
A Guide to Privacy Impact Assessments for CPRA, CPA, and VCDPA

In the United States, assessments are quickly becoming one of the trending requirements of new legislation and proposed bills. CPRA, CPA, and VCDPA all have privacy impact assessment requirements, and, as 2023 rapidly approaches, organizations should be thinking about how to complete assessments, where to store them, and how to report on assessment outcomes.


The Colorado Privacy Act Has Passed, What's Next?

It is official: Governor Jared Polis has signed the bill, making the Colorado Privacy Act the latest enacted state legislation, joining California and Virginia. But what are we going to see out of the Colorado Privacy Act that's different from CCPA and CDPA?

  • There are no revenue thresholds as seen in other legislation. A company must adhere if it "controls or processes the personal data of at least 100,000 consumers" or "derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more."
  • The sale of consumer data is defined in the Colorado Privacy Act as "the exchange of personal data for monetary or other valuable consideration by a controller to a third party," much like the CCPA.
  • Consumers are protected if "acting in an individual or household context," but are excluded if qualified as a consumer through "a commercial or employment context, as a job applicant..."
  • Exemptions are detailed, but a full exemption is not provided for health care controllers with HIPAA information.
  • Data controllers have duties of transparency, purpose specification, data minimization, avoiding secondary use, care, and avoiding unlawful discrimination, as well as a duty regarding sensitive data.
  • The Colorado Privacy Act addresses consumer data protection by saying controllers cannot perform an activity "that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of each of its processing activities."

This last requirement, the data protection assessment, is going to present a large task to organizations. "Companies who aren't already doing this under the GDPR are not going to have the tools and knowledge necessary to complete these yet," says Dan Clarke, President of Truyo. That's why we've created our Privacy Impact Assessment tool to help organizations prepare for this Colorado Privacy Act requirement, which can be overwhelming.

Truyo recommends that you start preparing for this requirement sooner rather than later. If you are already a Truyo customer, reach out to your Truyo representative or email hello@truyo.com to add this service.

Ale Johnson
Ale Johnson is the Marketing Content Specialist at Truyo.