Additional Business Obligations of CPA
Colorado’s privacy law also specifies organizational obligations your business must follow to achieve compliance. This section will go over how to fulfill each of them in more detail.
CPA mandates that businesses must be transparent about their data processing practices by publishing Privacy Notices on their websites.
Your privacy notices should communicate how you’re using consumers' personal data in ways that comply with CPA. This includes the categories of personal data processed by the business or third-parties, the purpose for this processing, and how and where consumers can exercise their rights.
Privacy notices must also notify consumers if their personal data is shared and sold with third-parties, what data is shared with third-parties, and the categories of third-parties the data is shared with.
To ensure compliance with Colorado’s privacy law, write clear privacy notices on your website that includes all of the above information and is easily accessible to consumers.
CPA specifies that businesses have a duty of purpose specification and data minimization. Data minimization is the practice of only collecting data that is necessary and relevant to fulfill a specific business purpose.
Data minimization doesn’t simply mean collecting less data. Rather, it’s a way for businesses to protect themselves from potential data misuse. Reducing the amount of data your business collects will reduce the risk of improper collection, processing, access, storage, or sharing.
To start implementing data minimization into your business, identify the most necessary processing activities your business needs to conduct for a specific purpose. Then you can focus on gathering only the data you need. Once the purpose has been fulfilled, delete the data from your systems so you're not storing more data than necessary.
Do not process users’ personal data for a secondary use or what’s not necessary or explicitly stated without first obtaining user consent. If your business does this, even unintentionally, it’s considered a deceptive practice and could result in a warning from regulators.
Going through this exercise frequently will help your business ensure purposeful and compliant data collection practices with CPA guidelines.
Under CPA, businesses are also required to enter into data processing contracts, or data processing agreements, with entities that process personal data on their behalf. Real-life examples of this include third-party SaaS vendors that process and store data for your business.
These contracts must include instructions for the processor to handle data on the controller’s behalf. They must also specify the type of data being processed and its duration, and ensure that the processor follows the controller’s instructions to delete or return user data.
The contract must also ensure that the processor will not prevent the controller from fulfilling user subject and consent requests, or from providing all of the necessary information for regulators to demonstrate compliance.
One way to prove compliance with CPA is through data protection assessments ((DPAs). Under CPA, companies are required to perform DPAs and analyze the benefits and risks of processing consumers’ personal data.
CPA states that businesses may not process the personal data of consumers in a way that would heighten the risk of harm to users. Risk of harm includes:
- Unfair or deceptive treatment.
- Financial or physical injury.
- Intrusion on privacy.
- “Other substantial injury to consumers.
These assessments must also include the business actions taken to reduce potential risks to consumers. Your business must also produce DPAs to the Attorney General upon request within 30 days.