The next article in this series is about the Colorado Privacy Act (CPA). This law will go into effect on July 1, 2023. Although your business may have already been preparing for CPRA and CDPA compliance, here are the unique provisions of CPA you need to be aware of.
This is the third article in Ethyca’s blog post series for businesses that need to comply with the new privacy laws in 2023. The next law we’ll discuss is the Colorado Privacy Act (CPA). CPA will go into effect on July 1, 2023. Although this act will be enacted half a year after California’s CPRA and Virginia’s CDPA, it’s important for businesses to start preparing in the coming months.
This article will go over the provisions of CPA, briefly compare it with California’s and Virginia’s state privacy laws, and show how your business can use Ethyca to get ready for compliance next year.
According to this the Colorado Privacy Act, business entities will need to comply with CPA if their products or services target Colorado residents and:
Like Virginia’s CDPA privacy law, CPA does not use a revenue threshold to determine which businesses are subject to the law. A unique aspect of the CPA is that it does not exempt nonprofits from privacy obligations. Thus, nonprofits operating nationwide in the US will find that the CPA is the first state data privacy law that they’ll need to prepare for.
If your business falls under either of these categories, it must provide specific guardrails to protect Coloradans’ data privacy. We’ll go over important provisions your company needs to consider now.
Like with CPRA and CDPA, CPA states that businesses must provide consumers with privacy policies online. These policies must be a “reasonably accessible, clear and meaningful privacy notice.” They should include information about what data is collected or processed, if the business is selling or sharing personal data, and how.
CPA is primarily based on an opt-out model, meaning companies don’t need to obtain user consent before processing most personal information from consumers. However, data that is considered “sensitive data” does require consent from consumers to collect and process.
“Sensitive data” is defined as the “personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data.” These restrictions are similar to what’s found in CPRA.
As a whole, Colorado requires specific data categories to be opt-in and others to be opt-out. These hybrid consent models can yield some confusion for businesses in both frontend design consideration and backend technical implementation. Fortunately, an Ethyca Privacy Center is a suitable way for businesses to have granular control over managing Coloradans’ consent preferences.
Like with CPRA and CDPA, Coloradans will have the right to access, delete, correct, and data portability. Similarly, consumers will also have the right to opt out of businesses processing their personal data for selling, targeting advertising, and certain types of profiling.
California’s and Virginia’s privacy law also allows consumers to opt out of data processing. What’s unique to Colorado, however, is the universal opt-out mechanism. Businesses will need to implement the universal opt-out mechanism on their websites in 2024.
CPA defines a universal opt-out mechanism as a way for consumers to manage their consent preferences on a website. Although specific requirements over the mechanism’s design have not been decided on yet, they must be user-friendly and let users easily select their preferences.
Colorado residents are still submitting ideas for the universal opt-out mechanism. By July 1, 2023, the Colorado Attorney General must adopt these standards. All businesses must honor the universal opt-out mechanism on their websites by July 1, 2024.
The Colorado Protection Act requires businesses to submit Data Protection Impact Assessments (DPIAs) for any data processing that could pose a heightened risk of harm to consumers. Details on what constitutes “risk of harm” are still being decided upon in the law’s rulemaking process.
It can be challenging to keep track of so many different state privacy laws. Luckily, Ethyca can enhance your company’s privacy practices to stay compliant no matter where you do business.
To prepare for the new regulations coming in 2023, Ethyca will make updates to the Consent Management experience for your users. Your business will be able to classify the data you collect under different data categories. Ethyca’s Consent Management Platform will also allow consumers to take control over their opt in or opt out preferences. Additionally, your business will be able to store users’ consent preferences for reporting and auditing.
Your company also has the option of using the Fides privacy engineering platform. Fides will help your business orchestrate users’ privacy requests. You’ll be able to create a dynamic data map of where all of the PII lives across your business systems in real time. No more dealing with out-of-date data maps! Instead, your business will be able to seamlessly access, delete, and correct user requests on their personal data.
Since the Colorado Privacy Act will be enacted on July 1, 2023, your business will have a bit more time to prepare for this state law. If you’re also preparing for CPRA and CDPR, which will go into effect on January 1, 2023, your business already has a head start getting ready for CPA. To comply with CPA, your business simply needs to build on what it has already prepared for California’s and Virginia’s privacy laws.
Although there are different nuances to be mindful of between state privacy laws, Ethyca can help your company stay compliant throughout the U.S. no matter where you do business.
Introducing consent management in Fides 2.0. With the coming state privacy laws in 2023, your business needs to have granular control over users’ data and their consent preferences. Learn more about how Fides can enable this for your business, for free.
Ethyca launched its privacy engineering meetup, P.x, where Fides Slack Community members met and interacted with the Fides developer team. Two of our Senior Software Engineers, Dawn and Steve, gave presentations and demos on the importance of data minimization, and how Fides can make data minimization easier for teams. Here, we’ll recap the three main points of discussion.
We enjoyed two great days of security and privacy talks at this year’s Symposium on Usable Privacy and Security, aka SOUPS Conference! Presenters from all over the world spoke both in-person and virtually on the latest findings in privacy and security research.
At Ethyca, we believe that software engineers are becoming major privacy stakeholders, but do they feel the same way? To answer this question, we went out and asked 337 software engineers what they think about the state of contemporary privacy… and how they would improve it.
The UK’s new Data Reform Bill is set to ease data privacy compliance burdens on businesses to enable convenience and spark innovation in the country. We explain why convenience should not be the end result of a country’s privacy legislation.
Our team at Ethyca attended the PEPR 2022 Conference in Santa Monica live and virtually between June 23rd and 24th. We compiled three main takeaways after listening to so many great presentations about the current state of privacy engineering, and how the field will change in the future.
Our team of data privacy devotees would love to show you how Ethyca helps engineers deploy CCPA, GDPR, and LGPD privacy compliance deep into business systems. Let’s chat!Get a Demo