Colorado House Votes on SB190, Senate Reconciliation is Next

Updated 6/9/21 @ 11am: The Colorado Senate unanimously voted 34-0 on concurrence and final passage of SB190. It now heads to Gov. Polis, who will have 10 days to sign or explicitly veto it.

CPA applies to businesses collecting data on more than 100,000 individuals, or those earning revenue from the data of more than 25,000 consumers. It includes standard data subject rights, an opt-out consent model with a universal opt-out mechanism, and a right to cure, all subject to normal AG rule-making and enforcement.

CPA is effective July 1, 2023 unless vetoed by the Gov. The biggest difference when compared to Virginia or CPRA is the broad requirement (with fewer exemptions) for data protection privacy assessments.

A more specific compliance issue Colorado presents, according to attorney David Zetoony, is the required data protection assessment. Such examinations are also required in the Virginia Consumer Data Protection Act, but Colorado does not exempt companies from these assessments as Virginia does.

Original Post

The Colorado Privacy Act SB190 has passed the Colorado House of Representatives by a vote of 57-7. While the bill must return to the Senate for final reconciliation of amendments made by the House, it’s most likely. Unless the Governor vetoes it, which is improbable, the amendments will be reconciled in the next few days.

4 Tips for Choosing the Right Privacy Tool

First, there was technology, then came the data collection. As that technology rapidly grew more intelligent and pervasive, so too did the data. As the oceans of data that companies handle on a regular basis have grown and evolved, so have the often gray areas of consumer privacy. 

Now, privacy legislation is taking direct aim at that gray area and attempting to give consumers more control over the use of their personal and sensitive information. Naturally, this has put an increased strain on organizations of all sizes to not only maintain compliance but also provide customers tools to easily manage individual rights and consent, as well as make requests. Fortunately, there are data privacy rights management solutions that can do the heavy lifting: maintaining compliance amid ever-evolving privacy laws and automating consumers’ requests for access, deletion, correction and Do Not Sell.

But, not all solutions are created equal. So, how do you choose the right one? Here are some best practices.

Tip 1: Start with the Right People

Depending on your industry, where you’re located and whose data is in your systems, your company may be subject to General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VA CDPA), Health Insurance Portability and Accountability Act (HIPAA), or other such privacy laws. Each has its own criteria and requirements, so it’s important to understand which you’re subject to, and how to meet full compliance.

Under GDPR, you’re required to appoint a data protection officer (DPO) to manage your data privacy. But even if you don’t need to comply with GDPR, it’s still wise to designate an individual or small team committed to overseeing your data privacy strategy. This could be someone from a particular business unit like IT, your vendor management office, legal department, security group or some combination of key stakeholders. These are the folks who should meet to discuss compliance requirements, vendor solutions and how to achieve the former optimally by implementing the latter.

Tip 2: Ask the Right Question

Once you have your team in place, the next step is to define what you want in a solution. To help flesh this out, consider the following questions:

  • What are your current data protection needs, and how do you expect them to evolve?

Maybe your only goal right now is to achieve compliance with a given law. But, what about next year? And five years from now? Look ahead and try to envision how your needs might change. Even if consumer request management isn’t a significant need right now, what if there’s a breach or an event that triggers a major uptick in requests? You’ll want the reassurance of partnering with a vendor that can scale with your organization’s need and automate the most time-consuming parts of your workflow. Seek out a system that protects your data in its current state, and also can protect it down the road as it grows and changes.

  • How does the value of each solution you’re evaluating stack up against others?

Is the vendor a generalist or a specialist? While it can be alluring to go with a one-stop, all-encompassing solution, often you forgo having deep domain expertise in privacy rights management. For instance, Truyo specializes in privacy rights management and automation, and because we’ve doubled down on this specific focus, we’ve come to be known as the best-in-class solution.

Additionally, with some of the one-stop systems, you often end up paying for a handful of features and functions that you don’t need. This can also add complexity to the user experience. When evaluating solutions, investigate the user experience, how well they know specific areas of data privacy and compliance, and whether you’ll be stuck with features and functions you don’t need. 

  • How will implementing a particular privacy management platform impact your customer experience?

It’s easy to overlook the fact that, while data protection changes are ultimately positive for the consumer, they also disrupt their experience with your business to some degree. Whether it’s a pop-up consent button or a portal that shares how your company uses customer data, it’s imperative that the experience your customer has remains smooth and positive. Ask potential vendors how their particular solution impacts the customer experience. It should aim to improve it. 

Tip 3: Look for a Partner, Not a Vendor

Gathering the data and the change management that comes with developing and implementing a privacy rights program can be a daunting and big lift for many organizations. Chances are data is not housed in one, easy-to-locate place. For most, that data is spread across a smattering of systems. A true partner should take a vested interest in alleviating your organization’s biggest pain points when it comes to implementing a privacy rights program. That means taking the time with you in one-to-one conversations to truly understand your organization’s needs and create the right solution for you. A good partner should also take on the work of wrangling your data for you rather than leaving you to the task.

Tip 4: Watch for Red Flags

Finally, there are a few key warning signs to look for as you evaluate vendors, including:

  • Lack of emphasis on security. If a vendor doesn’t go out of their way to share their security measures with you, run. Anything less than identity validation with bank-level security is insufficient.
  • Limited reporting. With regulations often come audits. If you don’t have automatic logging and detailed reporting, you’ll be in a pickle when you have to prove compliance.
  • Inadequate automation. The entire purpose of a privacy rights management system is to help you achieve compliance while sparing you from operational overhead. You can’t have both of these components without advanced automation. The right system should automatically delete, change or anonymize data across all systems, and automatically search, extract and present data to users, rather than simply create the workflows for your team to execute on.

With privacy legislation growing more complex than ever, do your due diligence. Involve the right stakeholders and opt for a vendor with deep domain expertise and one that will serve as a true partner. Don’t entrust this mission-critical part of your organization to a generalist. And above all, set yourself up for success. The privacy legislation is only going to get more complex and comprehensive. You want a complete solution in place long before you get a flood of data requests or an audit. 

Truyo is a complete solution for your privacy needs. We automate your documentation so that you're always compliant with new privacy laws, we handle your consumer data requests so you save time and money, and we create your full data map in the case that you're ever audited. We're a complete solution because we want to help you be always ready, always compliant. Request a demo today to see how simple it is to start with Truyo, or switch from another platform. 

Ale Johnson
About Ale Johnson
Ale Johnson is the Marketing Content Specialist at Truyo.