Report a Data Breach
Colorado law requires covered entities that experience a data breach to notify affected Coloradans and provide notice to the Office of the Attorney General if the breach affects 500 or more Coloradans.
To report a data breach, use the online Data Breach Reporting Form.
How do I use the Data Breach Reporting Form?
Before you fill out the form, here is what you need to know:
- The system cannot save your form, so you will need to complete it in one sitting.
- You can print a copy or save a PDF of your completed form, but only before you click “Submit.” Please do so if you would like a copy of the form for your files.
- You must fill out all of the web form text fields to submit the form.
- A submitted form and examples of consumer notices or other materials you upload may be subject to disclosure under the Colorado Open Records Act. This means that members of the public may file an open-records request to obtain a copy of your submitted form. The form fields that may be subject to disclosure are those containing contact information, the fields indicating the type of affected personal information, and the dates the breach began and ended. All other form fields and information will be withheld under the Attorney General’s discretion to keep records of investigations and intelligence information confidential. Review section 6-1-111(2), C.R.S.
- The form provides the option to report a series of related breaches. If you experienced several related breaches, please use one form to report all the breaches.
- If you have any questions while filling out the form, please contact us at databreach@coag.gov.
- If you are a consumer or other third party who would like to report a breach, do not fill out this form. Instead, please send us your message using a consumer complaint form.
What happens after I submit my completed Data Breach Reporting Form?
The Consumer Protection Section of the Attorney General’s Office will contact you if we have any follow-up questions.
If you are unable to use the data breach reporting form, please contact the Consumer Protection Section of the Attorney General’s Office at databreach@coag.gov.
Overview of Colorado’s Data Security Laws
What are Colorado’s data security laws?
There are three primary components to Colorado’s data security laws.
- Colorado requires certain persons and entities that maintain personal identifying information (PII) in paper or electronic form to establish written policies governing the disposal of PII.
- Colorado law requires certain persons and entities to take reasonable steps to protect PII.
- The law requires notification of security breaches affecting personal information (PI). This includes detailed notice to affected Colorado residents and, in certain circumstances, notice to the Attorney General.
Who is impacted by the changes to Colorado’s consumer data security laws?
Any person, commercial entity, or governmental entity that maintains, owns, or licenses PII or PI of Colorado residents in the course of its business, vocation, or occupation.
What is PII?
PII includes social security numbers; personal identification numbers; passwords; pass codes; official state or government-issued driver’s license or identification card numbers; government passport numbers; biometric data; employer, student, or military identification numbers; and financial transaction devices, including financial account numbers.
What is PI?
PI includes a Colorado resident’s first name or first initial and last name in combination with any of the following, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable:
- Social Security number;
- Driver’s license number or identification card number;
- Student, military, or passport identification number;
- Medical information;
- Health insurance identification number; or
- Biometric data (e.g., fingerprints, iris recognition, retinal scans) used to authenticate an individual when they access an online account.
PI also includes:
- A Colorado resident’s username or e-mail address, in combination with a password or security questions and answers, that would permit access to an online account; and
- A Colorado resident’s account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account.
PI does not include information that is lawfully made available to the general public from government records or widely distributed media.
Disposal of Personal Identifying Information
What does the law say about disposal of PII?
If you maintain PII, in paper or electronic form, you are required to develop a written policy to ensure that the PII is destroyed or properly disposed of when it is no longer needed. Private persons and entities should refer to section 6-1-713, C.R.S. Governmental entities should refer to section 24-73-101, C.R.S.
I am regulated by state or federal law, and my regulator sets its own requirements for disposal of PII. Is it sufficient to follow those laws and regulations?
Yes. If you maintain procedures for disposal of PII pursuant to the laws, rules, regulations, guidance, or guidelines established by your state or federal regulator, you are in compliance with Colorado’s law governing disposal of PII.
Protection of Personal Identifying Information
What steps does the law require me to take to protect PII that I maintain, own, or license in the course of my business?
You are required to implement and maintain reasonable security procedures and practices to protect PII, taking into account the nature and size of your business and the type of PII you collect. See section 6-1-713.5, C.R.S., if you are a person or commercial entity, or section 24-73-102, C.R.S., if you are a governmental entity.
I am regulated by state or federal law, and my regulator sets its own requirements for protection of PII. Is it sufficient to follow those laws and regulations?
Yes. If you maintain procedures for the protection of PII pursuant to the laws, rules, regulations, guidance, or guidelines established by your state or federal regulator, you are in compliance with Colorado’s law governing the protection of PII.
What obligations do I have if a third-party service provider maintains, stores, or processes PII on my behalf?
Unless you agree to provide your own security protection for any PII you disclose to a third-party service provider, you must require the third-party service provider to implement and maintain reasonable security procedures and practices that are appropriate to the kind of PII you disclose and are reasonably designed to help protect the PII from unauthorized access, use, modification, disclosure, or destruction.
