Colorado Privacy Act Consulting
If you need help getting ready for the Centennial State’s new privacy law, you’re not alone. Red Clover Advisors is here to help you make it all make sense.
US Privacy is a Patchwork
When the European Union passed the General Data Protection Regulation (GDPR), it was the first major comprehensive consumer privacy law in the world.
The GDPR became effective in 2018, and since then, countries and consumers have continued to demand changes to the way companies collect and process personal data online.
Unlike the European Union, the United States does not have a federal digital data privacy law that is enforceable across all 50 states. Instead, the US has opted for a fractional approach, creating a patchwork of privacy regulations that vary from state to state.
The US data privacy race is on. If your state doesn’t have a privacy law yet, it will. Red Clover Advisors can help you get ready.
In 2018, the first US data privacy law, the California Consumer Privacy Act (CCPA), took our country’s data privacy from zero to 60.
California also closed CCPA loopholes by passing another law, the California Privacy Rights Act (CPRA), before other states could even get a law on the books. But in early 2021, the Virginia General Assembly passed the Consumer Data Protection Act (VCDPA) and Virginia became the second state to protect consumer privacy.
The June 2021 Colorado Privacy Act (CPA) borrows from both the California and Virginia laws, but it also has a few original contributions to the US privacy patchwork.
No matter which privacy law your business is subject to, RCA can help you create an affordable, practical privacy program that is compliant and customer-focused. Call us today to schedule a consultation with our experts.
Download your guide to CPA compliance now!
Pro-Privacy is Pro-Customer & Pro-Business
Many businesses view privacy as an expensive cost center. That’s not accurate. Here’s why:
- 70% of Americans believe their data is less secure than it was five years ago.
- 84% of consumers want more control over how personal information is used online, both for themselves and for others.
- 97% of businesses have seen benefits like a competitive advantage or investor appeal from investing in privacy.
Creating an effective privacy program shows your customers you mean it when you say you care about them by putting your money (and your resources and your focus) where your mouth is.
If you center privacy as part of a customer experience and retention strategy, you’ll meet an unmet need, strengthen customer loyalty, and outperform your competition—all without changing a single product.
Let us help you turn something you have to do into something that makes you unique.
Here’s the skinny on the who, what, and how of the CPA.
Entities To Which It Applies
Entities that conduct business in Colorado OR produce products or services intentionally targeted to Colorado residents AND
- Control or process the personal data of at least 100,000 Colorado consumers during a calendar year
- Process or control personal data of at least 25,000 Colorado residents and receive revenue from or a discount on the price of goods and services from the sale of personal data
(Unlike the CCPA and the VCDPA, there are no thresholds for either annual revenue or percent of revenue derived from the sale of data)
What Consumers’ Rights Are
- Being informed when personal data is collected
- Knowing what types of data are collected
- Correcting inaccuracies in the personal data collected
- Deleting their data from your databases
- Receiving a copy of their personal data in an easy-to-use format
- Opting out of ad targeting based on inferred preferences (aka behavioral advertising)
- Opting out of having their sensitive data shared or sold
- Opting out of automated decision making or profiling
- Appealing a business’s refusal to act within a reasonable timeline
How It’s Enforced
- Actions against offenders can be brought by either the Colorado Attorney General or district attorneys within the state
- Violators have a 60-day cure period to remedy adverse findings
- Unresolved violations are considered deceptive trade practices punishable by fines up to $20K per violation
(Unlike the CCPA, but similar to the VCDPA, there is no private right of action for consumers)
What Businesses Have to Do
- Create a clear, accessible, and meaningful privacy policy
- Minimize the amount and types of data collected and avoid secondary use of collected data
- Obtain consumer consent via a “clear affirmative act signifying consent is freely given” before processing certain categories of sensitive data
- Establish, implement, and maintain reasonable data security practices
- Conduct a data protection assessment (similar to the GDPR data inventory requirement)
- Establish contracts between data controllers, who are responsible for determining how and why data is processed, and data processors, who perform the actual data operations
- Receive clear, affirmative consent from consumers before processing sensitive personal data such as genetic or biometric information or data from a child.
