Colorado’s Protections for Consumer Data Privacy law (“new law”) takes effect on September 1, 2018 and requires that businesses holding personal information for Colorado residents destroy the data they don’t need, protect the data they decide to keep, and disclose any security breaches involving that data within 30 days of its occurrence. The new law amends existing obligations and adds new obligations applicable to businesses holding information about Colorado residents.

New Requirement to Dispose of and/or Protect Personally Identifiable Information (PII)

Colorado law already had a definition of PII. The new law clarifies the definition and expands the existing requirement to dispose of paper documents containing PII. Now, businesses must develop a written policy to destroy or dispose of paper and electronic documents containing PII. Businesses must destroy paper and electronic documents that “are no longer needed.”

The new law creates an additional requirement for businesses to protect Colorado residents’ PII from unauthorized access by implementing reasonable security procedures and practices based on (1) the nature and size of the business, and (2) the nature (sensitivity) of the PII.

Changes to the Notification of a Security Breach Statute

The law also revises Colorado’s breach notification requirements. The revision expands the original definition of “personal information” (not to be confused with the law’s definition of PII described above) and sets a deadline for disclosing security breaches. A Colorado Resident’s personal information now includes two new categories in addition to the original categories. The new categories are:

  1. The resident’s username or e-mail address in combination with a password or security questions and answers, that would permit access to an online account;
  2. The resident’s account number or credit or debit card number in combination with any required security code, or password that would permit access to that account.

If a business learns that a security breach may have occurred, the business must promptly investigate the likelihood that Colorado residents’ personal information has been, or will be, misused. Unless the investigation concludes that misuse of personal information is unlikely to occur, the business must disclose the security breach without unreasonable delay and no later than 30 days after discovering the security breach may have taken place.

The new law requires additional notifications be made in certain cases. If more than 1,000 Colorado residents have to be notified of a security breach, the Covered Entity is also required to notify all consumer reporting agencies that compile and maintain files on consumers nationwide.

If 500 or more Colorado residents are reasonably believed to have been affected by the security breach, the Covered Entity must also notify the Colorado Attorney General of the security breach. The deadline to notify the Attorney general is also 30 days after the point in time where sufficient evidence exists to conclude that a security breach has taken place.