Colorado Consumer Data Protection Law: Stronger and more challenging for businesses

In January 2018, lawmakers in Colorado introduced a radical new bill that requires “reasonable security procedures and practices” for the protection of Personal Identifying Information.

The legislation places a time limit for notifying the Attorney General and affected Colorado residents in the event of a data breach. Last year, Colorado Governor John Hickenlooper signed the bill into law. In so doing, Colorado joins California as a frontrunner in the race to strengthen existing data privacy laws. The new law took effect as of September 1, 2018, introducing significant implications for Colorado based businesses and organizations.

The amendments expand previous breach notification requirements, and clarifies the definition of information which, in the event of a breach, would require the Data Controller to notify affected Colorado residents. The new law defines “Personal Information” (PI), also termed “Personal Identifying Information (PII) as:

“a Colorado resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable:

  • social security number;

  • student, military, or passport identification number;

  • driver’s license number of identification card number;

  • medical information; health insurance identification number; or,

  • biometric data.

 Other forms of PI

PI also includes a username or email address, when combined with a password or security questions and answers, which could allow access to a user’s online account. A Colorado resident’s credit card number or bank account number, along with associated security codes or passwords allowing access to the account are other examples of PI.

Reporting procedure

When reporting a data breach affecting Colorado residents, businesses must notify all affected data subjects. Furthermore, in cases where more than 500 residents are affected by the breach, Colorado’s Attorney General must be notified within 30 days of the date on which the security breach was discovered.

Also added to the state’s existing data breach notification rules are specific content requirements. In particular, the law provides no exemptions for organizations that are subject to reporting requirements under the Health Insurance Portability and Accountability Act (HIPAA) or the also known as the Financial Services Modernization Act 1999 (otherwise known as the Gramm-Leach-Bliley Act). In the event of a conflict between the 30-day notice period and a time frame specified by another state or federal law, the shortest notice period takes precedence.

The Attorney General’s office, which spearheaded the legislation, is duly authorized to enforce the new requirements and may bring lawful action to enforce compliance, including the recovery of direct economic damages resulting from a violation.


FAQs - Your opportunity to submit your questions

We invite you to send us your comments and questions on this subject.
In the meantime, here are the top 3 frequently asked questions so far:

Q1: Who is impacted by the changes to Colorado’s consumer data protection laws?

Almost every Coloradoan.  A growing list of entities – including your employer, your doctor, your insurer, your bank, and many online companies – collect and maintain your personal information.  The updates to Colorado’s law are designed to keep your information as safe as possible and to ensure that you are notified quickly if your personal information is compromised.   

Q2: How have the laws changed?

There have been three major changes:

First, there have been updates to the law that requires entities, both commercial and governmental, that collect personal identifying information to dispose of it when they no longer need it, and to ensure that it is rendered unreadable upon disposal.

Second, a new law requires entities that collect your personal identifying information to take reasonable steps to protect it from being compromised.

Third, there have been updates to the law that require entities to notify consumers when their personal information may have been compromised.  In most instances, notification must happen within 30 days of the entity determining a breach has occurred that may lead to misuse of your information.  Also, the notice must provide certain information that could help you to protect yourself against identity theft.

Q3: What is the effective date of these changes to the law?

The changes are effective as of September 1, 2018.

  • What to Colorado residents think?

The Denver Post recently published some Colorado residents’ opinions on the subject of “Making privacy rights a priority”. We include below, comment from two DP readers’ responses to “Battle lines forming as U.S. privacy law fight looms,” Jan. 28 news story in the Denver Post:

  • Re: “Battle lines forming as U.S. privacy law fight looms,” Jan. 28 news story

“Once upon a time, in the land of the free, everyone knew who the Big Three were. They were General Motors, Ford and Chrysler. Those companies sold products that afforded Americans the ability to obtain freedom. You could get behind the wheel and go wherever you wanted and do whatever you wanted and it was nobody’s business but yours!

Today, the Big Three are Facebook, Google and Amazon. They sell services and products that Americans just can’t do without, although America functioned well without any of them just a generation or so ago. Their products are the equivalents of the electronic ankle bracelet. Americans believe these products also provide great freedom. Except that the new Big Three know where you’re at, what you’re buying and whom you’re communicating with, and, they sell some of this information to interested third parties. Who knows where it ends up?”

(Reader’s name withheld), Colorado Springs

  • “For many years, the right to privacy was an important concept in this country. It always should be. No business should be keeping and using someone’s information for any reason whatsoever. Consent to do so should not be included in the fine print of any contract. Legal requirements or a person’s express written consent should be the only exceptions, and these should be for specific situations only. A person should be able to answer “no” to such a request or, better yet, just ignore the request and know his or her information is safe.

    Just because a business has spent millions to build a system to collect and use this data does not create a “right” to do so. The right to privacy should always be more important than a company’s ability to make money using our information. If they want to use it, perhaps they should pay us.”

(Reader’s name withheld), Arvada

Sources and credits: Colorado Attorney General’s Office, Denver Post

Notice: This article is intended as general information only and does not constitute legal advice.
Please consult with a professional data privacy practitioner.