Discussions in this blog, like the rest of the site, do not constitute legal advice

Colorado’s New Data Privacy Law: Where’s Your Company’s Policy?

  • December 20, 2018
  • Miles Buckingham

Does your business receive or keep Personal Identifying Information of customers? The definition of Personal Identifying Information is broad, and includes:

  • A user’s password (say, to access restricted areas on your website);
  • Personal Identification Numbers;
  • Social security numbers;
  • A pass code;
  • Official state or government-issued driver’s license or identification card numbers or images;
  • A government passport number;
  • Biometric data;
  • Employer, student, or military ID number; and
  • Financial Transaction Devices (think: saved credit card information).

If so, your company may be subject to Colorado’s new data privacy laws. The laws, which became effective on September 1, 2018, set forth a number of requirements for companies that maintain Personal Identifying Information in the course of their business (“Covered Entities”).

The new law has three main components: (1) Covered Entities must implement and maintain a policy to ensure destruction of Personal Identifying Information when it is no longer needed by the company; (2) Covered Entities that entrust or disclose Personal Identifying Information to third-party service providers must ensure that those providers have adequate policies and procedures to protect the Personal Identifying Information; and (3) Covered Entities are required to undertake specific steps in the event that a data breach is discovered.

The laws’ requirements are mandatory and are part of the Colorado Consumer Protection Act (C.R.S. 6-1-101, et seq.). Failure to comply can result in substantial civil penalties depending on the number of affected transactions/residents. Companies that do business in Colorado and maintain Personal Identifying Information should, if they haven’t done so already, immediately begin to implement the necessary policies and procedures to comply with the new data privacy laws.