Overview of Changes to Colorado’s Consumer Data Protection Laws
Who is impacted by the changes to Colorado’s consumer data privacy laws?
Any person, commercial entity, or governmental entity that maintains, owns, or licenses personal identifying information (“PII”) of Colorado residents in the course of its business, vocation, or occupation.
How have the laws changed?
There have been three major changes. First, the law that requires disposal of PII now requires written policies governing the disposal of both paper and electronic records containing PII. Second, a new law requires covered persons and entities to take reasonable steps to protect PII. Third, the law that requires notification of data security breaches now requires detailed notice to consumers and, in certain circumstances, notice to the Attorney General.
What is the effective date of the changes?
The changes are effective as of September 1, 2018.
Disposal of Personal Identifying Information
What does the new law say about disposal of PII?
If you maintain, own, or license PII, in paper or electronic form, you are required to develop and implement a written policy to ensure that the PII is destroyed when it is no longer needed. Private persons and entities should refer to C.R.S. § 6-1-713. Governmental entities should refer to C.R.S. § 24-73-101.
What is PII?
PII includes social security numbers; personal identification numbers; passwords; pass codes; official state or government-issued driver’s license or identification card numbers; government passport numbers; biometric data; employer, student, or military identification numbers; and financial transaction devices, including financial account numbers.
I am regulated by state or federal law, and my regulator sets its own requirements for disposal of personal identifying information. Is it sufficient to follow those laws and regulations?
Yes. If you maintain procedures for disposal of PII pursuant to the laws, rules, regulations, guidances, or guidelines established by your state or federal regulator, you are in compliance with Colorado’s law governing disposal of personal identifying information.
Protection of Personal Identifying Information
What steps does the law require me to take to protect PII that I maintain, own, or license in the course of my business?
You are required to take reasonable security measures to protect PII, taking into account the nature and size of your business and the type of PII that you are collecting. See C.R.S. § 6-1-713.5 if you are a person or commercial entity, C.R.S. § 24-73-102 if you are a governmental entity.
I am regulated by state or federal law, and my regulator sets its own requirements for protection of PII. Is it sufficient to follow those laws and regulations?
Yes. If you maintain procedures for the protection of personal identifying information pursuant to the laws, rules, regulations, guidances, or guidelines established by your state or federal regulator, you are in compliance with Colorado’s law governing protection of PII.
I am a third-party service provider that maintains, stores or processes PII for clients. What are my obligations to protect that PII?
Unless your client agrees to provide its own security protection for the PII it discloses to you, it must require you to implement and maintain security procedures and practices that are appropriate to the kind of PII your client is disclosing, and are reasonably designed to help protect the PII from unauthorized access, use, modification, disclosure or destruction.
Security Breach Notification
I am a person, commercial entity, or governmental entity that collects PII. Do I need to familiarize myself with the updates to Colorado’s security breach notification laws?
Yes. There have been significant changes to the security breach notification requirements. See C.R.S. § 6-1-716. The new law also imposes security breach notification requirements for governmental entities. See C.R.S. § 24-73-103.
What is a security breach?
A security breach is the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of PII maintained by a person, commercial entity, or governmental entity.
For example, a security breach can occur by:
- A hacker electronically accessing and acquiring computerized data;
- Unauthorized access to a computer network through weak passwords;
- Unencrypted consumer information exposed while being sent through a payment system;
- A briefcase or laptop computer containing client files that is stolen or misplaced; or
- A mobile device or data storage device containing PII that is stolen or misplaced.
What type of breached information does the law cover?
The law covers breaches of “personal information,” which means a Colorado resident’s first name or first initial and last name in combination with any one of the following:
- Social Security number
- Driver’s License number or Identification Card number
- Student, military, or passport identification number
- Medical information
- Health insurance identification number
- Biometric data (e.g., fingerprints, iris recognition, retinal scans)
Personal information also includes:
- A Colorado resident’s username or e-mail address, in combination with a password or security questions and answers, that would permit access to an online account; and
- A Colorado resident’s account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account.
Personal information does not include information that is lawfully made available to the general public from government records or widely distributed media.
Under what circumstances do I have to notify Colorado residents of a security breach?
If you become aware that a security breach may have occurred, you must conduct a prompt, good faith investigation to determine the likelihood that personal information has been or will be misused. Unless the investigation determines that the information has not been misused and is not reasonably likely to be misused, you must provide notice to the affected Colorado residents.
