What You Need to Know About the Colorado Privacy Act and Connecticut Personal Data and Online Monitoring Act
- Kaitlyn Fisher
Is Your Website Ready?
Two new state privacy laws, the Colorado Privacy Act (CPA) and the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA), both go into effect and are enforceable on July 1, while the California Privacy Acts, which went into effect on January 1, 2023, will be enforceable on July 1, 2023. Is your business ready for these laws?
If you’re a national organization, you may have already taken steps to comply with the California Consumer Data Protection Act (CCPA), which went into effect January 1, 2020, or the Virginia Consumer Data Protection Act (VCDPA), which went into effect on January 1, 2023. That work is a good starting point for complying with the Colorado and Connecticut laws. There are many similarities but also some key differences. Let’s take a look.
Similarities:
- They all provide consumers with rights to access their personal data, delete their personal data, and opt out of the sale of their personal data.
- They all require businesses to take reasonable steps to protect the security of personal data.
- They all require transparency with consumers about what data is being collected and how it’s being used.
Differences:
- The CPRA is the only one of the four laws that provides a private right of action, meaning that the consumer can seek civil damages.
- Enforcement of the laws differs slightly: the Attorneys General are the sole enforcers in Virginia and Connecticut, Attorneys General and District Attorneys can enforce the Colorado law, and the AG of California and the California Privacy Protection Agency enforce the California law.
- Who the law applies to slightly varies. In Virginia, Connecticut, and Colorado, the regulations apply to businesses that “(i) conduct business or produce goods or services that are intentionally targeted to state residents, and (ii) either: (A) control or process personal data of more than 100,000 resident’s data per year; or (B) derive varying shares of total revenue from the sale of personal data of at least 25,000 residents.” The CPRA requires businesses to have annual “revenue of more than $25 million, buy or sell personal data of 100,000 or more California residents, or get 50% or more of their annual revenue from selling or sharing California residents’ personal information.”
- The way that the laws define personal information varies slightly.
This is an excellent resource for a detailed comparison of the different laws.
Is your website compliant?
Privacy Edge by LOKKER can help your business comply with new privacy laws by helping you:
- Identify all sources of data collection on the website, including trackers, pixels, cookies, and session recording tools, see what data they’re collecting, and understand if it’s being shared with any other downstream trackers.
- Clean up your site of unwanted, unauthorized, or risky trackers collecting user data before adding them to your consent tool.
- Ensure that your consent tools are working as they should, meaning that consent is granted before cookies and trackers load on the site, and that Do Not Sell links are present if they need to be.
- Block unwanted data collection by risky third parties automatically and in real time.
Contact us to learn how Privacy Edge can help you become compliant.