The Colorado Privacy Act (CPA) passed yesterday in the state's senate, marking another step forward for consumer data protections in the United States. The new regulation is expected to be signed into law within 30 days and go into effect in July 2023.
Colorado is the third state to enact a cross-industry privacy rights law, following Virginia's Consumer Data Protection Act (CDPA) and the California Consumer Privacy Act (CCPA). Overall, the U.S. still lacks a federal consumer privacy law and is instead advancing toward a fractured regulatory landscape, one that is already creating challenges for enterprises. Between the fast-changing nature of regulatory standards, including the evolution of what's considered personally identifiable information (PII), and the variation between current laws, it can be tough to keep up. To meet this need, cybersecurity companies are increasingly trying to fill the gaps with tools that help automate compliance.
While the CPA was based on Virginia's recent law, as well as the failed Washington Privacy Act, it contains some differences, particularly around exemptions and the rights granted to Colorado residents. The CPA is also the first law that can be enforced by both the district attorney and the attorney general's office, "which is a reason to really take compliance obligations seriously," Greg Szewczyk, a Denver-based data privacy and cybersecurity partner at Ballard Spahr law firm, told VentureBeat.
Here's a breakdown of the CPA, what's needed for compliance, and what it all means for enterprises.
How does this law differ from CCPA?
One major difference is the threshold for applicability, Szewczyk said, noting "it's more of a geographically targeted type of direct applicability." While CCPA has a global annual revenue threshold that essentially applies to every company over a certain size, the Colorado law, like the Virginia law, does not. Rather, the CPA is applicable to companies that either collect personal data from 100,000 Colorado residents or collect data from 25,000 Colorado residents and also derive some portion of revenue from sales.
Brandon Reilly, a partner with Manatt, Phelps & Phillips LLP, also pointed out some slight variations in data rights. The process required to respond to a privacy request, how long the business has to respond, and individual exceptions businesses may use to resist complying with a privacy request, for example, all differ between Colorado, California, and Virginia.
Another notable difference between CPA and CCPA is that consumers' ability to opt out of a sale of data is arguably much broader in California.
"This is because the Colorado law is limited to sales in exchange for monetary value only, whereas California does not include that limitation," Reilly said. "As a result, we have seen much discourse about whether various types of data-sharing trigger the CCPA's opt-out provisions, most notably for the adtech industry."
Which businesses are exempt? And are there any exemptions related to the data itself?
There are some nuanced exemptions for businesses whose data is already regulated by federal law, such as health care providers, higher education, and financial institutions. There are also exclusions related to the Fair Credit Reporting Act. But Reilly explained that, as with the CCPA, these exemptions do not always apply at the entity level. "It may be that they apply to some or nearly all of the entity's personal data, but not all of it," he said.
Even for businesses not in these regulated industries, there are some notable exemptions, specifically employee and business-to-business exemptions. This aspect of the law marks a major difference from the EU's General Data Protection Regulation (GDPR).
"You can have companies, especially some I have in the tech field, where they're not selling directly to consumers, not collecting a ton of personal information, but they are interacting with a lot of businesses," Szewczyk said. "The fact that that is excluded from the definition of consumer and coverage under the Colorado act is going to save them a lot of heartburn."
If a business has already taken steps to be CCPA-compliant, what else is needed to meet Colorado's requirements?
Companies that are already CCPA-compliant are in pretty good shape. The next step for enterprises in this position, Reilly said, would be to assess what additional rights to consider, with a specific focus on the company's Colorado-based consumers.
As previously mentioned, there is some variation regarding specific consumer data rights, which even CCPA-compliant companies should evaluate. For example, in addition to targeted advertising, the Colorado law lets consumers opt out of having their information processed to create consumer profiles, which is not part of the current CCPA. Szewczyk said in many ways the CPA goes past the CCPA and provides more protections that are more in line with CPRA, the law that will replace the current California mandate in 2023.
What should businesses do between now and July 2023 to ensure compliance?
Both Reilly and Szewczyk stressed that enterprises should prioritize gaining a really deep understanding of their data: what data they're taking in, how they're processing it, the privacy risks to consumers and the general public, and how the risks weigh against the benefits.
This is essential for ensuring compliance, but there's also the fact that conducting a data protection assessment is one of the new requirements under the Colorado law. Szewczyk notes that while this is also a requirement of the Virginia law (which also goes into effect in 2023), and CCPA has something similar, "it's an area that we're expecting the agency to really flesh out."
"For companies, unless they are doing this under the GDPR or some other specific regulated statute for a specific industry, it's gonna be a new concept," he said.
Once an enterprise has a full picture of its data and practices, it should assess the degree of exposure under the Colorado law, as well as the other laws that will be enacted in 2023. From there, it can determine what specific projects might need to be budgeted and launched in order to meet compliance.
What's the high-level impact this will have on enterprises?
Even without a federal law, these piecemeal regulations will start forcing enterprises toward new data principles, such as privacy by design. Holding large amounts of consumer data will increase liability, so designing products and services in a privacy-centric way will become increasingly popular (not to mention a good move for customer trust).
"I think all of these laws, to some extent, start driving at the concept of data minimization, which is only to collect what you actually need for the purpose that you're collecting," Szewczyk said. "And that's really an underlying current as to how to protect consumers, because you can't lose or misuse what you don't have."