Hot Off The Privacy Presses This Week: Finalized Colorado Regulations & A New Iowa Privacy Law

by: Dhara Shah

Colorado has now finalized its regulations that implement the Colorado Privacy Act (CPA). While the regulations remain mostly intact from its previous draft, there are a few new provisions that will place significant compliance obligations on businesses. Including in relation to biometric data, loyalty programs, profiling, and privacy policy disclosures.

These requirements just touch on the surface of obligations the CPA places on businesses. They highlight the necessity to carefully review your data practices and prioritize compliance to avoid potential legal and financial consequences. Businesses have until July 1 to work towards compliance with the CPA.

A few states over, the Iowa legislature has passed (awaiting governor’s signature) the country’s sixth comprehensive state privacy law. The Iowa law will apply to businesses that either (1) process 100,000 Iowa residents’ data, or (2) process 25,000 Iowa residents’ data and derive 50% or more of its revenue from selling data. While the Iowa privacy law places many of the same obligations on businesses that we have seen from Connecticut , Utah, Virginia and Colorado – it most resembles Utah with its business-friendly framework. These provisions include basic consumer rights, transparent disclosures, and implementation of proper security measures. Once signed by the governor, the Iowa privacy law is set to be in effect on January 1, 2025.

Originally published by InfoLawGroup LLP. If you would like to receive regular emails from us, in which we share updates and our take on current legal news, please subscribe to InfoLawGroup’s Insights HERE.