Sign that says, "Welcome to Colorful Colorado"

It's time to welcome Colorado to the data privacy party. The Centennial State became the third U.S. state to enact a comprehensive data privacy protection act when Colorado Governor Jared Polis signed the Colorado Privacy Act (CPA) into law July 7. Colorado joins Virginia and California as U.S. states with such privacy laws. The law becomes effective July 1, 2023.

“Despite similarities to California and Virginia laws, the Colorado Privacy Act includes unique compliance requirements,” said Kristina Podnar, digital policy and privacy expert. “Marketers will need to pay close attention to these differences as they ramp up compliance programs and aim for 2023.”

Another day, another U.S. state with a privacy act, yet still no such federal law in the U.S.. Europe has the GDPR that covers all European Union countries. Some say that day is coming soon for the U.S.. For now marketers are left keeping an eye on the piecemeal state-by-state approach in the U.S.

To Whom Does the CPA Apply

So who’s on the hook for compliance with the Colorado Privacy Act? The CPA applies to those businesses who:

  • Conduct business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado
  • Satisfies one or both of the following thresholds:
    • (1) Controls or processes the personal data of 100,000 consumers or more during a calendar year
    • (2) Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.

It does not apply to protected health information that is collected, stored and processed by a covered entities or its business associates.

Related Article: What Marketers Need to Know About the California Privacy Rights Act

Key Differences for Marketers To Know

Noticeable differences exist between the Colorado Privacy Act and the California Consumer Privacy Act (CCPA) signed into law in 2018, according to Podnar. Such differences, she noted, include the following:

  • Must obtain consent to process sensitive data
  • May only collect minimum data necessary
  • Right to data correction
  • Right to opt out of behavioral advertising, a big one for marketers, according to Podnar
  • Privacy risk assessment

And remember, California also passed the California Privacy Rights Act (CPRA) which amends some provisions and strengthens enforcement of the CCPA. Marketers can easily give themselves an acronym-privacy-law headache really fast reading through all of these emerging laws and where they differ.

“These differences indicate that while each of these states are making strides toward more transparent data collection, there remains a need for an overarching federal law regarding consumer privacy and a rigid set of regulations that advertisers can clearly follow across the board,” said Charles Farina, head of innovation at Adswerve, a Google marketing, analytics and cloud partner.

The Differences Between Colorado (CPA) and California (CCPA) in More Detail

We think it’s helpful for marketers to learn about the differences between Colorado (CPA) and California (CCPA) in more detail. So here are some of the key differences.

The Ability to Process Data

This is what marketers crave, according to Podnar. Under CCPA (California), marketers need to minimize data collection and use it for a permissible purposes. This translates into using a judgement, or interpretive approach, to only collect the data that is necessary and use it for the purposes for which it was intended when collected (e.g., email campaigns, targeted advertising), according to Podnar.

Under CPA (Colorado), marketers must only collect the minimum data that is necessary to collect in order to achieve the delivery of product or service which the consumer has requested. Thus the regulation is much narrower and not open to interpretation, according to Podnar.

“For example, if I collect your address for delivery of a Nationals T-Shirt that you requested as part of a promotion, I cannot also request your birthday information as it is not related to the delivery of the T-Shirt,” Podnar said. “However, I could ask for your phone number since I will send the package via FedEx and they use your phone number to contact you in case the package cannot be delivered.”

It is the narrow definition in Colorado's CPA that limits what you can collect, rather than California CCPA’s approach of asking you as a marketer to minimize the data collected for the task at hand.

In addition, CCPA in California allows you to process a consumer’s sensitive data for permissible purposes; e.g., use the Starbucks coffee card program using your full name and mailing address based on the birthday that you provided when you opted into hearing from me. “Under CPA,” Podnar said, “marketers have to obtain specific consent to the processing of sensitive data, which means that I would explicitly have to ask you permission to have Starbucks process your personal data so that I can send you a coffee card on your birthday.”

Related Article: What Marketers Need to Know About Virginia's Consumer Data Protection Act

Correcting Personal Data Information

Under CPA (Colorado), consumers have the right to ask a company to correct information about them that is incorrect, and a company must comply. CCPA (California) lacks this provision, meaning that marketers don’t have to comply with the request of a consumer to change information.

“On the surface this may not seem like a big deal, but again, think of this from a marketer perspective,” Podnar said. If a company, "collects my title as Sr. Manager, think about where that data goes: Salesforce, conference sponsors, third-party vendors who make custom name tags, etc. I am now promoted to director and I ask you to correct that information as it is wrong. You now have to go and track down that data at every point where you disseminated it and correct it.”

This, Podnar added, is not a small thing for most marketers because we have historically been so loose with data controls. Now marketers have to tighten those up and have more controls and documented institutional knowledge about where the data is collected, where it goes and how long it is retained. “That includes,” Podnar said, “all of those Google Sheets and Excel spreadsheets that marketers keep handy to slice and dice data outside of the martech stack.”

Opting Out of Behavioral Targeting, Advertising

CCPA (California) doesn’t provide for a user to opt out of behavioral targeting for advertising, whereas CPA (Colorado) explicitly addresses this requirement. Marketers will need to build in this functionality into systems and make it available to end users, according to Podnar.

