Ralph L. Carr Judicial Building

Colorado’s Consumer Data Protection Laws: FAQ’s for Consumers

Security Breach Data Graphic

Frequently Asked Questions

Who is impacted by the changes to Colorado’s consumer data protection laws?

Almost every Coloradoan. A growing list of entities – including your employer, your doctor, your insurer, your bank, and many online companies – collect and maintain your personal information. The updates to Colorado’s law are designed to keep your information as safe as possible and to ensure that you are notified quickly if your personal information is compromised.

How have the laws changed?

There have been three major changes:

  • First, there have been updates to the law that requires entities, both commercial and governmental, that collect personal identifying information to dispose of it when they no longer need it, and to ensure that it is rendered unreadable upon disposal.
  • Second, a new law requires entities that collect your personal identifying information to take reasonable steps to protect it from being compromised.
  • Third, there have been updates to the law that require entities to notify consumers when their personal information may have been compromised. In most instances notification has to happen within 30 days of the entity determining a breach has occurred that may lead to misuse of your information. Also, the notice must provide certain information that could help you to protect yourself against identity theft.

What is the effective date of these changes to the law?

The changes are effective as of September 1, 2018.

Where can I get more details about these changes to the law?

Additional information is available on Colorado’s Consumer Data Protection Laws webpage.

How can I find out more about how to protect myself against identity theft?

Visit the Identity Theft Fraud Center (opens in new window) to learn more about how you can prevent identity theft, and what to do if you believe you are a victim of identity theft.

Where can I report violations of the law requiring disposal and protection of personal identifying information and notification of security breaches?

You may file a complaint online. Visit the Attorney General’s File a Complaint webpage to get started or you may call 800-222-4444.