Drive CPA sensitive data compliance

CPA Overview

Colorado Privacy Act

The Colorado Privacy Act is a state-level data privacy law that was signed into law in 2021. It is similar to the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) in the European Union, and it grants certain rights to consumers regarding the collection, use, and sharing of their personal data. The Colorado Privacy Act will go into effect on July 1st, 2023.

Businesses impacted

The Colorado Privacy Act applies to businesses that operate in Colorado and meet one or more of the following criteria:

1. Control or process the personal data of 100,000 or more Colorado residents during a calendar year 
2. Derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more Colorado residents.

If a business meets any of these criteria, it must comply with the requirements of the Colorado Privacy Act, including granting consumers certain rights regarding the collection, use, and sharing of their personal data.

The Colorado Privacy Act applies to a broad range of businesses, including online and brick-and-mortar retailers, social media companies, financial institutions, healthcare providers, and more. Nationwide businesses that fall under the CPRA, VCDPA, or GDPR may already possess most of the necessary mechanisms to comply with the new Colorado law in practice. On the other hand, small and medium-sized businesses that may not have met the threshold criteria for these other statutes may find it challenging to meet the data privacy requirements for consumers for the first time.

Data types covered

Under the Colorado Privacy Act, “personal data” is defined as any information that relates to an identified or identifiable natural person, or that can be reasonably linked, directly or indirectly, to such a person. This includes information that is commonly considered personal, such as name, address, telephone number, and email address, as well as less obvious types of data, such as IP addresses, geolocation data, and biometric data.

CPA also includes a broad definition of “sale,” which includes the exchange of personal data for valuable consideration, such as money or other valuable goods or services. This means that businesses must comply with the act not only when they sell personal data outright, but also when they exchange it for something of value.

CPA applies to collecting, using, and sharing personal data, regardless of the specific type of data involved. However, there are certain types of personal data that are considered sensitive and receive additional protection under the act. These include data related to race or ethnicity, sexual orientation, health or medical conditions, and genetic data. Businesses must obtain explicit consent from consumers before collecting, using, or sharing sensitive personal data.

Compliance requirements

The Colorado Privacy Act requires businesses to take certain steps to ensure compliance with the law. These requirements include:

1. Providing a clear and conspicuous notice to consumers at or before the point of data collection, explaining what personal data is being collected and how it will be used.
2. Allowing consumers to opt out of the sale of their personal data to third parties.
3. Allowing consumers to request that their personal data be deleted.
4. Implementing reasonable security measures to protect personal data from unauthorized access, use, or disclosure.
5. Refraining from discriminating against consumers who exercise their rights under CPA.

It is important for businesses to review the Colorado Privacy Act carefully and take steps to ensure compliance with the law. This may include updating privacy policies, implementing new data collection and storage practices, and training employees on the requirements of the act.

Enforcement and penalties

Under the Colorado Privacy Act, businesses and individuals that violate the law may be subject to enforcement actions and penalties.

The Colorado Attorney General has the authority to enforce compliance with the act and may bring legal action against businesses that violate the law. This may include fines and other penalties, depending on the nature and severity of the violation.

In addition to enforcement actions by the Attorney General, CPA also allows individuals to bring private legal action against businesses that violate the law. This means that consumers may be able to sue businesses that fail to comply with the act, and may be entitled to damages and other relief.

Businesses and individuals may also be subject to other penalties and consequences for violating the Colorado Privacy Act, such as reputational damage and loss of customer trust. It is important for businesses to take steps to ensure compliance with the act in order to avoid these types of consequences.

Six ways Qohash drives compliance

Breach identification

Monitor sensitive data risk around the clock and receive alerts the instant risky accumulation, deletion or exfiltration occurs. If an incident occurs, use keyword search to look up a specific data element and track the full data lineage, including the exact location where the data got out of an environment, where it ended up – every touch point in between.

Sensitive data inventory

Qohash provides a complete inventory of sensitive, unstructured data at-rest. Qohash discovers sensitive data 50x faster than alternatives, across any data source, in any location. Qohash provides labeling, classification, custom RegEx and keyword searches, plus ranked and contextualized risk.

Data deletion

Run keyword searches by name, date, credit card number and more to find all copies of sensitive data across business systems. See which categories of sensitive data are stored on business systems. See how specific data elements moved across employees and locations. Delete data directly within the platform to show compliance with data deletion requests in any location – including endpoints.

Risk assessment

A foundational step in conducting a risk assessment, Qohash provides an inventory of regulated data across every data source. It provides access control lists for evaluation as to whether those with access have a legitimate business need for it. Gain insight into all sensitive data critical exposure points. See how much sensitive data is on business systems and who has access to it. Put policies in place, configure risk levels appropriate to the business, and receive notifications the instant policy violations occur.

Policy enforcement

Qohash provides auditors with evidence that sensitive data is monitored and cross-referenced to employee interactions, enabling in-the-moment policy enforcement. Qohash looks into files to track data elements. It monitors those elements and cross-references them to employees and locations. Know the instant an employee has a risky interaction with sensitive data. Trace the lineage of any data element that moves onto workstations, for faster remediation.

Access control

Quickly create an access control list of all regulated data. Provide evidence of restrictions and show regular evaluation of whether those with access have a legitimate business need for it.