As new privacy laws pass, legislators and enforcement entities are faced with operationalizing those laws in a way that makes it possible for organizations to comply through clear and concise rules. Colorado Attorney General Phil Weiser released the final operating rules for the Colorado Privacy Act (CPA). These guidelines are intended to provide explicit standards for businesses that collect and use consumer data while giving those consumers more control over their personal information.

Prepare for assessments, privacy notices, consent, and more

What’s most important for organizations to prepare for is the emphasis on assessments, universal opt-out by July 1, 2024, and adequate privacy notices. Data protection assessments will be required for activities “created or generated after July 1, 2023” without a lookback period. Your opt-out mechanism must allow consumers to opt out of the sale of their personal data, targeted advertising, and specific forms of profiling. The Colorado attorney general will release a list of approved Universal Opt-Out Mechanisms you can employ by January 1, 2024.

The new rules also included updates to requirements for “disclosures, notifications, and other communications to consumers to state that they must be provided in a readable format on all devices through which Consumers normally or regularly interact with the controller.” In addition to these disclosure requirements, if you store images, videos, or audio you need to evaluate yearly if it is appropriate to retain these files. Really, you should do this with all data with particular attention to these types. Data minimization is the key. Keep what you need for only as long as you need it.

Consent is paramount

The rules require businesses to obtain consent from consumers before collecting or using their personal data and disclosure of the names of all third parties receiving sensitive consumer data through a sale. Businesses must also provide consumers with clear and concise information about how their personal data will be used and allow consumers to access their personal data, correct any inaccuracies, and delete their personal data. Under CPA, consent is needed to process sensitive information and process information about a child. This matches the underlying theme of recent privacy legislation – transparency.

Cybersecurity matters

The rules also require businesses to implement reasonable security measures to protect personal data, again intertwining the privacy and cybersecurity divisions of an organization. Businesses must also have a data breach response plan in place should an incident occur.

The rules are a significant step forward in protecting consumer privacy in Colorado. Businesses that collect and use personal data in Colorado must comply with the rules or face penalties. Consumers who believe that their personal data has been violated can file a complaint with the Colorado attorney general.

Getting ready for July 1, 2023

If your organization is compliant with CPRA, will you need to do anything else? The answer is yes. You’ll need to evaluate your consent practices to provide consent options for consumers rather than blanket consent and make sure all consent options grouped together are compatible. Further evaluation of your disclosures, notices, targeted advertising, and processing of SARs is key between now and July 1, 2023.

Although CCPA-compliant organizations may be able to use some of their efforts to meet the CPA requirements, these laws do not completely overlap. For instance, the CPA final rules already include risk assessments and profiling considerations, but the California Privacy Protection Agency (CPPA) is just starting its work to write regulations on similar topics. We will determine if there is additional overlap as the CPPA releases finalized rules.