As of July 2021, Colorado officially enacted the Colorado Privacy Act (CPA), making it the third US state to pass dedicated privacy legislation, following in the footsteps of California’s Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (VCDPA).
The CPA will apply to any organization that conducts business in Colorado as well as any organization that holds information relating to the state’s residents. It focuses primarily on data controllers and processors – two terms commonly found in the European General Data Protection Regulation (GDPR) and the CCPA.
There are some notable similarities between the CPA and other data privacy regulations like GDPR, CCPA, and VCDPA, meaning organizations that are compliant with any of the above regulations already have a foundation to work from. For example:
- The CPA is handing certain rights back to the consumer.
- Organizations that store, handle and process personal data have a duty to protect this information.
- If violations occur and the data holder is found to be at fault by the state attorney general or local authorities, penalties will be imposed to prevent future violations.
The CPA also allows citizens to inquire about how their data is being used and whether it is being processed. Consumers can make changes if inaccuracies are found, and they can request to have their information deleted. Also, the CPA mandates that if these requests are made, they must be actioned by the data processor or controller within 45 days.
In essence, the CPA is welcomed in today’s digital society, but it is by no means ground-breaking in what it is trying to achieve with its privacy agenda. However, there are differences that set the CPA apart and must be noted. For instance:
- There is no revenue threshold on which organizations must comply, meaning small businesses are just as accountable as their larger counterparts when collecting personal data.
- Non-profits are not exempt, unlike under the VCDPA and CCPA.
- The CPA gives controllers the right to object to any sub-processors, while the VCDPA and CCPA do not.
The definition of sensitive information and how it is treated also differs between the CPA, CCPA, and VCDPA. While all three require consumer consent before collecting personal data, the CPA is much stricter in its definition of consent. It states:
Consent must be “freely given, specific, informed and unambiguous agreement” which does not include general or broad terms, “hovering over, muting, pausing, or closing a given piece of content,” or “agreement obtained through dark patterns” (although “dark patterns” is not defined).
Essentially, consumer consent must be obtained in a clear and specific manner leaving no ambiguity or confusion between the data processor and the individual.
The CPA won’t come into effect until July 2023, giving organizations ample time to put the necessary processes and procedures in place to be compliant. Moreover, it shows a clear approach taken by the State of Colorado to ensure that its citizens’ data security and privacy are duly cared for by businesses. Organizations that are concerned about whether their security is adequate should act now and adopt a data-centric approach to protecting consumer data. This addresses the core concern of keeping data private, and compliance follows from it.