The alphabet soup of privacy regulations is only starting to heat up.
On July 7, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (aka CPA or ColoPA depending on who you ask) into law. This makes Colorado the third state — joining California and Virginia — to pass comprehensive privacy legislation. Publishers and marketers will need to comply by July 1, 2023.
Much like its predecessors, California’s CCPA and CPRA, as well as Virginia’s VCDPA (with a dash of GDPR thrown in), the CPA will give Colorado residents a bunch of privacy rights, including the right to access, correct, and delete their personal data, and to opt-out of the processing of their data for targeted advertising, sale of their personal data, and profiling.
Also like the others, the CPA could significantly impact personalized advertising. This is a major concern for the advertising ecosystem, as Apple and Google are making changes that limit the targeting of individuals for advertising and content personalization purposes.
As other states are likely to follow suit (and a Federal Privacy Law is imminent) it’s imperative that publishers, advertisers, and ad tech companies think ahead and plan for solutions that are flexible enough to adjust for all types of scenarios. Consumers are looking for transparency and a clear understanding of the value exchange provided when you’re asking them to opt-in. As such, being prepared for CCPA and VCDPA won’t necessarily mean you’re covered for CPA, as there are a few key differences.
Who Needs to Comply With CPA?
If you’re conducting business in the state of Colorado or providing goods and services targeted to Colorado residents and either control or process data of 100,000 or more Colorado residents in a calendar year, or bring in revenue from the sale of personal data and control or process the personal data of at least 25,000 Colorado residents, then this law applies to you.
CPA and VCDPA focus on the amounts of data processed by businesses, rather than the amount of revenue generated like CCPA. And as a first, unlike CCPA and VCDPA, CPA will also hold nonprofit companies accountable.
Publishers, and their advertising partners, should take note of how Colorado defines “personal data” as information that is “linked or reasonably linkable to an identified or identifiable individual,” which means that the individual can be identified either directly or indirectly by reference to an identifier, including either a name, identification number, geolocation data or other online identifiers.
Key Differences Between CPA and Both CCPA and VCDPA
Sure, you’ve got a jump on CPA if you’re already in compliance with CCPA or prepping compliance with VCDPA, but you should also pay close attention to some key differences that might provide a few bumps in the road.
The advertising ecosystem should pay close attention to the following differences:
- CPA enforcement power will reside with the state’s AG and DA and violations will be classified as deceptive trade practices that can be fined $20,000, unlike CCPA and VCDPA which fine up to $7,500 for violations. This will limit consumer-initiated litigation.
- Under CPA, there is a 60-day cure period (unlike the 30 days you get with CCPA and VCDPA) before enforcement action will be taken by the AG and DA. Noncompliance can result in civil penalties of not more than $2,000 per violation, not to exceed $500,000 in total for any related series of violations. The cure period will only be provided until January 1, 2025.
- Data protection assessments will be a lot more rigorous, requiring ongoing documentation of all processing activities involving the processing of personal data.
- As well the regulation provides an opt-out provision mandating that requires businesses to provide consumers with a one-click, universal opt-out feature. It will be up to the AG’s office to provide the technical rules for such mechanisms. Consumer requests can be denied if they cannot be authenticated. This universal opt-out requirement syncs with recent news that the California AG is now requiring that all companies adhere to opt-out requests sent via Global Privacy Control (GPC).
- CPA also introduces a sensitive data requirement, which means businesses have to obtain consumer consent for the processing of data that might reveal racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status, or genetic or biometric data as well as personal data from a known child.
- Consumer portability rights include personal data both collected from and about the consumer. Not only will consumers have the right to receive any personal data collected by a publisher or advertiser in a portable format, but they can also request any other information that was collected about them.
- “Sales” include personal data exchanged for non-monetary purposes. Like CCPA, CPA defines sale broadly, but also like VCDPA, it excludes some exchanges of data from the definition, including disclosure to “affiliates.”
This isn’t just a matter of updating compliance systems and processes around consent management, it’s also time to think ahead to how you will target and measure advertising campaigns effectively. If you don’t already have a first-party data strategy in place and aren’t testing out ID solutions, what exactly are you waiting for?