Why The Colorado Privacy Act Could Cost You

We’ve entered an era of heavy regulation where the costs stemming from mishandling of an individual’s personal details are borne primarily by any organization that collects and uses information. In July 2021, the Colorado Privacy Act (CPA) was signed into law, making Colorado the third U.S. state to pass comprehensive privacy legislation.

The CPA borrows in part from the European Union’s General Data Protection Regulation (GDPR), but more significantly from the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA). So, how does the CPA compare to other compliance acts and who is at risk?

How does the Colorado Privacy Act Differ From Other State Laws?

The CPA contains a few notable distinctions compared to its California and Virginia counterparts. First, the CPA applies to nonprofit entities that meet certain thresholds, whereas the California and Virginia laws exempt nonprofit organizations. Similar to the VCDPA, the CPA doesn’t apply to employee or business-to-business data and won’t provide a private right of action. The laws in all three states differ with respect to the required process for responding to a consumer privacy request and the applicable exceptions for responding to such requests.

The CPA applies to controllers and processors, which differs from law to law. Companies that conduct business in Colorado have to control or process personal data of 100,000 or more consumers during a calendar year and/or derive revenue or receive discounts from the sale of personal data and control to qualify as a controller or processor. At Ground Labs, we anticipate the rollout of several more statewide regulations, so familiarizing yourself with each law and its influence could be the difference in earning customer trust and avoiding penalties.

Your Rights Under the Colorado Privacy Act

For companies to comply with the CPA, it’s imperative to understand consumers’ rights as they relate to the law. According to the CPA, a Colorado resident acting only in an individual or household context is protected. Controllers don’t need to consider the personal data of employees they collect and process when evaluating the law’s applicability. Anyone acting in a commercial or employment context isn’t protected.

Under the CPA, consumers have five main rights:

1. Right of Access: Consumers can find out whether a controller is processing personal data concerning the consumer and access their personal data.
2. Right to Correction: Just what it sounds like– consumers can correct inaccuracies in their personal data.
3. Right to Delete: This is another right that’s easy to understand. Consumers have the right to delete personal data concerning them.
4. Right to Data Portability: Consumers have the right to obtain personal data in a portable and readily usable format that allows them to transmit the data easily.
5. Right to Opt-Out: Consumers can opt-out of personal data processing for targeted advertising; the sale of personal data and profiling in decisions that produce legal or similarly significant effects concerning a consumer.

Staying Ahead of It: CPA Enforcement and Violations

The CPA is enforceable by Colorado’s Attorney General and state district attorneys, and subject to a 60-day cure period for any alleged violation until 2025. A violation of the CPA constitutes a deceptive trade practice for purposes of the Colorado Consumer Protection Act, with violations punishable by civil penalties of up to $2,000 per violation with a maximum penalty of $500,000 for related violations. 

To avoid being penalized, businesses need to take ownership when it comes to data privacy and protection — that includes knowing the location, amount and type of information being stored by your company.

Ahead of July 1, 2023, when the new law is set to take effect, partner with Ground Labs to solidify your organization’s data privacy and compliance plan by finding where all business data resides. Our data discovery platforms, like Enterprise Recon, have the ability to scan all of your organization’s surfaces and locate and categorize over 300 data types!

Book a demo today to get ahead of Colorado’s privacy law.