TerraTrue, an innovator in privacy, today announced the availability of its privacy platform module for the Colorado Privacy Act (CPA) adding to its modules for GDPR, CCPA/CPRA, and VCDPA compliance. With the CPA module enabled on its platform, TerraTrue activates an out-of-the-box taxonomy that provides intelligent rulesets and workflows for the CPA and automatically analyzes the inputs from past product launches to power recommendations that ensure companies stay in compliance – without ever having to refer back to the law.
The CPA will be coming into effect on July 1, 2023. This means businesses must learn the law and assess the data types, data uses, and data processing activities within their organization's operational processes and products to ensure their current practices can support the law before the new year.
“Companies should plan to take an inventory of the data they hold that may be considered 'sensitive' under the CPA, as well as the context in which it was collected or processed,'' said Chris Handman, co-founder and COO of TerraTrue and former Snap General Counsel. “TerraTrue's CPA module is purpose-built to expertly guide companies along the path to compliance. Our system uses structured data, which uniquely allows us to automatically analyze past launch information like data types, data uses, and org info to provide customers a curated set of recommendations that will help them identify what they may need to take action on to comply with the CPA.”
About the CPA
The CPA gives consumers the right to access their data, obtain a copy of their personal data, and request that their personal information be deleted by businesses. It also requires companies to conduct data protection assessments related to processing personal data for targeted advertising and sales purposes. The CPA applies to persons who “conduct business” in the Commonwealth or produce products or services that are “targeted” to residents of Colorado.
Entities conducting business in Colorado must satisfy one of two thresholds to fall within the statute's scope, and both thresholds address a minimum number of affected consumers. Entities must control or process the personal data of at least 100,000 consumers in a calendar year, or the personal data of at least 25,000 consumers, while deriving over 50 percent of gross revenue from the sale of that data.
If you're already VCDPA compliant, the CPA reads very similarly. Perhaps the most significant difference, though, is that Colorado reserves rulemaking authority to their state attorney general – meaning that the Colorado attorney general will have the power (unlike in Virginia) to issue implementing regulations sketching out what best practice compliance actually looks like.
How TerraTrue's CPA module helps companies get compliant:
TerraTrue automates gap analysis
TerraTrue's structured data approach saves teams from the slow, inefficient, and error-prone process of manual gap analysis. Without it, they'll have to dig through old privacy reviews by hand, examine them individually, and cross-check their privacy practices with the CPA's new requirements. Even in smaller organizations, a full gap analysis can sprawl across thousands of pages of documentation that must be mapped and tracked across all of their databases and tools.
TerraTrue's CPA module automates most of this work. Documenting existing data protocols is quick, taking just a few minutes for each privacy review. Then the platform automatically scans a company's entire privacy program and creates a prioritized list of recommendations — the expert-guided path to CPA compliance.
Run privacy reviews that get simpler over time
TerraTrue gets smarter the more teams use it, so completing privacy reviews for new products, features, and business initiatives get simpler and more efficient over time. Does a business work with sensitive data types like citizenship, immigration status, or biometric data? Does it require users to create online accounts? Does the HR department retain contact information for job applicants or past employees? TerraTrue learns about a company's privacy practices every time a privacy review is completed — meaning its recommendations get better and reviews get simpler as teams go.
Get real-time guidance on shifting regulations
TerraTrue helps teams stay on top of regulatory changes as they happen. TerraTrue's CPA module is designed to account for incoming regulations, court decisions, and enforcement interpretations, so companies can stay up to date without getting bogged down in research. That means they'll get the confidence of expert guidance without spending huge amounts of time and money deciphering and interpreting new rules.
Read more on our blog
To dive deeper into what's changed with CPA, read more
TerraTrue empowers teams to build privacy and security into everything they do through a collaborative, intuitive, and scalable platform. Purpose-built to work with modern product development, TerraTrue seamlessly captures structured data about how teams plan to collect, use, store, and share data. The platform then maps that digital blueprint to the world's privacy laws to automate guidance, risk-flagging, and downstream data maps and reports. Sitting as a hub between product teams and review teams, TerraTrue also smartly routes rule-based workflows throughout an organization, automatically detects and reports infrastructure changes in cloud environments, and drives vendor management — all from the same single source of truth. Using TerraTrue, companies run a scalable, fast pre-deployment privacy program that eliminates spreadsheets, manual ad-hoc processes, and compliance bottlenecks. TerraTrue was founded in 2018 by former Snap execs and is backed by, among others, 3L Capital, Anthos Capital, and Chris Sacca. Modern brands like Lyft, Robinhood, Roku, and Foursquare are shifting left to get privacy right with TerraTrue.
— WebWireID291537 —