Colorado has become the third US state to pass a comprehensive data privacy law. The Colorado Privacy Act (CPA) was signed into law on July 8th, 2021. Modeled closely on the Virginia Data Protection Act (VCDPA) passed earlier this year, the CPA provides comprehensive privacy rights to residents of Colorado and imposes a new set of obligations and duties on data controllers managing consumer personal information.
With the increasing importance of privacy in today's digital age, the Colorado Privacy Act represents a major step forward in the protection of personal data for residents of the state.
The Colorado Privacy Act, also known as Senate Bill 21-190, is a comprehensive privacy law that was enacted in Colorado on July 7, 2021. This legislation provides significant protections for the personal information of Colorado residents, establishing new standards for the collection, use, and protection of personal data by businesses operating in the state.
All consumers may invoke the following rights by sending a verified request to the data controller (in case of a child, the parent/guardian may send the request on behalf of the child):
The consumer shall have a right to confirm whether or not a controller is processing his/her personal data.
The consumer has a right to access the personal data collected and processed about him/her by the data controller.
The consumer has a right to have inaccurate personal data stored or processed by the data controller corrected.
The consumer has the right to have his/her personal data stored or processed by the data controller deleted.
The consumer has a right to obtain a copy of his/her personal data in a portable, technically feasible and readily usable format that allows the consumer to transmit the data to another controller without hindrance.
The consumer has the right to opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice containing specific information including categories of data it shares or sells (including for targeted advertising) and means for consumers to exercise their rights and how they can appeal against the denial of their DSRs.
A controller must undertake Data Protection Assessments (DPAs) for each processing activity that poses a heightened risk of harm to consumers, protect deidentified data from reidentification, comply with data subject requests made by consumers, and ensure that the data processors it contracts with comply with the duties prescribed under this law.
Controllers shall not collect unnecessary personal data of consumers or process the personal data for purposes beyond what was disclosed to consumers without gaining their consent.
Controllers may not process the personal data to discriminate against the consumer in violation of state or federal laws that prohibit unlawful discrimination against consumers.
Controllers cannot process sensitive personal data or data of minors unless they have the express consent of the consumer or of the parents/guardians of a minor child, respectively.
Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data during both storage and use. Such data security practices shall be appropriate to the volume and nature of the personal data at issue.
Unlike the VCDPA, which can be enforced only by the Virginia Attorney General, the Colorado Privacy Act can be enforced either by the Attorney General or District Attorney, or both. In the event of a notice served by the AG or DA, the controller will be given 60 days to fix the violation. A non-compliant business or entity shall be fined up to 20,000 per violation.
The CPA does not apply to:
The Colorado Privacy Act protects the personal information of Colorado residents by setting new standards for the collection, use, and protection of personal data by businesses operating in the state. The act seeks to give individuals greater control over their personal information and to promote transparency and accountability in the handling of such information by companies.
It further addresses the growing concerns around the misuse and exploitation of personal data, particularly in light of recent high-profile data breaches and privacy violations. The act requires businesses to implement appropriate security measures to protect personal data, and to be transparent about their data practices by providing individuals with information about the data they collect, how it is used, and whom it is shared with.
In short, the Colorado Privacy Act aims to ensure that businesses handle personal information responsibly and securely and to give individuals greater control and visibility over how their personal data is collected, used, and protected.
The provisions of this act shall become effective on July 1, 2023 unless a referendum petition is filed within 90 days after final adjournment of the general assembly and the people vote for the proposed changes to the act within the referendum at the general election to be held in November 2022. In such a case, the amended provisions will take effect July 1, 2023, or on the date of the official declaration of the vote thereon by the governor, whichever is later.
The CPA is structurally very similar to the VCDPA. There are only a few significant differences between the two acts.
Data Protection Assessments under the CPA must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks. It is important to note that the controller shall make the data protection assessments available to the attorney general upon request.
The requirement to conduct Data Protection Assessments under the CPA shall apply to processing activities created or generated after July 1, 2023, and is not retroactive.
The CPA defines a minor as below 13 years of age for the additional protections it provides.
There is no 12-month time limit, as found in the CPRA or CCPA, after which the business can re-ask for the consent of a consumer who chooses to exercise the right to opt out.
The CPA requires that opt-in consent be collected for processing of children’s Personal Data, use of Sensitive Personal Data, and use of Personal Data beyond the initial purpose for which it was collected.