Colorado Privacy Act Compliance
SENATE BILL 21-190
Data Protection Assessments and Full Governance
We work with Colorado businesses to design and implement data protection governance plans and to comply with the Colorado Privacy Act (CPA), which goes into effect Jul 1, 2023.
What does the CPA require (and how do we help?)
Starting on July 1, 2023, the CPA requires companies handling sensitive consumer data of employees in Colorado to conduct data protection assessments for every data processing activity that involves sensitive data, including processes that use automated or algorithmic tools.
The requirement applies to any company processing Colorado consumer data. It also stipulates the need for a universal opt-out mechanism, among other things. Final rules are currently being drafted, but Proceptual can help you be proactive in your preparation.
Conduct your data protection assessments prior to Jul 1, 2023, when the CPA goes into effect
The data protection assessment requirement would oblige any employer handling sensitive data, whether for consumer or employment purposes (all are considered “consumers” in this law), to perform an assessment for any tools they use to process, store, retain or share personal data. These assessments must include the justification for, intended purpose of, and risks of using these tools, as well as the mitigation measures in place.
Identify Universal Opt-Out Mechanisms
The current draft states that universal opt-out mechanisms must also be implemented and must allow consumers to opt out of all data processing or of processing for a specific purpose. It also seems that, at the moment, these mechanisms will need to be approved by the state, and that companies will have a list of approved tools to select from. We can help you identify those.
Disclosures, Consent Mechanisms, and more
The current draft requires external disclosures that include privacy notices, consent mechanisms that obtain consumer approval through “clear, affirmative action”, and more. We can help you establish the governance plan you need to comply.
When will the final rules for CPA be released?
The final rules hearing was held February 1, 2023, and it was indicated during that session that the rules would be released soon.
Sign up for our newsletter for weekly updates, or contact one of our experts to be immediately notified and debriefed when the rules are released.
Our Proven Process
Proceptual’s technology-driven, proven process produces data governance and compliance quickly and accurately.
Step 1: Scoping
- What pieces of this law are relevant to your organization?
- Which types of data and processes must be assessed?
- What types of mechanisms need to be in place?
Step 2: Data Collection & Cleaning
- Collect all data relevant to covered functions and processes
- Comply with internal and external privacy requirements
Step 3: Complete Assessments & Identify Mechanisms
- Produce data protection assessments
- Review assessments internally for accuracy
- Produce list of mechanisms needed for compliance
Step 4: Implement Public-Facing Changes
- Publish privacy notices
- Implement consent mechanisms and opt-out mechanisms
- Implement any other compliance needs
Step 5: Establish Maintenance Plan
- Establish review standards to keep up with new tools, data, processes, and laws
- Establish assessment update plan to ensure continuous compliance
How do we help?
We offer end-to-end compliance with the CPA. This includes:
Initial consultation. We work with you to understand what this law requires of your organization.
Data protection assessments pursuant to CPA. We can produce the assessments you need quickly and accurately.
We help you identify and implement any other mechanisms or tools needed for compliance.
We recommend specific steps to comply with all requirements of CPA.