Manatt privacy and data security Partner Brandon Reilly was quoted in Cybersecurity Law Report discussing the recently enacted Colorado Privacy Act (CPA)—which consolidates ideas from its two predecessors in California and Virginia—and how it will impact businesses with operations in the state. Reilly explained that Colorado uses the same list of categories as Virginia, except it omits precise geolocation, which “is one of the most common data sets collected by businesses, especially on an automated basis.” Additionally, Colorado requires a Data Protection Impact Assessment (DPIA) for data collection that poses heightened risks, which includes all processing of sensitive data and all data sales, the publication noted. “With common requirements, like the affirmative obligations towards purpose limitation and data minimization, the latest laws will alter compliance strategies,” Reilly commented. “We may well remember 2021 as the time when U.S. businesses started to orient their privacy programs away from geography-specific models and toward harmonization of privacy rights and obligations.”
Cybersecurity Law Report subscribers can read the full article here.