BenReppe
Community Manager

DG Release  - 21 February 2023

Crownpeak DG Release for Utah, Colorado, and Connecticut Privacy Regulations 

The privacy and consent landscape changes continuously, and Crownpeak is committed to helping you stay ahead of these changes and remain compliant with easy-to-use tools.

Crownpeak released new regulation templates and support for Utah, Colorado and Connecticut privacy laws in the Universal Consent Platform (UCP) to allow customers to add these new regulations to their privacy and disclosure strategies.  

This expands regulation coverage to six US states and twelve national and international regulations including, of course, CPRA and GDPR, with GPC signaling support as well as custom combinations.

What you need to know about these new regulations 

While legally each regulation is applicable to slightly different company profiles, a holistic approach to privacy, disclosure and compliance suggests that if you include any regulation features in your privacy strategy you should include compliance for all the regulations.  

We have made it easy to enable all regulations by providing templates with the appropriate settings for each geolocation’s applicable regulation. 

 

The Connecticut Data Privacy Act (CTDPA) 

  • Effective Date: 1 July 2023 
  • Who must comply: 
    The Connecticut Data Privacy Act (CTDPA) applies to individuals and businesses that conduct business in Connecticut, or that produce products or services targeted to Connecticut residents, and that, in the preceding calendar year, controlled or processed the personal data of at least (1) 100,000 Connecticut consumers (excluding data processed solely for processing payment transactions); or (2) 25,000 Connecticut consumers and derived over 25% of their gross revenue from the sale of personal data.
  • RIGHTS: 
    • Right to Access – Confirm and receive a copy of personal data collected/in possession. 
    • Right to Correct – Correct deficiencies or inaccuracies in personal data. 
    • Right to Delete – Remove personal data from company systems, including data collected via third party platforms or systems.
    • Right to Portability – Obtain a copy of data in a readily usable format to transfer to another Controller.
    • Right to Opt-out of certain processing: 
      • Sale of personal data.
      • Processing of personal data for the purpose of retargeting. 
      • Profiling that may have a legal or other significant impact.

 

The Colorado Privacy Act (CPA) 

  • Effective Date: 1 July 2023 
  • The Colorado Privacy Act protects Colorado residents and imposes data protection requirements on companies or organizations that 1) conduct business in Colorado or produce or deliver commercial products or services that are purposely targeted to residents of Colorado; and 2) control or process personal data of at least 100,000 consumers a year, or control or process personal data of at least 25,000 consumers and gain revenue, or receive a discount on the price of goods and services, from the sale of personal data.
  • RIGHTS:
    • Right to Access – Confirm and receive a copy of personal data collected/in possession. 
    • Right to Delete – Can ask to have personal data deleted.
    • Right to Portability – Can receive and transfer their data to another entity in a readable, portable format.
    • Right to Opt-out of certain processing
      • Sale of personal data. 
      • Processing of personal data for the purpose of retargeting. 
      • Profiling that may have a legal or other significant impact.  

 

The Utah Consumer Privacy Act (UCPA) 

  • Effective Date: 31 December 2023 
  • Who must comply (any of the following): 
    • A company that conducts business in the state or produces a product or service that is targeted to consumers who are residents of the state. 
    • A company that has annual revenue of $25,000,000 or more; and 
    • A company that satisfies one or more of the following thresholds: 
      • A company that, during a calendar year, controls or processes personal data of 100,000 or more consumers. 
      • A company that derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
  • RIGHTS:
    • Right to Access – Confirm and receive a copy of personal data collected/in possession.
    • Right to Delete – Limited to personal data the consumer provided.
    • Right to Portability – Obtain a copy of data in a readily usable format to transfer to another Controller to the extent technically feasible, practical.
    • Right to Opt-out of certain processing 
      • Sale of personal data. 
      • Processing of personal data for the purpose of retargeting. 

 

How to set up new notices for CTDPA, CPA, UCPA

  1. Log in to UCP and go to “Manage” in the menu section.
  2. From there, choose the domain you wish to set up.
  3. Once in the setup page, navigate to the settings. In the “Configure Consent” column you will see a new drop-down for choosing the regulation you wish to set up, with the following options:
    • Custom Regulation
    • CCPA
    • GDPR
    • Nevada Consumer Opt-out Law
    • LGPD
    • KVKK
    • PDPA
    • CPRA
    • VCDPA
    • CTDPA
    • CPA
    • UCPA

Selecting the regulation will automatically choose “Opt-out consent” as the default consent type for those regulations. You’ll no longer be able to choose “Don’t require consent” or “Prior Consent” for US regulations.

The Global Privacy Control (GPC) option is also available for all US regulations. GPC cannot be enabled for notices with “No Consent Notification” selected as the Consent Display Type.
