When a strengthened Colorado data privacy law took effect on September 1, 2018, the state joined others (including California and Massachusetts) in becoming more proactive on data protection by passing laws aimed at safeguarding consumer data. New state data protection legislation means that organizations — some also subject to federal and international laws on data privacy — often need to navigate an increasingly complicated array of requirements. Although the California Consumer Privacy Act of 2018 does not take effect until 2020, Colorado’s is already in force.
The Colorado Data Privacy Law in a Nutshell
To simplify a bit, organizations subject to the Colorado data privacy law generally will need to:
- Develop reasonable data security procedures and practices
- Develop written destruction policies for materials (paper as well as electronic) that contain personal identifying information (PII)
- Investigate suspected data breaches promptly
- Provide notice of data breaches to affected Colorado residents as well as to the state attorney general and consumer reporting agencies in certain circumstances
An organization need not be located within Colorado for the law to apply; the requirements extend to covered entities that maintain personal information of Colorado residents. Personal information includes data such as an individual’s first name or initial and last name together with a social security number or other identification number.
The Colorado attorney general can prosecute violations of the new law. Covered entities include organizations and even individuals that maintain, own or license PII in the course of their work. PII includes social security numbers, passport numbers, other ID numbers, passwords and biometric data (such as facial ID and fingerprints) used to authenticate someone trying to access an account.
The new Colorado law also imposes requirements on governmental entities such as state agencies, cities and towns, and even school districts.
The Far Reach of the Colorado Data Privacy Law
Colorado’s data privacy requirements specify how data should be protected, how third-party service providers should be handled, and when various notification requirements are triggered.
Protecting data: Covered entities that maintain, own or license the PII of individuals residing in Colorado must have appropriate security procedures and practices befitting the nature and size of their business and its operations. Suspected or actual security breaches must be investigated promptly.
Disposing of data: To protect PII when disposing of documents, entities subject to the Colorado law must shred, erase or otherwise modify materials so that the PII of individuals residing in Colorado is indecipherable.
Monitoring third parties: Under the Colorado law, covered entities also must make sure that the third-party service providers to which they disclose information also undertake reasonable security procedures and practices unless the covered entity opts to provide its own security protection for the information it discloses.
Notifying consumers and others: Generally, affected Colorado residents must be informed of a security breach within 30 days after a covered entity determines that one occurred. Consumer reporting agencies also must be informed if more than 1,000 Colorado residents will be notified, and the Colorado attorney general must be alerted if a security breach affected 500 or more Colorado residents.
Waiver of notification rights is not allowed.
Layers of Requirements
Of course, complying with a variety of state, federal, foreign and even international requirements (such as the General Data Protection Regulation) can be challenging, even for entities with the best intentions. However, there’s some good news: Covered entities regulated by state or federal laws that have procedures for disposal of PII are automatically considered compliant with the new Colorado data privacy requirements.
Additionally, covered entities regulated by state or federal law on security breaches are considered to be compliant with Colorado’s regulations as long as the Colorado attorney general is still notified as required by the state law. If the time periods required for notification conflict, the law with the shortest time frame for notice supersedes.
These provisions may help the regulated community achieve compliance. Even so, keeping track of what exactly must be done and who must be alerted can be tricky.
How will you keep all of these requirements straight?