Breaking Down Colorado’s New Privacy Law and the Future of a Federal One


Post By: Chris Pin, VP, Privacy and Compliance, PKWARE

This past July, the governor of Colorado signed the Colorado Privacy Act (CPA) into law – making the state the third to pass broad consumer privacy legislation, after California and Virginia. In fact, more than two dozen states have tried to pass similar privacy laws this year; however, most ultimately failed.

But this momentum might pave the way for the federal government to pass a nationwide privacy law, now that consumers are becoming more aware of data protection and their rights to data privacy.

What’s Included in CPA

While the CPA—like each of the other state laws—has its unique definitions and terms, it largely follows the guidelines of both the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). CPA also picked up a lot of its core requirements from the proposed Washington State Privacy Act, which was one of the bills that failed to pass earlier this year.

CPA includes guidance on data controllers and data processors, redefines what constitutes a “sale,” and specifies which industries or sub-industries are considered “exempt.” For those who are not entirely exempt, CPA defines which subsets of their data or use cases are in scope. This is all par for the course, and what we can likely expect to see from the remaining 47 states should data privacy go unregulated at the federal level.

Consumers are Pushing Forward Regulation

As mentioned, new regulations seem to be coming out faster than ever before. Some of this can be attributed to consumers becoming more aware of and sensitive to the fact that companies are making profits off their data, and considering data as a digital asset instead of a human asset. When companies do this and approach data in a more “business-minded” way, it’s possible to forget there are real people behind all the data the organization uses to become profitable.

There are multiple reasons for companies to remain cognizant of the people whose personal data is on the line. An individual could work in a sensitive industry like banking, have a sensitive medical diagnosis, or even be in witness protection. All of these are details most people would not choose to share publicly, yet they exist in data points that could substantially impact their lives if hacked, stolen, or sold to a malicious group.

Because of the level of personal impact data can have if improperly managed or used, it is extremely important that organizations not only collect just what is needed for business requirements and understand why they have that data, but also secure it as if it were their own.

Understanding the Data

The privacy laws at their very core are all about one thing: understanding your data. When a privacy, infosec, business, or even data governance team is asked things like, “Where did that data come from?”; “Why do you have that data?”; “Who is that data pertaining to?”; or “Is that data properly protected?” they should immediately have the answer. As part of the state privacy laws, companies cannot just collect data from consumers without a real purpose for it. For example, if a customer is buying a television, the retailer cannot collect information like their gender, or even their address, if they are not having the TV shipped to their house.

Leadership should also ensure that the business understands where all its data is, including duplicated data. This is the foundation and building blocks for a great data security and data privacy program. Data discovery tools can help with that.

The Possibilities of a Federal Law

Globally, several other countries have already enacted data privacy laws, including Brazil, South Africa, Canada, Australia, and Japan. The U.S. is a bit in limbo without one, with just scattered laws across the states in various stages of passing. That’s why there could be a U.S. federal-level data privacy law coming in the near future—in fact, a bill was just introduced at the end of July, called the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act.

If and when the government does create and pass this law, it will undoubtedly go above and beyond what the state laws already do. It will likely encompass data protection of multiple industries, including the financial and healthcare sectors, much like GDPR does – rather than have multiple laws pertaining to different industries (e.g., the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA)).

There is no predicting which state may pass a data privacy law next, or what the federal government could do in the next six to 12 months. But one thing is for sure: understanding what data your organization has and why, everywhere it’s stored, and what the data is intended for will ultimately set you up for success for the foreseeable future.