
Notice – Colorado Changes to Data Privacy Laws

November 6, 2018

Three major changes to Colorado data privacy laws became effective September 1, 2018. These affect virtually all businesses collecting personally identifying information (PII)[1] from Colorado residents:

1. First, the law that provides for disposal of PII now requires businesses to adopt a written policy governing the disposal of both paper and electronic records containing PII of Colorado residents.[2]

Action Required: Businesses with Colorado resident PII should revisit or adopt document retention policies to ensure that they address the destruction of paper and electronic documents containing PII. Management should provide oversight and governance for implementation of the document retention and destruction policies. Larger and more complex organizations may want to conduct internal audits to ensure policy compliance.

2. Second, a new law requires covered persons and entities to take reasonable steps to protect PII.

Action Required: Implement reasonable measures to protect PII from data breaches. Review agreements with third-party service providers to ensure that service providers have reasonable procedures to protect the security of PII provided to them.

Recommended Action: Adopt a written policy regarding protection of PII and implement practices to comply with the new policy. Ensure that the policy is actually implemented.

3. Third, the law that requires notification of data security breaches[3] now requires detailed notice to consumers and, in certain circumstances, notice to the Colorado Attorney General. A much broader definition of “personal information” applies to security breaches.[4]

Action Required: In the event of a breach or disclosure of PII involving Colorado residents, notice must be provided to such affected residents within 30 days of discovery.[5] Additionally, businesses should consider updating incident response or business continuity plans in light of the new requirements. If businesses become aware that a security breach may have occurred, they must conduct a prompt, good faith investigation to determine the likelihood that personal information has been or will be misused. Unless the investigation determines that the information has not been misused and is not reasonably likely to be misused, notice must be provided to the affected Colorado residents.


[1] PII includes social security numbers; personal identification numbers; passwords; pass codes; access codes; official state or government-issued driver’s license or identification card numbers; government passport numbers; biometric data; employer, student, or military identification numbers; and financial transaction devices, including financial account numbers.

[2] Different statutes govern private businesses and governmental entities. Governmental entities have similar obligations to those summarized in this Notice.

[3] A security breach is the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of PII maintained by a person, commercial entity, or governmental entity.

[4] For data breaches, “personal information” also includes names, usernames, email addresses, account numbers, and other similar identifying information, but does not include most publicly available information and personal information that is encrypted.

[5] If the security breach is reasonably believed to have affected 500 or more Colorado residents, you must provide notice of the security breach to the Colorado Attorney General. If the security breach is reasonably believed to have affected more than 1,000 Colorado residents, you must notify the consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.

This blog post was drafted by Paul Hanley, a Partner in the Denver, CO office of Spencer Fane LLP. For more information, visit spencerfane.com.