Colorado’s New Privacy Protection Law

Colorado has joined Vermont and California in passing recent legislation related to consumer privacy. HB18-1128 took effect September 1, 2018, and any organization that collects or maintains certain “personal identifying information” should make sure it is in full compliance.  Here are some highlights most likely to affect private entities (there are also provisions for government entities):

  •  Covered entities in the state of Colorado must maintain a written policy for disposing documents – both paper and electronic – that contain personal identifying information; 

  • Covered entities who maintain, own or license personal identifying information of Colorado residents must implement reasonable security procedures (including requiring reasonable security procedures from third party service providers); and

  • Covered entities who maintain, own or license personal identifying information of Colorado residents must comply with breach notification requirements, including an accelerated 30-day timeframe for notification to Colorado residents impacted by the data breach and the Colorado Attorney General (where more than 500 records are at issue). 

The bill specifically spells out what constitutes personal identifying information, but the definitions are not identical for all provisions.  Note, however, that all include biometric data (as defined in the statute), which continues a trend we have been seeing to include biometric data in regulations relating to privacy and security. 

Businesses subject to this statue should confirm their existing processes, policies and third party contracts are up to these Colorado requirements.