Security Breach Notification
I am a person, commercial entity, or governmental entity that collects PI. Do I need to familiarize myself with Colorado’s security breach notification laws?
Yes. Persons, commercial entities, and governmental entities that collect or maintain PI should be familiar with Colorado’s security breach notification laws. See section 6-1-716, C.R.S., if you are a person or commercial entity; see section 24-73-103, C.R.S., if you are a governmental entity.
What is a security breach?
A security breach is the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of PI maintained by a person, commercial entity, or governmental entity.
For example, a security breach can occur when:
- An employee clicks on a link or opens an email attachment that contains malware;
- An employee provides their password or other sensitive information to an unauthorized person;
- Your entity is the victim of a ransomware attack (ransomware is sometimes accompanied by malware that also steals a copy of the data before it is encrypted);
- Unencrypted PI is sent through a payment system;
- A briefcase containing client files is stolen or misplaced; or
- A mobile device or data storage device containing PI is stolen or misplaced.
Under what circumstances do I have to notify Colorado residents of a security breach?
If you become aware that a security breach may have occurred, you must conduct a prompt, good-faith investigation to determine the likelihood that PI has been or will be misused. You must provide notice to the affected Colorado residents, unless the investigation determines that the information has not been misused and is not reasonably likely to be misused.
How long do I have to provide notice to the affected Colorado residents?
You must provide notice in the most expedient time possible and without unreasonable delay, and in any event not later than 30 days after the date of determination that a security breach has occurred. Notice may be delayed consistent with the legitimate needs of law enforcement, or consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.
Other than the affected Colorado residents, am I required to notify anyone else?
Yes:
- If the security breach is reasonably believed to have affected 500 or more Colorado residents, you must provide notice to the Colorado Attorney General. You must provide this notice in the most expedient time possible and without unreasonable delay, but not later than 30 days after the date of determination that a security breach occurred.
  - To report a data breach, use the online Data Breach Reporting Form.
- If the security breach is reasonably believed to have affected more than 1,000 Colorado residents, you must notify the consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. You must notify these agencies of the anticipated date of the notification to the residents and the approximate number of residents who are to be notified. You must provide this notice in the most expedient time possible and without unreasonable delay.
  - To notify Equifax, visit their Your Credit. Your Identity webpage.
  - To notify Experian, visit their Reach your credit and money goals webpage.
- If sensitive information relating to residents of other states was compromised, you should review the applicable state law for notice requirements.
How must the notice to Colorado residents be provided?
Notice must be provided by:
- Written notice to the Colorado resident’s postal address listed in your records,
- Telephonic notice, or
- Electronic notice, if you use electronic means as a primary method of communicating with the Colorado resident, or if you provide notice consistent with the provisions regarding electronic records and signatures set forth in the federal “Electronic Signatures in Global and National Commerce Act,” 15 U.S.C. sec. 7001 et seq.
Is there any exception to the requirement to provide notice in this manner?
Yes, you may provide substitute notice if:
- The cost of providing notice will exceed $250,000;
- The number of Colorado residents to be notified exceeds 250,000; or
- You do not have sufficient contact information to provide notice.
What are the requirements for substitute notice?
Substitute notice must be provided by:
- E-mail, if you have email addresses for the affected Colorado residents;
- Conspicuous posting of the notice on your website; and
- Notification to major statewide media.
What information should I include in the notice to Colorado residents?
The notice must include the following:
- The date, estimated date, or estimated date range of the security breach;
- A description of the personal information that was acquired as part of the security breach (or that is reasonably believed to have been acquired);
- Information that a resident can use to contact you to inquire about the security breach;
- A statement that the resident can obtain information from the Federal Trade Commission (FTC) and the consumer reporting agencies about fraud alerts and security freezes;
- The toll-free numbers, addresses, and websites for consumer reporting agencies;
- The toll-free number, address, and website for the FTC.
The security breach included a Colorado resident’s username or e-mail address, in combination with a password or security questions and answers, that would permit access to an online account. Are there additional notice requirements?
Yes. In this case, you must also direct the affected Colorado residents to take steps to protect the accounts that may be accessed with the compromised credentials, for example by instructing them to change the password and any security questions and answers for those accounts.
My entity is regulated by state or federal law (e.g., the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA)) and maintains procedures for security breaches in compliance with those laws and regulations. Is it sufficient to comply with those laws and regulations?
For the most part, yes. However:
- If the security breach is reasonably believed to have affected 500 or more Colorado residents, you are still required to provide notice to the Colorado Attorney General. Notice to the Colorado Attorney General should be submitted using the online Data Breach Reporting Form.
- If the applicable laws set forth different timeframes for the notification to Colorado residents, the law with the shorter timeframe applies. For example, while HIPAA, in some circumstances, permits notification within a period of up to 60 days, you must provide notice in compliance with Colorado’s 30-day timeframe.