
Everything You Need to Know About the Colorado Privacy Act (CPA)

On July 7, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (SB 190) into law, just a month after the bill was passed by the Colorado House of Representatives. The Colorado Privacy Act (CPA) makes Colorado the third state to pass a comprehensive privacy law in the United States, following California’s California Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (CDPA).

In this article, we’ll outline the most salient points of Colorado’s new privacy legislation.


What You Need to Know About the Colorado Privacy Act


When does it take effect?

The CPA will go into effect on July 1st, 2023.


What rights do Colorado residents have under the CPA?

The CPA outlines several new consumer rights for Colorado residents, including:

  • Right to Opt-Out. The right to opt-out of the processing of personal data for the purposes of advertising, profiling, and the sale of personal data.
  • Right to Access. Consumers have the right to confirm whether or not a controller is processing their data, and to access their own data.
  • Right to Deletion. The right to delete personal data collected by a controller or processor.
  • Right to Correction. The right to correct inaccuracies in personal data.
  • Right to Data Portability. The right to obtain personal data in a portable and readily usable format.

If those rights seem familiar, that’s because they closely mirror some of the rights outlined in the EU’s General Data Protection Regulation (GDPR), as well as the CCPA and the CDPA.

Notably, the CPA requires a universal opt-out mechanism, which will let consumers opt out of data tracking on websites with a single click, rather than having to navigate sub-menus to turn off specific tracking capabilities.

Colorado’s privacy law does not include a private right of action (PRA).


How are Processors and Controllers defined under the CPA?

Colorado’s bill took another cue from the GDPR in outlining definitions of data “processors” and data “controllers.” The bill defines a controller as “a person that, alone or jointly with others, determines the purposes and means of processing personal data.” A processor is defined as a person or business that “processes personal data on behalf of a controller.”


What responsibilities do businesses have under the CPA?

In addition to defining Controller and Processor, the CPA specifies how controllers must fulfill their customers’ assertions of these rights and sets forth guidelines on purpose specification, transparency, avoiding unlawful discrimination, data minimization, and more.

The CPA also stipulates that controllers must conduct a data protection assessment for each processing activity involving personal data that presents “a heightened risk of harm to consumers,” such as targeted advertising, consumer profiling, or the sale and processing of personally identifiable information (PII).


Who does it apply to?

The CPA will apply to any business that conducts business in Colorado, or produces commercial products or services targeted at Colorado residents, and that either controls or processes the data of at least 100,000 consumers per year, or derives revenue from the sale of personal data and controls or processes the data of at least 25,000 consumers. The CPA applies even when a company derives less than 50% of its revenue from selling data.


How Does Enforcement Work?

Enforcement of the CPA falls to Colorado’s attorney general and district attorneys. Once the attorney general or a district attorney has decided to start an action against a controller, the office must first provide the controller with notice. The controller then has a 60-day cure period in which it must remediate the violation. This cure period is not a permanent provision of the law and will no longer be required as of January 1, 2025.

The CPA does not outline any fines for violations. Instead, any violation of the CPA is considered a deceptive trade practice under Colorado law, and penalties are therefore governed by the Colorado Consumer Protection Act. Under the Colorado Consumer Protection Act, a non-compliant business can be fined up to $20,000 per violation.


How Ensighten Can Help

The CPA is just the latest in a string of state laws that bring new rights to consumers while pressing new responsibilities—and penalties—on businesses and marketers. Ensighten offers organizations a solution to help build a fully compliant website and simplify compliance with the Colorado Privacy Act, as well as the CCPA, CDPA, and GDPR.

With Ensighten Consent Management Plus (CMP+), you can set up geo-targeted opt-out-of-sale links for Colorado consumers and give your customers a clear-cut choice on how their data is used, or whether it is collected at all. Our low-code, zero-integration deployment means Ensighten CMP+ is easy to use: a single line of code added to your website is all you need to stop data from being collected before your customers give their consent, allowing real-time enforcement of customer consent regardless of tag management systems or third-party tags.

Request a demo to see how Ensighten can help your organization meet compliance with the Colorado Privacy Act.
