Overview
During this webinar, McDermott Partners Elliot Golding and David Saunders shared practical tips and benchmarking to help companies incorporate the new Colorado Privacy Act (CPA) and Connecticut Data Privacy Act (CTDPA) requirements when they take effect on July 1, 2023.
Top takeaways included:
- Both laws impose obligations that exceed existing requirements under other privacy laws, so companies need to take additional steps even if they already comply with the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR). For example, both laws require more granular privacy notice disclosures. Colorado also imposes heightened consent requirements to process sensitive personal information (including ethnicity, health and biometric information).
- Companies must already conduct “data protection assessments” when selling data, conducting targeted advertising, processing sensitive data and for other “higher risk processing activities.” However, Colorado imposes onerous assessment requirements that exceed other laws and will take considerable time to complete, so companies should start these mandatory assessments now.
- Like any compliance program, design will be important. Companies should start their compliance efforts now rather than waiting until the last minute.
Our Global Privacy & Cybersecurity team has templates and risk-based quick reference guides to comply with these and other privacy requirements. Contact Elliot, David or your regular McDermott lawyer to discuss how we can help.