What Colorado’s Privacy Act Could Mean for Brands
Colorado became the latest state with its own framework of privacy regulations when the Colorado Privacy Act (CPA) passed the state’s senate last week. The bill, which now sits on Governor Jared Polis’ desk, would mark a step forward for consumer data protection. It’s also creating some major headaches for businesses around the country.
Colorado’s privacy regulations are just the latest in a string of privacy rights laws in the United States and Europe designed to protect consumers’ online data and the way digital information is shared. While the CPA is similar to Virginia’s Consumer Data Protection Act and the California Consumer Privacy Act, it also differs in some key ways that will have a major impact on businesses and brand marketers more specifically.
With Colorado now extremely close to becoming the next state with an omnibus privacy law, the business community is asking questions about implementation and compliance.
What Is the Colorado Privacy Act?
The CPA is a framework of privacy regulations that applies to legal entities that conduct business in Colorado or produce products or services aimed at Colorado residents. It was based largely on Virginia’s Consumer Data Protection Act and the Washington Privacy Act, which failed for the third year in a row after lawmakers were unable to reach a consensus back in April. Colorado’s lawmakers had a much easier time coming to an agreement, which means the CPA is now headed for Governor Polis’ desk.
Under the CPA, consumers have the right to receive a copy of their personal data from businesses, and they have the right to know what data is being collected and shared. They also have the right to correct any inaccurate information and the right to delete. Requests must be honored within 45 days, and they must be done free of charge.
When the CPA goes into effect in 2023, it will become the first state privacy regulation that can be enforced by the attorney general’s office and the district attorney’s office. That’s just one of a number of enforcement mechanisms that have been baked into the legislation. Violations of the CPA will constitute a “deceptive trade practice,” and penalties could be up to $2,000 per violation.
Although the CPA includes certain elements also seen in the California Privacy Rights Act (CPRA) and the European Union’s General Data Protection Regulation (GDPR), it has fewer exemptions and could therefore become a sticking point for businesses across the U.S.
How Will Businesses Be Impacted?
The impact of the CPA on businesses is substantial. According to privacy rights and compliance expert Dan Clarke, president of the privacy compliance platform Truyo, companies should be preparing now for the CPA’s implementation in 2023.
“Provided Colorado passes, which I think it will, I think we’re going to continue to see more states get on board with this,” Clarke says. “This is going to make navigating privacy laws and compliance very difficult for businesses that conduct business across state lines, especially if every law is as nuanced as [the California, Virginia, and Colorado laws] have been so far.”
The Colorado law applies to companies that process the data of 100,000 Colorado consumers per year or derive the majority of their revenue from the sale or control of the personal data of just 25,000 consumers. That means many more businesses are going to fall under the umbrella outlined in Colorado’s Act than under similar legislation in California and Virginia. For data brokers, this means the law is most likely going to apply across the board.
Clarke says the CPA’s data protection assessments are the most significant part of the law. Controllers can’t conduct data processing that could harm consumers without first conducting a data protection assessment on each of the processing activities. Unlike similar legislation, the CPA does not offer exemptions when it comes to data protection assessments.
“The data protection assessments are really the most significant part of this law if you are already complying with CCPA and prepared for CPRA, and I don’t think companies understand that they will have to do them to remain compliant,” Clarke says. “And not only do they have to do them for each major project or product, but they will have to repeat them anytime there’s a change to the risk associated with that particular assessment. That ongoing requirement is going to be the biggest hurdle businesses will be faced with unless they have a tool in place to help automate this process.”
Clarke recommends that companies begin preparing now.
“Now is the time to start planning, especially for assessments, and the implications around sensitive data and this universal opt-out mechanism — and that’s a technical challenge for many organizations,” he says. “Manual processes and workflow management processes are likely to be overwhelmed, particularly as more states introduce laws, which is likely to happen.”
Stephanie Miles is a senior editor at Street Fight.