By Tyler Rauert
Data Controllers have important new obligations under Colorado’s newly enacted Data Privacy Law. They are as follows:
Under the law, controllers MUST:
- Be transparent about how they collect, store, use, share and sell personal data, and clearly identify the purpose for which they do so;
- Minimize the amount of data they collect and store, meaning they should only collect and store information they need;
- Avoid secondary uses of the data, meaning they can’t use personal data for reasons individuals were not originally aware of;
- Use reasonable security practices to secure the data;
- Respond to requests by individuals asserting the rights granted to them under the law; and
- Conduct Data Protection Assessments before selling personal data, processing “sensitive data,” or processing personal data that could result in:
  - unfair, deceptive or disparate treatment of individuals;
  - financial or physical injury to individuals;
  - a physical or other intrusion on an individual’s privacy that would be offensive to reasonable people; or
  - some other substantial injury.
Under the law, controllers MAY NOT:
- Collect, store, use, share or sell “sensitive data” without an individual’s consent.
- Use personal data in any way that would result in unlawful discrimination.
Keeping these new obligations in mind, here are the seven things every business should do now in order to ensure compliance with Colorado’s new data privacy law:
- Appoint a “Data Protection Officer”
This issue isn’t going away. Developing internal privacy expertise is critical to successfully and cost-effectively managing and protecting data. Now, I can hear startups and small businesses with lean teams exclaiming, “But I don’t have the headcount or salary to create this position!” Don’t worry; this doesn’t have to be an official appointment of a Data Protection Officer (unless the GDPR applies to you). I simply mean: make someone in your organization responsible for overseeing data privacy compliance. Empower them to be the primary point of contact for privacy matters, conduct internal training, foster a culture of privacy throughout the organization, and liaise with regulatory bodies when necessary. This ensures accountability and prioritization, and builds data privacy expertise within your organization.
- Conduct a Data Audit
Conduct a thorough audit of the data your organization collects, processes, and stores. Identify the types of personal information you handle, including customer data, employee records, sales lead lists, marketing lists, and any third-party data. Determine where this data resides and who can access it, and assess the associated risks. This audit maps your data so that you can shape and execute your compliance program as well as prioritize security measures.
- Integrate Privacy by Design
Integrate privacy considerations into the development of your organization’s products, services, and business processes from the outset. Minimize data collection, encrypt sensitive information, and conduct data protection impact assessments (DPIAs) for high-risk processing activities such as targeted advertising, automated decision-making, or inferring sensitive data. By embedding privacy into your organization’s DNA, you can mitigate compliance risks and build trust with your customers. Regulators also love this stuff.
- Review Your Contracts
This is dreadfully boring. Believe me, I know. But reviewing your vendor agreements, sales agreements, and any other documents through which data might be shared is necessary to ensure they comply with data privacy law, including Colorado’s new requirements. You may need to update some of these. Your counterparties should be down to amend once you let them know that privacy laws have changed a bit, and we need to tweak some things to stay on the up-and-up.
- Establish Transparent Data Practices
Prioritize transparency by crafting easily understandable, public-facing privacy policies and consent mechanisms. Ensure that customers, potential customers, employees, and job applicants know how their data is being collected, stored, and used. These policies should cover data collection practices, retention periods, purposes of data processing, data subject rights, and the mechanisms for obtaining a lawful basis for you to process personal data. You will also want to establish internal procedures for handling data breaches, responding to data subject requests, and ensuring ongoing legal and regulatory compliance.
- Educate Your Employees
Conduct regular training sessions to educate employees about the importance of data privacy and their role in it. Foster a culture of privacy awareness, accountability, and the shared responsibility of safeguarding personal information. The best trainings educate staff on privacy policies, data handling best practices, and the potential consequences of non-compliance. Empowering your employees with the necessary knowledge and skills greatly strengthens your organization’s data privacy and security posture.
- Conduct Regular Assessments and Monitoring
Data privacy compliance is not a one-time effort. The law and best practices move quickly in this area (as do the techniques employed by bad actors), so regular review and updates to these policies are critical. Establish mechanisms for regular internal audits to assess and improve compliance with applicable regulations and internal policies. Implement data governance frameworks that monitor data flows, access controls, and data protection measures. I have seen this work very well in conjunction with security compliance standards such as ISO and SOC, which are often required to do business with large, sophisticated customers and vendors.
The above checklist provides an excellent roadmap for ensuring data privacy compliance. I firmly believe it is possible to create compliance programs that address these rules in a way that still promotes profitability. For more information on data privacy, visit parts 1, 2 and 3 of this blog post series. If you’d like additional help or counsel on creating and executing your company’s privacy compliance action plan, please contact me directly.