The Colorado Privacy Act: Key steps toward compliance and data governance

February 14, 2023 Article 5 min read
Authors:
Kyle Miller Cooper Dayton
The Colorado Privacy Act legislation has organizations of all sizes and types asking questions about compliance and data governance. Our experts provide an overview of the new legislation and steps organizations can take to meet the requirements.
Across the United States and the world, authorities are enacting data privacy laws. Since 2016, we’ve seen adoption of Europe’s General Data Protection Regulation (GDPR) and, in the United States, the California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), and now the Colorado Privacy Act.

These laws, including the new Colorado legislation, require organizations to have a deep understanding of the data they collect, process, and store about consumers. This includes where and how data is maintained, how data is used and protected, and how organizations ensure consumers’ rightful access to their information.

With enforcement of the Colorado Privacy Act likely beginning in early 2024, organizations need to identify gaps in their data privacy and information security practices and potential noncompliance issues as early as possible. Identifying, planning, and executing remediation efforts can take time.

What organizations are covered under the new Colorado legislation?

The Colorado Privacy Act applies to organizations that process data for more than 100,000 consumers in a year or receive revenue or discounts from the sale of personal data of more than 25,000 consumers.

“Processing” is defined as collecting, updating, sharing, or deleting data. An organization doesn’t have to be based in Colorado; any consumer-facing entity that conducts business in Colorado or targets or processes data for Colorado residents, offers rewards programs, or has a website that collects consumer data is covered by the law.

Many organizations may be surprised to learn they must comply with Colorado’s new data privacy law. Not-for-profit groups, such as political organizations and foodbanks, are covered. The act doesn’t apply to B2B customer data, and some consumer-facing organizations are exempt, including law enforcement and other government agencies, K-12 and higher educational institutions, and financial institutions covered by the GLBA (Gramm-Leach-Bliley Act).

What types of data are covered by the Colorado Privacy Act?

The act requires safeguards for consumer PII, or personally identifiable information. Consumer PII includes data such as name, age, marital status, address, and other information, including IP (internet protocol) addresses commonly tracked via traffic analytics applications or a consumer’s digital preference profile. Required safeguards include a number of practices and controls, such as restricting access to sensitive data, which many organizations currently don’t do.

One major difference between the Colorado Privacy Act and other state data privacy laws is the requirement for organizations to disclose the purposes of data processing activities that involve consumer information.

Colorado Privacy Act: Risks of noncompliance

Noncompliance with the act can lead to fines levied by the State of Colorado and other governing bodies. But the risks go beyond financial and regulatory. Without properly safeguarding consumer data and PII, an organization’s reputation could sustain long-term damage, especially if customers’ privacy is violated in a breach. Similarly, organizations that improperly share consumer data with outside parties or engage in consumer-profiling activities that can lead to harm risk losing their customers’ trust and support.

What actions should organizations take to prepare for the Colorado Privacy Act?

While state laws can be overwhelming, particularly related to privacy, there are steps organizations can take to begin preparing for compliance with the new Colorado legislation.

Conduct a business data inventory assessment

First, you’ll want to conduct a business inventory or assessment of your organization’s data to:

  • Identify what consumer PII data you collect.
  • Understand where consumer PII data is housed.
  • Identify the purpose for collecting and storing PII data.
  • Determine if you can minimize the data you collect.

Conduct an information security assessment

If you’re one of the prepared organizations that has a handle on your data, or you’ve completed a business data inventory, you’ll want to ask:

[Graphic: information security assessment considerations]

An information security assessment can help answer these questions and provide recommendations to close data security gaps. Security and privacy go hand in hand, so a strong cybersecurity program can assist with compliance with the Colorado Privacy Act and other privacy regulations. General framework assessments against NIST CSF, CIS, HITRUST, and other frameworks can also help your organization achieve a comprehensive, mature cybersecurity program.

Other Colorado Privacy Act provisions to note

The new Colorado legislation sets forth a number of other provisions, including consumer rights and specific requirements for website privacy policies. Additionally, organizations using data for certain purposes will need to submit a formal data protection assessment to the state. It’s important to review the law and understand the many requirements to comply.

Strengthen data governance

Strong data management and data loss protection practices are critical, both to Colorado Privacy Act compliance and to your organization’s overall data governance. Do you have established and documented data management policies and procedures, so your employees — including marketing staff, sales teams, and customer service reps — are trained and competent when handling consumer data?

By establishing mature data governance policies and practices, you’ll also facilitate compliance with the Colorado Privacy Act requirements around controller obligations. This is where the ultimate accountability and responsibility lies for handling PII data in accordance with the law.

When is the Colorado Privacy Act effective date?

The act takes effect on July 1, 2023, with enforcement expected to begin in early 2024. Organizations should identify noncompliance issues as early as possible in order to plan and implement remediation efforts.

Colorado Privacy Act and data privacy trends

Data privacy laws aren’t going away. If anything, authorities and consumers alike are placing increasing emphasis on data security and privacy. As a result of the new Colorado legislation, consumers will ask about their data and, by law, expect organizations to respond promptly and effectively to their requests. Managing data correctly and efficiently within a data governance framework lets your organization minimize the risk of noncompliance, hefty fines, and losing your customers’ valuable trust.
