Upcoming Data Privacy Laws a Reminder to be All Over Your Map

 |  Share

Much like the beginning of 2023, when two new state data privacy acts went into effect, the midpoint of 2023 will feature two more state data privacy acts coming onto the books.  On July 1, 2023, the Colorado Privacy Act (“CPA”) and the Connecticut Data Privacy Act (“CDPA”) become effective, and those states join California and Virginia as states with data privacy laws.

To effectively prepare for the CPA and CDPA, or any new data privacy laws, businesses should start with a review of how they collect, use and/or disclose consumer data. Businesses should focus on assessing whether they engage in any activities that present a heightened risk to consumers. It is worth pointing out that both the CPA and CDPA will require businesses to formally assess privacy and cybersecurity risks to comply with each state’s respective requirements.

What’s in the CPA and CDPA?

The CDPA requires businesses to perform and document an assessment if a business (1) processes personal data for the purposes of targeted advertising, (2) sells personal data, (3) processes personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of (a) unfair or deceptive treatment of, or unlawful disparate impact on, consumers, (b) financial, physical or reputational injury to consumers, (c) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person, or (d) other substantial injury to consumers, and (4) processes sensitive data. The CPDA identifies these specific activities as  “present[ing] a heightened risk of harm to a consumer.”[1]

The CPA stipulates more comprehensive requirements for businesses covered under that act. Pursuant to the CPA, a “Data Protection Assessment” must be a “genuine, thoughtful” analysis of the business’s activities (collection, use, sale, storage, disclosure, analysis, deletion or modification of consumer personal data) that presents a heightened risk of harm to a consumer. A Data Protection Assessment of the CPA (1) identifies and describes the risks to the rights of a consumer associated with the processing, (2) documents measures considered and taken to address and offset those risks, (3) contemplates the benefits of the processing, and (4) demonstrates that the benefits of the processing outweigh the risks offset by safeguards in place.[2]

Your Map Will Get You Places

Diagramming a “road map” of a consumer’s data as it is collected, used and/or shared is an assessment tool that businesses can use to identify gaps in their processes, business strategy and policies. A data road map should start with any first touchpoint where consumer data can be collected, such as a website homepage or online intake form. Take a moment to consider all the ways consumers share their information with you — then ask, are your consumers informed about your use of their data, such as through a privacy policy? If not, you have just identified a potential hazard.

Fill in the details of your data road map by tracing all the possible routes of consumer data through your business, such as internal processing or analytics by a third-party service provider. Highlight all the different ways consumer data is used by your business — then ask, are all these different uses accounted for in your privacy policy? If not, you just identified another hazard.

Next, identify where consumer data eventually ends up after being used by your business, including whether consumer data is stored or if data ever leaves your control. Look for any final hazards — ask, do you disclose if you sell or share consumer data with any other business, including affiliated, parent, or subsidiary companies?

And finally, remember to update your data road map as your business strategy and processes adapt. Your road map is only useful as long as it accurately reflects how consumer data is actually collected, used and/or shared by your business. But with a complete data road map, businesses can identify the critical next steps to address hazards and stay compliant with data privacy laws.


It is critical that businesses take this opportunity to assess their data privacy compliance, not only because of imminent data privacy act requirements coming into effect soon, but also because more and more states (Indiana, Iowa, Montana and Tennessee are among those) are considering  their own data privacy laws.


This DarrowEverett Insight should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This Insight is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. We are working diligently to remain well informed and up to date on information and advisements as they become available. As such, please reach out to us if you need help addressing any of the issues discussed in this Insight, or any other issues or concerns you may have relating to your business. We are ready to help guide you through these challenging times.

Unless expressly provided, this Insight does not constitute written tax advice as described in 31 C.F.R. §10, et seq. and is not intended or written by us to be used and/or relied on as written tax advice for any purpose including, without limitation, the marketing of any transaction addressed herein. Any U.S. federal tax advice rendered by DarrowEverett LLP shall be conspicuously labeled as such, shall include a discussion of all relevant facts and circumstances, as well as of any representations, statements, findings, or agreements (including projections, financial forecasts, or appraisals) upon which we rely, applicable to transactions discussed therein in compliance with 31 C.F.R. §10.37, shall relate the applicable law and authorities to the facts, and shall set forth any applicable limits on the use of such advice.

[1] https://www.cga.ct.gov/2022/act/Pa/pdf/2022PA-00015-R00SB-00006-PA.PDF

[2] https://coag.gov/app/uploads/2023/03/FINAL-CLEAN-2023.03.15-Official-CPA-Rules.pdf