Following in the footsteps of California and Virginia, Colorado is the latest state to enact a sweeping data privacy law.
The Colorado Privacy Act (CPA) will go into effect on July 1, 2023. That means, businesses have roughly two years to fall in line with what the CPA has declared as compliance. The CPA will go after and fine any business that breaks the rules set forth.
So, if you don't already have prior mechanisms in place, there are many changes to make and a very steep hill to climb to protect your business.What you need to know:
Who must comply with the Colorado Privacy Act?
The Colorado Privacy Act will apply to any legal entities that conduct business or produce commercial products or services in Colorado and who are intentionally targeting residents. These companies either control/process data of at least 100,000 consumers per year or derive revenue from the sale of personal info and process 25,000 consumer records each day.
The CPA exempts air carriers, certain national securities associations that are subject to the Gramm-Leach-Bliley Act and entities that are subject to state and federal law. ''If a controller processes personal data exempted from the CPA, the controller bears the burden of demonstrating that the processing qualifies for the exemption.''
Under the new privacy law, personal data is the information that leads to the identification of an individual. Controllers and processors must collect it and use it only for specific purposes, protected by reasonable security measures.
Like the GDPR, the CPA classifies the data about religious beliefs, ethnic origin, sexual orientation as 'sensitive data.'
When it comes to ''affirmative consent,'' consumers should not be forced to consent through a ''click-wrap''agreement by checking an online box. Instead, they must have the option to agree to the terms by signing it, and it must be freely given. The agreement must be clear, specific and unambiguous.
What are the obligations under the CPA?
Controllers must fulfill their obligations to consumers when handling their personal data. Especially when they are handling sensitive data as well. Similar to the GDPR, consumers' rights refer to: transparency, purpose specification and data minimization. Also, the CPA requires controllers, to avoid secondary use of data and to conduct a data protection assessment,''before conducting processing that presents a heightened risk of harm to a consumer.”
Processors have the obligation to help controllers to fulfill their obligations regarding the security of the processing. The processing activities must be performed under a data processing agreement with instructions from the controller. They will ''ensure that each person processing the personal data is subject to a duty of confidentiality.''
With almost two years to reach compliance with the CPA, it may seem like not the most important thing. Yet July 1, 2023, will arrive faster than you think. Therefore, by acting now, businesses can save themselves from fines and other complications involved with non-compliance with the CPA.
Contact us for more information.