Colorado Privacy Act (CPA) 

What is the Colorado Privacy Act?

The Colorado Privacy Act (CPA), signed into law on July 7, 2021, is comprehensive privacy legislation that aims to enhance data privacy rights for residents of Colorado. The CPA provides consumers with greater control over their personal data and imposes obligations on businesses that process personal data. It is designed to offer protection similar to that of the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR), while incorporating additional protections for biometric data, minors, and consent interface design.

Who is it relevant to?

The CPA applies to entities that conduct business in Colorado or produce commercial products or services that are intentionally targeted to residents of Colorado and that either:

  • Control or process personal data of 100,000 or more consumers during a calendar year; or
  • Derive revenue or receive discounts from the sale of personal data and control or process the personal data of 25,000 or more consumers.

The law is relevant to a wide range of industries including but not limited to:

  • Technology
  • Retail
  • Finance
  • Healthcare
  • Marketing and advertising
  • Any business involved in data collection, processing, and monetization

Who Needs to Comply?

The CPA mandates compliance from both data controllers and processors. Controllers are entities that determine the purposes and means of processing personal data, while processors are entities that process personal data on behalf of a controller. Processors and employers processing biometric identifiers must now also obtain documented consent.

What rights do consumers have under the CPA?

  • Access: Consumers have the right to access their personal data.
  • Correction: Consumers can correct inaccuracies in their personal data.
  • Deletion: Consumers can request the deletion of their personal data.
  • Data Portability: Consumers have the right to obtain a copy of their data in a portable format.
  • Opt-Out: Consumers can opt out of the sale of their personal data, targeted advertising, and profiling.
  • Universal Opt-Out: Controllers must honor user-selected universal opt-out mechanisms, including for minors where applicable.

What are the requirements for the Colorado Privacy Act?

Data Protection Requirements:

  • Transparency: Provide clear and conspicuous privacy notices explaining data collection, use, and sharing practices.
  • Data Security: Implement reasonable security measures to protect personal data.
  • Data Protection Assessments: Conduct assessments for high-risk data processing activities, including targeted advertising, sale of personal data, and processing sensitive data.

Consent: Obtain consumer consent before processing sensitive data, such as data revealing racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation, citizenship status, genetic or biometric data, and personal data of children. Consent flows must be free from deceptive or manipulative “dark patterns,” and withdrawing consent must be as easy as giving it.

Actionable Steps to Comply

  1. Data Inventory and Mapping

    Identify and document all personal data processed by the organization, including data sources, storage locations, processing activities, and data sharing practices.
  2. Update Privacy Notices

    Ensure that privacy notices are clear, comprehensive, and easily accessible. Include details about consumer rights and how to exercise them, as well as required disclosures for biometric identifiers and minors’ data.
  3. Implement Consumer Rights Management

    Establish procedures to handle consumer requests for data access, correction, deletion, portability, and opt-out of data sales or targeted advertising.
    Include automated recognition of universal opt-out signals.
  4. Data Protection Assessments

    Conduct and document assessments for processing activities that pose a heightened risk to consumer privacy, including biometric processing and any minors-related data practices.
  5. Review and Update Contracts

    Update contracts with third-party service providers to ensure they comply with CPA requirements.
    Include data processing agreements that outline responsibilities and data protection measures, including biometric data handling where applicable.
  6. Train Employees

    Provide training to employees on CPA requirements and the organization’s data protection policies and procedures, especially regarding biometric identifiers and minors’ data obligations.
  7. Implement Data Security Measures

    Ensure that appropriate technical and organizational measures protect personal data against unauthorized access, disclosure, alteration, and destruction, including safeguards specific to biometric identifiers.
  8. Monitor and Review Compliance

    Regularly review and update privacy practices and compliance programs to align with CPA requirements and any new guidance or amendments.

Why should you be Colorado Privacy Act compliant?

The CPA is enforced by the Colorado Attorney General and District Attorneys, with fines for non-compliance reaching up to $20,000 per violation. Given the potential for substantial financial penalties and legal actions, it is crucial for businesses to ensure compliance with the CPA to protect both their finances and reputation.

In addition, the enhanced rules around biometrics, minors, consent design, and universal opt-out increase the risk of enforcement for non-compliance.

How to achieve compliance?

To comply with the Colorado Privacy Act (CPA), organizations can leverage Centraleyes’ comprehensive risk management and compliance platform. Centraleyes offers automated data collection and analysis, prioritized remediation advice, and real-time risk scoring.

The Centraleyes platform maps the CPA to an extensive control inventory, facilitating seamless data exchange across various systems within the network. This not only saves time and money but also ensures more reliable and accurate data management.

Read more: https://leg.colorado.gov/sites/default/files/2021a_190_signed.pdf
