Colorado Attorney General Phil Weiser is following in California Attorney General Rob Bonta’s footsteps by sending letters to organizations in scope of their respective privacy laws. While AG Weiser’s notices didn’t serve as a warning of non-compliance, it made clear his intentions to bring enforcement in the future.

To summarize the letters that went out, the scope of the Colorado Privacy Act, obligations for companies in scope, and a clear recommendation that the companies on the receiving end of the letters “assess whether the CPA applies to your business, and if so, ensure that you are in full compliance with its terms.”

AG Weiser, in no uncertain terms, made it clear he’s got an eye on the compliance efforts of companies in scope and this is their chance to evaluate compliance before true enforcement begins.

Is Enforcement Coming?

It’s not a matter of if, but a matter of when the next round of letters will be disseminated, and it is unlikely they will be as gentle. We anticipate the next round to be a heavy-handed warning that compliance was brought to your attention and you’ve chosen to continue with activities deemed unlawful by the Colorado Privacy Act.

While AG Weiser’s first round of letters were simply a reiteration of CPA requirements, the nudge to companies to assess their readiness and compliance hinted at what’s to come. If AG Bonta’s letter cadence is any indication, the next letter will identify specific compliance issues to companies that have yet to address and give the defined cure period of 60 days to rectify the identified concerns. The 60-day right to cure will sunset January 1, 2025 so for the time being, companies can expect that cushion.

Truyo President Dan Clarke says, “Since the Attorney General referred to these as “the initial round of letters,” he clearly intends to follow up to underscore the “new legal obligations” on companies through assessments, a particular emphasis on the requirement to obtain consumer consent prior to collecting sensitive data, and the obligation to allow consumers to opt out of targeted advertising.”

What Will CPA Enforcement Look Like?

While the Colorado Privacy Act does not include a private right of action, potential fine amounts were not disclosed. Many privacy laws will outline the maximum penalty for non-compliance, but that’s not the case in Colorado. We don’t know if AG Weiser will lean toward hefty penalties or not, but he certainly seems to be intentional in building up to actual enforcement indicated by the operating rules being longer than the actual statute and this pre-enforcement activity foreshadowing what are likely to be aggressive intentions.

 

Use Truyo’s free privacy policy generator to ensure your policy is up to date with all current privacy regulations, including the Colorado Privacy Act.

Stay Off Enforcement Radar

There are simple steps you can take to comply with the most obvious aspects of the law:

• Update your privacy policy to include clear right to opt out and transparent explanation of data collection and use.
• Ensure consumers can submit Data Subject Access Requests and those are fulfilled within the 45-day response period.
• Implement a universal opt out mechanism (UOOM) by July 1, 2024.
• Establish consumer consent for sensitive data collection.
• Identify when data protection assessments are required and be prepared to complete when necessary.

Lastly, assess your data collection and practice adequate data minimization. If the PI and PII you’re collecting is not necessary, nix the collection. With enforcement on the horizon, you’ll want to collect only what’s necessary to your business operations.

If you want to discuss how Truyo can help you automate your DSAR process to comply with the 45-day response requirement, provide a comprehensive data map including both structured and unstructured data to inform data minimization, or our privacy assessment module, reach out to hello@truyo.com.