Colorado is set to become the third state — alongside Virginia and California — to sign a privacy act into law, marking another step towards consumer data protection in the U.S.
The new law will be known as ‘The Colorado Privacy Act (CPA)’ and it is scheduled go into effect July 2023. The proposal is for the Act to be applicable to companies that either collect personal data from 100,000 Colorado residents or collect data from 25,000 Colorado residents and also derive some portion of revenue from sales.
The Act will affect businesses and they will need to prepare and put in place systems to ensure compliance. In addition, the Act will provide new rights for customers, and there remains the potential for more states to get on board with this form of legislation.
Looking at the changes for Digital Journal is Tyrone Jeffress, Vice President of Engineering & US Information Security Officer at Mobiquity.
Jeffress looks at the growing array of privacy bills appearing in the U.S.: “The news of Colorado joining Virginia and California in the passage of privacy acts is welcome as the nation moves towards ensuring these rights for residents and consumers. The law, while holding many similarities to Virginia’s privacy regulations, is expected to be more effective than others as it can be enforced by both the Colorado office of the Attorney General as well as local district attorney offices.”
He adds that the CPA is a little different to the earlier bills: “The CPA goes beyond California’s by requiring a blocking option for consumers to “opt-out” of having their personal information shared to create consumer profiles.”
This means new challenges for businesses, says Jeffress. He recommends: “To ensure compliance with the CPA’s heavier guidelines, businesses and organizations must have a deeper understanding of how their data is collected and exactly what it is being used for when targeting new customers and sharing publicly.”
Jeffress sees the legislation as something positive, noting: “I’m thrilled for the residents of Colorado. Ultimately, each new legislation is a win for U.S. consumers and privacy advocates. As more states introduce privacy regulation, U.S. consumers will be afforded increased agency and control over how their data can be collected and used.”
He see the U.S. as moving towards stronger consumer rights: “Right now, we have a patchwork of privacy regulations that guarantee rights for some, but not all, U.S. consumers based on residency. Each state that adopts common privacy principles will slowly start to raise the bar, but it would be ideal for U.S. residents to have one single framework for data privacy that serves all Americans.”
In terms of lessons for businesses, he adds: “As businesses start to comply with the law, consumers can expect to see more pop-up notifications on websites disclosing how information is being collected and how that information is used. These disclosures are ubiquitous in Europe and will start to increase across the digital landscape in the U.S. as new privacy regulations come onboard. The good news for consumers is that many of the common privacy rights afforded to EU & California residents will become part of the standard way of engaging with businesses in the U.S. going forward.”