By Stephen Cavey | 22 June 2022
We’ve entered an era of heavy regulation where the costs stemming from mishandling of an individual’s personal details are borne primarily by any organization that collects and uses information. In July 2021, the Colorado Privacy Act (CPA) was signed into law, making Colorado the third U.S. state to pass comprehensive privacy legislation.
The CPA borrows in part from the European Union’s General Data Protection Regulation (GDPR), but more significantly from the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA). So, how does the CPA compare to other compliance acts and who is at risk?
The CPA contains a few notable distinctions compared to its California and Virginia counterparts. First, the CPA applies to nonprofit entities that meet certain thresholds, whereas the California and Virginia laws exempt nonprofit organizations. Similar to the VCDPA, the CPA doesn’t apply to employee or business-to-business data and won’t provide a private right of action. The laws in all three states differ with respect to the required process for responding to a consumer privacy request and the applicable exceptions for responding to such requests.
The CPA applies to controllers and processors, which differs from law to law. Companies that conduct business in Colorado have to control or process personal data of 100,000 or more consumers during a calendar year and/or derive revenue or receive discounts from the sale of personal data and control to qualify as a controller or processor. At Ground Labs, we anticipate the rollout of several more statewide regulations, so familiarizing yourself with each law and its influence could be the difference in earning customer trust and avoiding penalties.
For companies to comply with the CPA, it’s imperative to understand consumers’ rights as they relate to the law. According to the CPA, a Colorado resident acting only in an individual or household context is protected. Controllers don’t need to consider the personal data of employees they collect and process when evaluating the law’s applicability. Anyone acting in a commercial or employment context isn’t protected.
Under the CPA, consumers have five main rights:
The CPA is enforceable by Colorado’s Attorney General and state district attorneys, and subject to a 60-day cure period for any alleged violation until 2025. A violation of the CPA constitutes a deceptive trade practice for purposes of the Colorado Consumer Protection Act, with violations punishable by civil penalties of up to $2,000 per violation with a maximum penalty of $500,000 for related violations.
To avoid being penalized, businesses need to take ownership when it comes to data privacy and protection — that includes knowing the location, amount and type of information being stored by your company.
Ahead of July 1, 2023, when the new law is set to take effect, partner with Ground Labs to solidify your organization’s data privacy and compliance plan by finding where all business data resides. Our data discovery platforms, like Enterprise Recon, have the ability to scan all of your organization’s surfaces and locate and categorize over 300 data types!
Book a demo today to get ahead of Colorado’s privacy law.