Skip to main content

Impending Legislation : CPA and CTPDA

Multiple states and countries across the globe are providing their residents with solidified privacy laws meaning that companies will need to be prepared for these new regulations. This feature creates an in-platform experience to inform our customers of upcoming legislation changes that could affect them and help them take action through tasks within the platform.

Colorado Privacy Act (CPA) and Connecticut Data and Privacy Act (CTPD)

Two new pieces of privacy legislation are effective on July 1, 2023: SB 190 in Colorado, or the Colorado Privacy Act 2021 (CPA), and SB 6, Connecticut’s Data and Privacy Act 2022 (CTDPA). Both laws are crafted similarly to CCPA and Proposition 24 (CPRA). If you’ve made few or no changes to DataGrail’s recommended United States Default Policy, your policy’s data subject request settings likely comply with the new legislation as long as you’ve linked out the Do Not Sell or Share form in your privacy policy.

The difference between the new laws and the general U.S. Default Policy is that these two states will require opt-out capabilities for consumers to refuse the sale of their information upon enactment. This means you’ll need to provide Colorado and Connecticut residents with an opt-out method as a part of your privacy policy. DataGrail’s Do Not Sell or Share form, which is available to all customers with Request Manager, meets the standard for both Colorado and Connecticut.

CPA and CTPDA both require an appeals process, similar to the process defined by CPRA.

Policy Specifics

DataGrail DefaultUS Standard PolicyColorado Privacy ACT (CPA)Connecticut Data and Privacy Act (CTDPA)
Effective Daten/aJul 1, 2023Jul 1, 2023
Impacted Businessesn/a* Conducts business in Colorado
  • Controls/Processes personal data for 100,000 CO residents per year
  • Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 or more consumers | * People who conduct business in Connecticut or produce products or services targeted to Connecticut residents and, during the prior calendar year, controlled or processed the personal data of:
  • At least 100,000 consumers; or
  • 25,000 or more consumers and derived over 25% of gross revenue from the sale of personal data.
  • Also applies to Processors | | Privacy Rights | Access Correction Deletion Data Portability | Access Correction Deletion Data Portability | Access Correction Deletion Data Portability | | Opt-Outs | | Opt Out of Data Sales Opt Out of Targeted Ads | Opt Out of Data Sales Opt Out of Targeted Ads | | Intake Methods Required for DSR | n/a | 2 Methods | 1 Method | | Sensitive Data Categories | | * Racial or ethnic origin
  • Religious beliefs
  • A mental or physical health condition or diagnosis
  • Sex life or sexual orientation
  • Citizenship or citizenship status
  • Genetic or biometric data that can be processed to identify an individual uniquely
  • Personal data of a known child | * Racial or ethnic origins
  • Religious beliefs
  • Mental or physical health conditions or diagnoses
  • Sexual activity or orientation
  • Citizenship or immigration status
  • Genetic or biometric data that can be used to identify an individual uniquely
  • Personal data of a child under the age of 13
  • Information that identifies an individual’s specific location with a defined degree of precision and accuracy ( precise geolocation data) | | Appeals Process | | 60 Days | 60 Days | | Unique Features of the Law | | Includes Non-Profits | Allows only 1 request per calendar year |

Additional References and Resources

If you have any questions about this feature, you can either click on the "Review Upcoming Policy" task and "Schedule Time to Review" for your dedicated CSM to reach out to you directly or send an email to support@datagrail.io.

The information contained in this message does not constitute as legal advice. We would advise seeking professional counsel before acting on or interpreting any material.