“On the surface this sounds simple, but I can tell you from experience it is anything but straightforward,” Podnar said. “I am currently working with an organization that is trying to segregate GDPR vs. CCPA/CPA vs. rest of the world, because business folks are trying to keep the boat steady and data flowing as it has historically, at least for a fraction of the consumer population.”

It’s becoming more complex to track who you provide with what opt-ins or opt-outs, and who you can target when. Also, if you give users the right to opt out of behavioral targeting for advertising, you can see the immediate revenue drop, she said.

“In essence,” Podnar added, “CPA will force marketers to think through the value proposition to the consumer versus the crazy spray and pray methodology that most organizations have historically used. In other words, think through your user’s needs, your offerings and personalize the proposition to incentivize users not to opt out.”

Related Article: What Does it Mean to Be CCPA Compliant?

Universal Opt-Out for Colorado

CPA Colorado also introduces the option of “universal opt-out”, continuing the trend of allowing consumers, and their authorized agents or browser tools, to exercise opt-out rights universally, rather than instance by instance, according to Sarah Gounder, legal director for Iterable, a cross-channel marketing firm.

“Coupled with CPA’s requirement for opt-in processing of personal information, the consent standard explicitly bans businesses from using ‘dark patterns’ or manipulative interfaces and design,” Gounder said. “Dark patterns are quite harmful to certain consumer demographics, who sometimes aren’t familiar with navigating complex interfaces; not to mention dark patterns impair individual consumers’ individualism and autonomy. This addition sets a higher standard than the equivalent California law.”

Risk Assessment in Play

CPA (Colorado) requires a risk assessment, whereas CCPA (California) does not. That means that businesses will need to understand what is being collected and how to protect user data while also providing employee education about data ownership and protection, Podnar said. This extends to when user information can be shared or sold for business-related purposes.

“Having that transparency for the user via assessment means major changes internally as marketers think through what data is collected, where it is shared, for what purposes, and that strategy and marketing ops are shared with internal staff,” Podnar said. “Even for a small org, that is a tall order. Scale that out in your mind to an Intel or an IBM, and the complexity is massive. There are so many different programs, touch points for data collection, that most marketers — and those supporting them — will be busy for a while doing process and data mapping.”

Related Article: How to Turn Data Privacy and Compliance Regulations Into a Buyer Advantage

Setting a High Bar for Marketers

Ultimately, the Colorado CPA’s language sets a high bar for marketers to be transparent in their communications, and to invest in and design experiences that are customer-first, according to Gounder. Now that consumers have the power to opt out of information collection, marketers should double down on communicating their brands’ intentions while collecting customer data to avoid customer opt-outs.

“Legal updates may have been made to protect privacy, but consumers still have high expectations for brands to deliver experiences that are personalized and valuable, which is an expectation that is impossible to deliver on without access to their data,” Gounder said. “While data collection and trust are more often seen as contesting than collaborative, this doesn’t have to be the case. By focusing on communicating clearly with customers and using data to create elevated and individualized experiences, brands can build long-term, lucrative relationships with consumers that will far survive.”

Getting Your First-Party Data Strategy Right

While changes in consumer sentiment and new regulations influenced Google Chrome’s decision to phase out third-party cookies, it’s clear that the marketing industry needs more time to adjust to a privacy-first world, according to Farina. “Consumers are eager for a more transparent, two-way relationship that benefits both parties, and marketers must take advantage of this extension to get first-party data right,” Farina said. “With a 2023 deadline (for CPA), advertisers have the time to focus on privacy-first strategies and first-party data analysis to develop a deeper understanding of their consumers and work toward a future without third-party cookies.”

Marketers must work toward solidifying their first-party data strategies as legislation like the CPA will likely develop across more states’ agendas.

“Despite the overall strong initiative, there remain loopholes in the CPA and other state laws for gathering first-party data, as well as continued doubt from consumers about the safety of their data,” Farina said. “While a first-party data landscape is seemingly still a couple of years ahead, marketers need to start developing new strategies now in order to effectively build trust with consumers in the future.”

Related Article: Google Delay Means Marketers Live in Cookie Tracking World Another Two Years

Cross-Functional Team Can Help Tame the Privacy Law Chaos

With more emerging U.S. state privacy laws on the horizon, marketers are likely asking themselves how to comply with varying state laws and stay updated on current changes. As a marketer, it can be difficult to determine which rules apply to your organization and keep up with the requirements, according to Gounder, especially if your organization is also subject to industry-specific regulations such as HIPAA and PCI.

“Although consequences of non-adherence can be costly, adherence does not need to be and can be a collaborative effort when privacy by design is your organization’s focus,” Gounder said. “An important first step is to prepare a cross-functional team, which will develop and lead a compliance workflow. While every organization has unique needs and challenges, this team will likely consist of marketing, legal, compliance, engineering and operation efforts.”

Though remodeling your traditional data practices can be tricky, it’s well worth it — and legally mandated — in the end, according to Gounder. “Transparent and consensual data collection,” she said, “enables you to create high caliber customer experiences and build trust, all of which can improve customer loyalty and your bottom-line.”