It is official - Governor Jared Polis has signed the bill making the Colorado Privacy Act the latest enacted state legislation, joining California and Virginia. But what are we going to see out of the Colorado Privacy Act that's different from CCPA and CDPA?
- There are no revenue thresholds as seen in other legislation. A company must adhere if it "controls or processes the personal data of at least 100,000 consumers" or "derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more."
- The sale of consumer data, in the Colorado Protection Act, is defined as “the exchange of personal data for monetary or other valuable consideration by a controller to a third party" much like the CCPA.
- Consumers are protected if "acting in an individual or household context," but are excluded if qualified as a consumer through "a commercial or employment context, as a job applicant..."
- Exemptions are detailed, but a full exemption is not provided for health care controllers with HIPAA information.
- Data controllers have a duty of transparency, purpose specification, data minimization, to avoid secondary use, a duty of care, to avoid unlawful discrimination, a duty regarding sensitive data. Click here to learn more about controller duties.
- The Colorado Privacy act addresses consumer data protection by saying controllers cannot perform an activity “that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of each of its processing activities.”
This last bullet point is going to present a large task to organizations with the requirement of impact assessments. "Companies who aren't already doing this under the GDPR are not going to have the tools and knowledge necessary to complete these yet," says Dan Clarke, President of Truyo. That's why we've created our Privacy Impact Assessment tool to help organizations prepare for this Colorado Privacy Act requirement that can be overwhelming.
Truyo recommends that you start preparing for this requirement sooner than later. If you are already a Truyo customer, reach out to your Truyo representative or email firstname.lastname@example.org to add this service. If you are not yet a Truyo client, click here to learn more.