See how you can maintain an inventory of CPA-regulated data and provide regulators proof of 24/7 data monitoring, fulfillment of right-to-be-forgotten requests at endpoints, and policy enforcement.
Provide evidence to auditors of steps taken to secure the confidentiality of customer information collected and protect it against threats and unauthorized access.
The Colorado Privacy Act is a state-level data privacy law that was signed into law in April 2021. It is similar to the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) in the European Union, and it grants certain rights to consumers regarding the collection, use, and sharing of their personal data. The Colorado Privacy Act went into effect on January 1, 2023.
The Colorado Privacy Act applies to businesses that operate in Colorado and meet one or more of the following criteria:
If a business meets any of these criteria, it must comply with the requirements of the Colorado Privacy Act, including granting consumers certain rights regarding the collection, use, and sharing of their personal data.
The Colorado Privacy Act applies to a broad range of businesses, including online and brick-and-mortar retailers, social media companies, financial institutions, healthcare providers, and more. Essentially, any business that collects, uses, or shares personal data of Colorado consumers may be impacted by the Colorado Privacy Act.
Under the Colorado Privacy Act, “personal data” is defined as any information that relates to an identified or identifiable natural person, or that can be reasonably linked, directly or indirectly, to such a person. This includes information that is commonly considered personal, such as name, address, telephone number, and email address, as well as less obvious types of data, such as IP addresses, geolocation data, and biometric data.
CPA also includes a broad definition of “sale,” which includes the exchange of personal data for valuable consideration, such as money or other valuable goods or services. This means that businesses must comply with the act not only when they sell personal data outright, but also when they exchange it for something of value.
CPA applies to collecting, using, and sharing personal data, regardless of the specific type of data involved. However, there are certain types of personal data that are considered sensitive and receive additional protection under the act. These include data related to race or ethnicity, sexual orientation, health or medical conditions, and genetic data. Businesses must obtain explicit consent from consumers before collecting, using, or sharing sensitive personal data.
The Colorado Privacy Act requires businesses to take certain steps to ensure compliance with the law. These requirements include:
It is important for businesses to review the Colorado Privacy Act carefully and take steps to ensure compliance with the law. This may include updating privacy policies, implementing new data collection and storage practices, and training employees on the requirements of the act.
Under the Colorado Privacy Act, businesses and individuals that violate the law may be subject to enforcement actions and penalties.
The Colorado Attorney General has the authority to enforce compliance with the act and may bring legal action against businesses that violate the law. This may include fines and other penalties, depending on the nature and severity of the violation.
In addition to enforcement actions by the Attorney General, CPA also allows individuals to bring private legal action against businesses that violate the law. This means that consumers may be able to sue businesses that fail to comply with the act, and may be entitled to damages and other relief.
Businesses and individuals may also be subject to other penalties and consequences for violating the Colorado Privacy Act, such as reputational damage and loss of customer trust. It is important for businesses to take steps to ensure compliance with the act in order to avoid these types of consequences.
Experience the data security platform that scans data elements and cross-references user behavior to help you nail compliance and identify sensitive data risk.
Qohash’s Qostodian platform finds, inventories, and continuously monitors individual data elements across workstations, attached and shared drives, and Microsoft 365 cloud apps.
Qostodian monitors data elements and employee behavior 24/7, making risk identification, remediation and compliance faster and easier. Financial institutions such as Desjardins and Beneva leverage Qohash’s novel technology to watch risky employees and monitor thousands of workstations. Information security teams run data element searches and leverage data propagation functionality to see the extent of an incident within milliseconds. Security analysts see every employee and location with a specific credit card, bank account or other sensitive info type with the click of a button.
Monitor employee interactions with sensitive data 24/7, with a modern, intuitive SaaS data security platform, offered for a one-time predictable fee.