How to navigate the new Colorado Privacy Act (CPA)

The Colorado Privacy Act (CPA) passed yesterday in the state's senate and will go into effect in July 2023 – creating an additional regulation that organizations must comply with or face hefty fines and eroding consumer trust. Colorado is the third state to enact a cross-industry privacy law, following following Virginia’s Consumer Data Protection Act (CDPA) and the California Consumer Privacy Act (CCPA).

As noted by JD Supra, the CPA will be enforced by the attorney general or district attorneys. There is not a private right of action, but violations do constitute a deceptive trade practice, and penalty amounts are up to $2,000 per violation with a maximum of $500,000 for related violations.

The CPA applies to legal entities that conduct business or produce commercial products or services that are intentionally targeted at Colorado residents, JD Supra says, and that either:

Control or process personal data of more than 100,000 consumers per calendar year; or
Derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.

According to JD Supra, the CPA provides Consumer Access Rights including:

The right to receive a copy of the personal data the business is processing;
The right to know what data is collected and the processing and sharing activities;
The right to correct any inaccurate personal data;
The right to delete;
The right to opt-out of processing of personal data (for targeted advertising, profiling, and sale); and
An appeals process for refusal of any rights.

In addition, organizations are required to ensure they operate from common privacy principles, such as purpose specification, data minimization, purpose limitation and duty of care.

Without one federal law in place, more states will continue to pass consumer data protection legislation, making it challenging for businesses that operate in multiple jurisdictions to navigate a fractured regulatory landscape. Fortunately, there are ways that businesses can prepare for this privacy regulation onslaught, says and David Valovcin, Senior Director, Global Data Security for Imperva.

“Organizations are overwhelmed by the onslaught of multiple privacy regulations and most are not prepared to meet the coming compliance challenges,” said David Valovcin, Senior Director, Global Data Security for Imperva. “At the same time, the definition of personally identifiable information keeps expanding, going beyond social security numbers to include political affiliations, religion and even IP addresses. Furthermore, most organizations don’t know where their PII data is stored, how it is controlled or who has access to it. Fortunately, there are new ways to streamline these processes, allowing organizations to automate compliance initiatives.”

Heather Paunet, Senior Vice President at Untangle, a San Jose, Calif.-based provider of comprehensive network security for SMBs, explains, "As businesses navigate privacy laws, it can begin to look a bit like word soup: General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Consumer Data Protection Act (CDPA) and now the Colorado Privacy Act (CPA). However, most companies that operate in the U.S. and internationally will have gone through various steps for the European Union’s GDPR rules, as well as the CCPA. Having already complied with these regulations will make it easier to make it easier to comply with the CPA."

Paunet adds that to ensure compliance with current, and new regulations, businesses need to understand the data they’re taking in and who has access. "The Colorado law, with similar versions in CCPA and CDPA, includes a requirement to conduct a data protection assessment. This is an important step that any business collecting consumer data should begin. Businesses will need to understand what is being collected, and how to protect customer data while also continuing employee education about data ownership and protection," Paunet explains. "In addition, businesses will need an effective strategy to communicate when customer information may be sold or disclosed for business-related purposes. Transparency in data collection will be a foundational pillar for businesses looking to maintain a trusting relationship with their customers."

According to Venture Beat, while CCPA has a global annual revenue threshold that essentially applies to every company over a certain size, the Colorado law — like the Virginia law — does not. Rather, the CPA is applicable to companies that either collect personal data from 100,000 Colorado residents or collect data from 25,000 Colorado residents and also derive some portion of revenue from sales.

Monti Knode, Director of Customer & Partner Success at Horizon3.AI, a continuous automated security assessment and validation company, says, "What I love about this Act is that it goes above the CCPA, where companies processing this data will be assessed; what I don't like is that the Act does not specify frequency. The last thing any of us--government, industry, and citizens--need are more annual compliance standards that gear up for a test and gear down the rest of the time. What we all need is continuous assessment. With escalating data theft, ransomware attacks, and AI-enabled credential attacks, anything less is irresponsible. Risk is persistent, so assessment and verification should be as well."

In addition, Venture Beat reports, the process required to respond to a privacy request, how long the business has to respond, and individual exceptions businesses may use to resist complying with a privacy request, for example, all differ between Colorado, California, and Virginia.

"The mounting requirements from compliance simply reflects that people care about how their personal data is handled -- and wish to see the data more respectfully and transparently. From a company's standpoint, this is a major opportunity to add visibility into how data flows and is used inside their organization -- compliance is a good forcing function, but most organizations will find that visibility can drive top-line revenue and save on cloud costs," Mohit Tiwari, Co-Founder and CEO at Symmetry Systems, a San Francisco, Calif.-based provider of cutting-edge Data Store and Object Security (DSOS).

Tiwari adds, "For example, visibility into data enables responsible sharing and allows analysts to work with the freshest purchase and partner/supplier data; or removing dormant data and permissions improves cloud cost while driving down risk. As a result, I'd encourage organizations to not settle for a web-service that simply orchestrates privacy requests among developers and privacy officers, and look into more substantive tools to observe and protect data in their hybrid cloud."

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.