How long do I have to provide notice to the affected Colorado Residents?
You must provide notice in the most expedient time possible, without unreasonable delay, and within 30 days after the date of determination that a security breach has occurred. You may take longer than 30 days to provide notice if a law enforcement agency has directed you not to send notice, or if longer than 30 days is necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.
Other than the affected Colorado residents, am I required to notify anyone else?
- If the security breach is reasonably believed to have affected 500 or more Colorado residents, you must provide notice of the security breach to the Colorado Attorney General. You must provide this notice in the most expedient time possible and without unreasonable delay, but not later than 30 days after the date of determination that a security breach occurred.
- Notice to the Attorney General should be sent to the Consumer Protection Program Manager at email@example.com.
- If the security breach is reasonably believed to have affected more than 1,000 Colorado residents, you must notify the consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. You must notify these agencies of the anticipated date of the notification to the residents and the approximate number of residents who are to be notified. You must provide this notice in the most expedient time possible and without unreasonable delay.
How must the notice to Colorado residents be provided?
Notice must be provided by:
- Written notice to the Colorado resident’s postal address listed in your records,
- Telephonic notice, or
- Electronic notice, if you use electronic means as a primary means of communicating with the Colorado resident, or if you provide notice consistent with the provisions regarding electronic records and signatures set forth in the federal “Electronic Signatures in Global and National Commerce Act,” 15 U.S.C. § 7001 et seq.
Is there any exception to the requirement to provide notice in this manner?
Yes, you may provide substitute notice if:
- The cost of providing notice will exceed $250,000;
- The number of Colorado residents to be notified exceeds 250,000; or
- You do not have sufficient contact information to provide notice.
What are the requirements for substitute notice?
Substitute notice must be provided by:
- E-mail, if you have e-mail addresses for all affected Colorado residents;
- Conspicuous posting of the notice on your website; and
- Notification to major statewide media.
What information should I include in the notice to Colorado residents?
The notice must include the following:
- The date, estimated date, or estimated date range of the security breach;
- A description of the personal information that was acquired as part of the security breach (or that is reasonably believed to have been acquired);
- Information that a resident can use to contact you to inquire about the security breach;
- A statement that the resident can obtain information from the Federal Trade Commission and the consumer reporting agencies about fraud alerts and security freezes;
- The toll-free numbers, addresses, and websites for consumer reporting agencies;
- As of the date of this post, the websites for the consumer reporting agencies are:
- The toll-free number, address, and website for the Federal Trade Commission;
- As of the date of this post, the website for the Federal Trade Commission is:
The security breach included a Colorado resident’s username or e-mail address, in combination with a password or security questions and answers, that would permit access to an online account. Are there additional notice requirements?
Yes. In this case, you must also direct the affected Colorado residents to take steps to protect their account, e.g., by promptly changing their password and/or security questions and answers.
My entity maintains its own notification procedures as part of its information security policy. Is it sufficient to comply with those procedures?
If your procedures are consistent with the timing requirements set forth in C.R.S. § 6-1-716, you may follow your own procedures for notifying Colorado residents. However, if the security breach is reasonably believed to have affected 500 or more Colorado residents, you are still required to provide notice to the Colorado Attorney General at firstname.lastname@example.org.
My entity is regulated by state or federal law (e.g., the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act) and maintains procedures for security breaches in compliance with those laws and regulations. Is it sufficient to comply with those laws and regulations?
For the most part, yes. However:
- If the security breach is reasonably believed to have affected 500 or more Colorado residents, you are still required to provide notice to the Colorado Attorney General at email@example.com; and
- If the applicable laws set forth different timeframes for the notification to Colorado residents, the law with the shorter timeframe applies. For example, while HIPAA in some circumstances permits notification within a period of up to 60 days, you must provide notice in compliance with Colorado’s 30-day timeframe.
What do I have to provide in my notice to the Colorado Attorney General?
Please provide the following in your notice to the Attorney General:
- The name of your organization and a primary contact there who can be reached for further information;
- The date you determined that a security breach had occurred;
- The date that you provided notice to impacted Colorado residents;
- The number of Colorado residents impacted by the breach; and
- A copy of the notice you provided to Colorado residents.
Please DO NOT provide the Attorney General with the PII that was breached. If the office requires additional information, someone will contact your primary contact as described above to request that information.