Colorado Privacy Act Continues Countdown to 2023 Effective Date
Attorney General's Remarks Highlight Upcoming Compliance Deadlines
Colorado Attorney General Philip Weiser issued remarks on Data Privacy Day in January discussing his office's plans for implementing the Colorado Privacy Act (CPA), as well as best practices for companies to comply with data security requirements. Though the remarks did not provide much detail regarding topics to be tackled in the rulemaking process, they did suggest that Weiser's office will be focused on enforcement of the CPA's provisions and other Colorado laws requiring businesses to take reasonable measures to secure personal information.
CPA Rulemaking
In his remarks, Weiser outlined that the process to issue rules under the CPA – which was passed in July 2021 and goes into effect in July 2023 – will involve separate stages of feedback from Colorado consumers and businesses before the formal rules are drafted. A formal Notice of Proposed Rulemaking is anticipated by this fall with final rules expected to be adopted in early 2023. Weiser did not preview the topics on which he would seek feedback or any rulemaking priorities.
With passage of the CPA, Colorado became the third U.S. state, following California and Virginia, to pass comprehensive data protection laws. In his remarks, Weiser noted the absence of federal guidance on data privacy and security, labeling the passage of the CPA as a "second-best solution" in the wake of congressional inaction and lack of comprehensive legislation on a federal level, which has left companies to sort through a "patchwork of standards" from varying state laws. Weiser emphasized the importance of support for state leadership in order to protect consumers' data and privacy rights, highlighting his state's efforts to pass the CPA to strengthen consumer protection.
Emphasis on Data Security
Weiser's remarks also emphasized requirements in the CPA and existing state law to provide appropriate protection to personal information, dispose of it when no longer needed and promptly notify Colorado residents when their information has been affected in a breach. Weiser noted his office's power to enforce such laws, listing examples of past enforcement actions against certain companies for running afoul of acceptable data protection practices. These include instances of data breaches in which businesses had failed to properly respond to phishing attacks and ransomware incidents. He cited a best practices guidance document previously published by his office for further details on protecting sensitive information from unauthorized third-party intrusion. These best practices include:
- identifying types of data collected and establishing a system for its storage, management and disposal
- maintaining a written information security policy that includes employee training
- adopting a written data incident response plan outlining remedial actions and timely notification plans in the event of a data breach
- managing the security of vendors by limiting data sharing to strictly necessary purposes and ensuring vendors are obligated to protect consumer data
- practicing vigilance and engaging protective measures to protect against ransomware attacks and other data security threats
Weiser also referred to federal guidance and previous state guidance setting forth key steps for sound data security protection, including:
- adopting multifactor authentication
- using endpoint detection to search for malicious network activity
- responding to potential malicious activity on the network
- encrypting sensitive data
- utilizing a skilled, empowered security team to rapidly patch vulnerabilities and incorporate threat information into company defenses
- backing up and regularly testing data, system images and configurations
- maintaining backups offline
- testing existing incident responses plans and security team response
- segmenting company networks
More Than Privacy
The need to dispose of personal information when it is no longer needed is often cited as a privacy requirement, but Weiser described it as a security requirement, indicating that failure to maintain processes to dispose of information at the end of its life cycle is a failure to implement reasonable security. The CPA, Virginia's new consumer privacy law and the amendments to California's privacy rules all contain requirements to secure personal information, as well as minimize personal information processed. Weiser's remarks serve to further underscore that businesses need to address retention of personal information as they prepare for new privacy requirements in 2023.