Compliance

CPA

The CPA (Colorado Privacy Act) gives Colorado residents stronger data rights and more protection over how their personal data is collected and used.

Cassie will be able to help you achieve compliance without you having to compromise your business goals.

Protect individual privacy

Allow end users to take control of their preferences with granular consent controls enforced across domains, devices and platforms

Avoid fines and brand damage

Cassie enables organizations to meet the complex requirements of CPA and mitigate risk with a robust framework for managing consent, avoiding severe penalties and reputational damage

Pass audit inspections

Be prepared for compliance audits with demonstrable tracking and complete history logs, alongside advanced RoPA and DSAR modules to improve efficiencies and assess risk

Ensure data security

Cassie is SOC 2 certified, assuring that an organization’s data is safeguarded against unauthorized access and breaches with industry-standard encryption and security practices

Centralized source of truth

Use Cassie to honor and enforce consent data via APIs and integrations at high volume, in real-time for CPA compliance across your tech stack (CRMs, CMS, marketing automation tools, BI tools)

Complex consent made simple

For every consent captured, Cassie can store unlimited key value pairs of additional information against those consents to unlock scalable, granular consent management

  • Who is the CPA applicable to?
    • The CPA applies to “controllers.” Your business is a “controller” if it conducts business in Colorado or targets consumers in Colorado, and either:
      1. Controls or processes the personal data of more than 100,000 consumers per calendar year, or
      2. Derives revenue (or receives a discount on goods or services) from the sale of personal data, and processes or controls the personal data of 25,000 or more consumers.
      Confused about whether this applies to you? That brings us on to the law’s definitions.

      Definitions


      What’s “personal data”?

      The CPA defines “personal data” as “information that is linked or reasonably linkable to an identified or identifiable individual.” The definition excludes publicly available information and de-identified data.

      What’s “sensitive data”?

      As we’ll see below, the CPA contains certain special rules in relation to “sensitive data,” which includes personal data revealing a person’s:
      • Racial or ethnic origin
      • Religious beliefs
      • Mental or physical health condition or diagnosis
      • Sex life or sexual orientation
      • Citizenship or citizenship status
      Sensitive data also includes genetic or biometric data that may be processed to uniquely identify an individual, and personal data from a known child.

      What’s a “consumer”?

      The CPA defines a “consumer” as a Colorado resident “acting only in an individual or household context,” and doesn’t include employees or job applicants.

      What does “selling” personal data mean?

      The “sale” of personal data means “the exchange of personal data for monetary or other valuable consideration to a third party.” “Valuable consideration” can include any benefit you derive from disclosing or transferring personal data. As such, this is a broad definition of “sale”—similar to that of the California Consumer Privacy Act (CCPA). But there are exceptions. The “sale” threshold is not met if you’re disclosing personal data:
      • To a processor
      • To a third party in order to provide products or services requested by the consumer
      • To an affiliate
      • As part of a merger, acquisition, or bankruptcy
      • At the consumer’s request
      • That has been made public via “mass media”
  • What are the consumer rights under CPA?
    • The CPA provides consumers with five rights over their personal data. Broadly speaking, the CPA’s consumer rights are:
      • The right to opt out: Consumers may opt out of targeted advertising, the sale of their personal data, and profiling in respect of decisions with “legal or similarly significant effects.”
      • The right of access: Consumers have the right to access a copy of the personal data a controller holds about them.
      • The right to correction: Consumers have the right to correct any inaccurate personal data a controller holds about them.
      • The right to deletion: Consumers have the right to delete personal data a controller holds about them.
      • The right to data portability: Consumers may receive a copy of their personal data in a portable and readily usable format.
      You must respond to a consumer request within 45 days. A possible 45-day extension is available if “reasonably necessary.”
  • What are the duties of the controllers under CPA?
    • The CPA imposes seven “duties” on controllers. Broadly speaking, the CPA’s duties are:
      • Duty of transparency: Controllers must provide consumers with a privacy notice detailing the controller’s processing activities.
      • Duty of purpose specification: Controllers must specify the purposes for which they are collecting and processing personal data.
      • Duty of data minimization: Controllers must only collect personal data that is adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes.
      • Duty to avoid secondary use: Unless the consumer consents, controllers must not process personal data for purposes that are neither reasonably necessary to nor compatible with the specified purposes for which it was collected.
      • Duty of care: Controllers must take reasonable security measures to protect personal data.
      • Duty to avoid unlawful discrimination: Controllers must not process personal data in violation of anti-discrimination law.
      • Duty regarding sensitive data: Controllers must not process sensitive data about a consumer without the consumer’s consent.
  • Do I need to complete a data protection assessment under CPA?
    • Controllers must undertake a “data protection assessment” before carrying out processing that presents a heightened risk of harm to consumers, including:
      • Targeted advertising or profiling, where the processing presents a reasonably foreseeable risk of harm to consumers
      • Selling personal data
      • Processing sensitive data
      A data protection assessment involves weighing the risks and benefits of the processing operation and identifying reasonably foreseeable risks. The assessment must be made available to the Colorado Attorney General on request.
  • What enforcement is there under the CPA?
    • The CPA is enforced by the Colorado Attorney General and district attorneys; a violation is treated as a deceptive trade practice and is punishable by a civil penalty of up to $2,000 per violation. The 60-day cure period that initially applied to violations expired on January 1, 2025. The law does not contain a private right of action, meaning that consumers cannot take controllers to court for infringing their rights under the CPA.