.
The CPA aims to find a balance between giving individuals control over their personal information and encouraging responsible data handling by businesses. Its goal is to create a transparent and privacy-focused environment where consumers feel confident sharing their data.
How to comply with the CPA
Complying with the Colorado Privacy Act (CPA) may sound like a daunting task, but fear not! We're here to help you navigate the compliance journey and ensure that your business is on the right track. Let's dive into some key points to consider.
To kick-start your compliance efforts, here are a few practical steps to consider:
1. Data protection assessments and risk mitigation
Regular assessments are a fundamental CPA requirement. Assessments should cover all aspects of data processing: the nature, purpose, scope, and potential risks involved. It's important to evaluate the entire lifecycle of personal data, from collection to storage, use, sharing, and eventual disposal.
The CPA emphasizes the involvement of key stakeholders from across your organizational structure to guarantee a holistic assessment.
When conducting an assessment, consider both internal and external risks, such as vulnerabilities in your systems, third-party relationships, and cybersecurity threats. Once risks are identified, you have to introduce measures to mitigate them effectively. This may involve implementing safeguards, such as:
- encryption
- access controls (see the Zero Trust Approach)
- incident response plans
- employee training
- ongoing monitoring and auditing practices
The Colorado Attorney General has the authority to request data protection assessments from businesses. The CPA does not explicitly specify the required frequency of assessments, but you must be ready to present your assessment within 30 days of when it is requested.
A best practice is to reassess regularly, and especially when there are any changes in existing processing activities or in a situation where the data security risk level could be heightened.
2. Personal data under the CPA
Remember, personal data under the CPA is any information linked or reasonably linkable to an identified or identifiable individual. This includes not only obvious identifiers like birth dates and contact details but also indirect identifiers like IP addresses, location information, transaction history, or even behavioural patterns.
3. Minimize your data
The CPA encourages you to minimize the data you collect and process. Collect only what is necessary for the specified purpose and avoid processing data for purposes unrelated to the original intent.
4. Consent for sensitive data processing and opting out
When processing consumer information, especially sensitive data such as that revealing racial origin, sexual orientation or health conditions, obtaining explicit and informed consent is a must. It's worth noting that simply accepting general terms and conditions won't cut it when seeking consent.
Specifically, consent must:
- be obtained through the consumer's clear, affirmative action
- be freely given by the consumer
- be specific
- be informed
- and reflect the consumer's unambiguous agreement.
Colorado residents can also choose to opt-out of targeted advertising and the sale of their personal data.
5. Data Processing Agreements
Each business that collaborates with so-called processors – 3rd party entities that process data that that business collects – requires a data processing agreement (DPA) to be signed by both parties.
DPAs set out a framework for lawful data processing. Ensure your DPA includes elements such as the nature and purpose of processing, the type of personal data involved, confidentiality requirements, security measures, provisions for data return or deletion, audit rights, as well as the requirement for processors to have their own agreements with sub-processors.
What if you already obtained consumer consent?
Entities that obtained consumer consent to data processing before 1 July can continue processing consumer personal data, including sensitive information. But there’s a ‘but’ – this prior consent will remain valid only if it adhered to the CPA's requirements for valid consent back then, too. So, if you had the right consent in place before the CPA's implementation, you can keep processing personal data. Otherwise, you need to update your procedures.
CPA enforcement and penalties
The Colorado Attorney General and district attorneys have the authority to take action against non-compliant entities. They have the power to investigate violations, issue notices of violation, and give out monetary penalties.
Finally, the CPA also imposes stricter and higher penalties compared to both the CCPA and the Virginia Consumer Data Protection Act. Non-compliant entities could face monetary penalties ranging from USD 2,000–20,000 per violation. And, the penalties accumulate! If a business is found to have multiple instances of non-compliance with different provisions of the CPA, each violation may result in a separate penalty, and they can add up fast.
How can Safetica secure your data for CPA compliance?
All this talk about compliance and the potential penalties may leave you feeling a bit overwhelmed. But Safetica is here to help you navigate the complex landscape of data privacy and protection.
At Safetica, we understand the importance of safeguarding sensitive data and meeting regulatory requirements. We also know that you don’t want to spend unnecessary time or resources on a DLP solution.
Safetica's DLP products provide a user-friendly interface and robust security features that support your compliance and data protection efforts. For example:
- Data classification: Easily identify and classify personal data within your organization, ensuring proper handling and protection.
- Data monitoring and auditing: Monitor data usage in real time, track sensitive data transfers, and generate detailed audit logs for compliance reporting and analysis.
- Access controls: Implement access controls to ensure that only authorized personnel can access sensitive data, reducing the risk of data breaches.
- Incident response: Safetica's software enables you to quickly respond to potential data breaches, allowing you to investigate incidents, contain the impact, and mitigate risks.
By partnering with Safetica, you can proactively address the challenges of data privacy and compliance. We’ll help you navigate the complexities of data protection while maintaining productivity and efficiency.