Check out all the on-demand sessions from the Intelligent Security Summit here.
The Colorado Privacy Act (CPA) passed yesterday in the state’s senate, marking another step forward for consumer data protections in the United States. The new regulation is expected to be signed into law within 30 days and go into effect in July 2023.
Colorado is the third state to enact a cross-industry privacy rights law, following Virginia’s Consumer Data Protection Act (CDPA) and the California Consumer Privacy Act (CCPA). Overall, the U.S. still lacks a federal consumer privacy law and is instead advancing toward a fractured regulatory landscape, one that is already creating challenges for enterprises. Between the fast-changing nature of regulatory standards — including the evolution of what’s considered personally identifiable information (PIII) — and the variation between current laws, it can be tough to keep up. To meet this need, cybersecurity companies are increasingly trying to fill the gaps with tools that help automate compliance.
While the CPA was based on Virginia’s recent law, as well as the failed Washington Privacy Act, it contains some differences, particularly around exemptions and the rights granted to Colorado residents. The CPA is also the first law that can be enforced by both the district attorney and the attorney general’s office, which is “a reason to really take compliance obligations seriously,” Greg Szewczyk, a Denver-based data privacy and cybersecurity partner at Ballard Spahr law firm, told VentureBeat.
Here’s a breakdown of the CPA, what’s needed for compliance, and what it all means for enterprises.
How does this law differ from CCPA?
One major difference is the threshold for applicability, Szewczyk said, noting “it’s more of a geographically targeted type of direct applicability.” While CCPA has a global annual revenue threshold that essentially applies to every company over a certain size, the Colorado law — like the Virginia law — does not. Rather, the CPA is applicable to companies that either collect personal data from 100,000 Colorado residents or collect data from 25,000 Colorado residents and also derive some portion of revenue from sales.
Brandon Reilly, a partner with Manatt, Phelps & Phillips LLP, also pointed out some slight variations in data rights. The process required to respond to a privacy request, how long the business has to respond, and individual exceptions businesses may use to resist complying with a privacy request, for example, all differ between Colorado, California, and Virginia.
Another notable difference between CPA and CCPA is that consumers’ ability to opt out of a “sale” of data is arguably much broader in California.
“This is because the Colorado law is limited to ‘sales’ in exchange for monetary value only, whereas California does not include that limitation,” Reilly said. “As a result, we have seen much discourse about whether various types of data-sharing trigger the CCPA’s opt-out provisions, most notably for the adtech industry.”
Which businesses are exempt? And are there any exemptions related to the data itself?
There are some nuanced exemptions for businesses whose data is already regulated by federal law, such as health care providers, higher education, and financial institutions. There are also exclusions related to the Fair Credit Reporting Act. But Reilly explained that, as with the CCPA, these exemptions do not always apply at the entity level. “It may be that they apply to some or nearly all of the entity’s personal data, but not all of it,” he said.
Even for businesses not in these regulated industries, there are some notable exemptions, specifically employee and business-to-business exemptions. This aspect of the law marks a major difference from the EU’s General Data Protection Regulation (GDPU).
“You can have companies, especially some I have in the tech field, where they’re not selling directly to consumers, not collecting a ton of personal information, but they are interacting with a lot of businesses,” Szewczyk said. “The fact that that is excluded from the definition of consumer and coverage under the Colorado act is going to save them a lot of heartburn.”
If a business has already taken steps to be CCPA-compliant, what else is needed to meet Colorado’s requirements?
Companies that are already CCPA-compliant are in pretty good shape. The next step for enterprises in this position, Reilly said, would be to assess what additional rights to consider, with a specific focus on the company’s Colorado-based consumers.
As previously mentioned, there is some variation regarding specific consumer data rights, which even CCPA-compliant companies should evaluate. For example, in addition to targeted advertising, the Colorado law lets consumers opt out of having their information processed to create consumer profiles, which is not part of the current CCPA. Szewczyk said in many ways the CPA “goes past the CCPA and provides more protections” that are more in line with CPRA, the law that will replace the current California mandate in 2023.
What should businesses do between now and July 2023 to ensure compliance?
Both Reilly and Szewczyk stressed that enterprises should prioritize gaining a really deep understanding of their data — what data they’re taking in, how they’re processing it, the privacy risks to consumers and the general public, and how the risks weigh against the benefits.
This is essential for ensuring compliance, but there’s also the fact that conducting a data protection assessment is one of the new requirements under the Colorado law. Szewczyk notes that while this is a requirement of the Virginia law (which also goes into effect in 2023), and that CCPA has something similar, “it’s an area that we’re expecting the agency to really flesh out.”
“For companies, unless they are doing this under the GDPR or some other specific regulated statute for a specific industry, it’s gonna be a new concept,” he said.
Once an enterprise has a full picture of its data and practices, it should assess the degree of exposure under the Colorado law, as well as the other laws that will be enacted in 2023. From there, it can determine what specific projects might need to be budgeted and launched in order to meet compliance.
What’s the high-level impact this will have on enterprises?
Even without a federal law, these piecemeal regulations will start forcing enterprises toward new data principles, such as privacy by design. Holding large amounts of consumer data will increase liability, so designing products and services in a privacy-centric way will become increasingly popular (not to mention a good move for customer trust).
“I think all of these laws, to some extent, start driving at the concept of data minimization, which is only to collect what you actually need for the purpose that you’re collecting,” Szewczyk said. “And that’s really an underlying current as to how to protect consumers because you can’t lose or misuse what you don’t have.”
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.