- Complete regular risk assessments
If you’ve never had a privacy program before, these charts can feel like a lot. Even if you already have a privacy program, adding compliance for yet another law can feel overwhelming.
But trust us. Meeting these regulatory requirements is easier than you think. Doing it might even make your operations more efficient and effective.
RCA’s privacy consulting services can give you what you need within your budget and your timeline.
Wondering what working with a privacy consultant would look like for your business? Call us today to schedule a consultation.
Prepping for Privacy—How to Be CPA Compliant
The CPA goes into effect on July 1, 2023, which means that time is on your side.
But only if you start now.
Don’t wait for the “right” time to start. Make it the right time by just starting.
Here are five steps you can start on today. To learn more, download our full guide to CPA compliance.
You can’t protect what you don’t understand.
If you don’t want to have to redo the program and processes you create, you have to know everything about your data, including:
- What you’re collecting and why
- How long and where you’re keeping it
- Who you’re sharing it with or selling it to
We can map your data by following it through its entire lifecycle in your system. And if you already have compliance software, we have the expertise needed to maximize its capabilities.
Data mapping almost always reveals vulnerabilities in your data infrastructure. Whether the risk comes from technology, processes, or people, RCA can help you clearly identify the issue, find realistic solutions, and implement the changes needed to remedy the situation.
The CPA was only passed in June 2021, which means many of the technical parts of the law haven’t been decided yet. But that doesn’t mean you can’t get started.
Most privacy laws follow privacy best practices, and there are plenty of things you can do to establish a foundation capable of quickly and easily responding when the nitty-gritty details are finally ironed out.
In particular, this means being prepared to meet individual rights requirements. Individuals have the right to be informed when their personal data is collected, to correct inaccuracies in their personal data, and to delete their data from your database. They also need to have the option to receive a copy of their personal data in an easy-to-use format and to opt out of ad targeting and having sensitive data shared or sold.
As recognized privacy experts who understand that consumer privacy is a new field still finding its feet, we excel at developing smart and sensible solutions that are adaptable and scalable by design.
Companies prepared to manage change are the ones who succeed. We can help you be that company.
The best privacy program in the world will fail if it’s not cross-functional in both design and execution.
Protecting customers’ sensitive personal information in our hyperconnected economy crosses IT, marketing, customer experience, legal, HR, and operations functions. If you want your privacy program to work, representatives from all these teams need to be together at the drafting table.
95% of data breaches are caused by human error, which means your employees can either be your best defense or your biggest liability.
Just like you need input from all your departments when you create your plan, you need every employee in each of those groups to understand their role in your plan’s execution.
With the goal of matching content to your specific needs, our customized training programs can be delivered virtually or in person for small groups or entire companies over just a few hours or across several days.
Let us show you how we take the guesswork and stress out of creating a robust data privacy program.
Preparation Prevents Poor Performance
You can’t fake preparation.
Crisis situations are inevitable. But there is a difference between crises that are outside your control and crises you create for yourself by ignoring issues visible on the horizon.
If you aren’t proactively working on protecting your customers’ sensitive personal information, you’re building your own crisis brick by brick.
Right now, you’ve got the time.
And we’ve got the skills.
Don’t get forced into learning about data inventories, reasonable security measures, and privacy best practices when you’re facing enforcement actions or in the middle of a damaging data breach. If you put in the work now, you’ll have the skills and knowledge you need to quickly resolve issues when they happen.
At RCA, we passionately believe that a good data privacy program is a powerful tool that creates great experiences for your customers and helps you give more value than you take. Our in-depth understanding of data regulations and corporate backgrounds allow us to successfully guide clients through the intersection of data privacy, digital marketing, and business strategy.
We can help you understand and satisfy the CPA’s regulatory requirements, but more importantly, we can help you create a data privacy program that goes beyond compliance and makes consumer privacy awareness part of your company culture.
