Colorado’s New Consumer Data Privacy Law- Effective September 1, 2018


Come September 1, 2018, Colorado’s latest consumer data privacy legislation, House Bill 18-1128, goes into effect. The new law requires covered entities to establish reasonable security procedures, responsibly dispose of personal identifying information, ensure that third party service providers properly handle personal identifying information, and timely notify affected residents of a security breach.

Key provisions of the new law include:

Reasonable security procedures

Covered entities that maintain, own, or license “personal identifying information” (PII) of a Colorado resident are required to “implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.”

PII is defined broadly and includes a social security number; personal identification number; password; passcode; official state or government-issued driver’s license or identification card number; government passport number; biometric data; employer, student, or military identification number; or financial transaction device.

Virtually all employers maintain information about their employees that fall under this definition of PII, such as social security numbers, passport numbers, and driver’s license numbers. Accordingly, employers with Colorado employees will be subject to the requirements of the new law.

Covered entities that disclose PII to third parties must either provide their own security protection for the information transferred to a third party service provider, or require” the third-party service provider to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the PII disclosed and reasonably designed to help protect the PII from unauthorized access, use, modification, disclosure, or destruction. A “third party service provider” is an entity that “has been contracted to maintain, store, or process personal information on behalf of a covered entity.”

The law further requires covered entities to develop a written policy for the destruction of electronic or paper documents that contain PII when they are no longer needed.

The Colorado Attorney General’s office is authorized to enforce these requirements and may bring an action in law or equity to ensure compliance or recover direct economic damages resulting from a violation.

Prompt notification of breach

Covered entities that maintain, own, or license “personal information” (PI) must notify affected individuals within 30 days after determining that a security breach occurred that resulted in, or is likely to result in, misuse of PI.

PI is not defined identically to PII. Instead, PI means a Colorado resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable: social security number; student, military, or passport identification number; driver’s license number of identification card number; medical information; health insurance identification number; or biometric data. PI also includes a Colorado resident’s username or e-mail address, in combination with a password or security questions and answers that would permit access to an online account, or a Colorado resident’s account number or credit/debit card number in combination with any required security code, access code or password that would permit access to the account.

The law specifies what information the notice must include, such as a description of the PI that was acquired or reasonably believed to have been acquired in the breach, the date or estimated date of the breach, contact information for the Federal Trade Commission and credit reporting agencies, and a statement about obtaining information regarding fraud alerts and security freezes. If the breach involves login credentials, a covered entity must notify individuals to change their login information, including password, security questions and answers, as applicable, for that account and any other account that uses the same login information.

If a third-party servicer provider experiences a data breach, it is required to notify the covered entity “in the most expedient time possible, and without unreasonable delay.”

A covered entity must notify the Colorado Attorney General’s office, which has authority to enforce these notification requirements, if it provides notice to 500 or more Colorado residents, and if it provides notice to more than 1,000 Colorado residents, it must also notify consumer reporting agencies.

Notably, the law does not create exemptions for entities subject to reporting requirements under the Gramm-Leach-Bliley Act or HIPAA. If there is a conflict between the 30-day notice period and a time period under another federal or state law, the shortest notice period applies.

The law also creates similar obligations for government entities.

To prepare for Colorado’s new law, covered entities should develop written information security procedures, inclusive of reasonable administrative, technical, and physical safeguards, create a written policy concerning proper disposal of PII, update third party service provider practices and agreements, and implement incident response plans that are compliant with new requirements.

You can read the legislation here:

This article is intended for general informational purposes only and should not be construed as legal advice or opinion. Consult legal counsel with questions concerning specific facts and circumstances.