Colorado’s Protections for Consumers Data Privacy Act, unanimously approved by the state legislature on May 29, imposes heightened data protection and breach notification requirements on businesses of all sizes and government entities. It affects all entities that receive, collect, create or save personally identifiable information (PII) from Colorado residents, customers, employees or even prospective employees. The law comes in the wake of the Equifax data breach in 2017, and Colorado being rated the second riskiest state for identity theft in a 2017 study, only behind Nevada. State Rep. Cole Wist, the primary sponsor of the law, tweeted that Colorado now has “the nation’s strongest data privacy law.”
The requirements include having a written policy explaining how the business or agency will dispose of PII and the protocols through which it will implement the policy. Covered entities must also redact or destroy any documents with obsolete or unnecessary PII of Colorado residents. Covered entities must notify individuals affected by a data breach within 30 days after the entity determines that a breach occurred that resulted in, or is likely to result in, the misuse of personal information. If more than 500 Colorado residents are affected, the Colorado Attorney General must be notified within 30 days after the date of determination that a security breach occurred. If more than 1,000 Colorado residents are affected, the major credit reporting agencies (Equifax, Transunion, and Experian) must be notified.
The law also sets forth new requirements for the content of the breach notification, including the date of the breach, a description of the PII affected, contact information for the covered entity, and numbers, addresses, and websites for credit reporting agencies and the Federal Trade Commission. If the security breach included a Colorado resident’s username or email address, in combination with a password or security questions and answers that would permit access to an online account, the entity must also direct the affected resident to take steps to protect their account, i.e. by changing their password and/or security questions and answers.
Unlike the EU’s General Data Protection Regulation, the Colorado law does not spell out monetary penalties for noncompliance. Enforcement power lies with the Colorado Attorney General, as the law does not give consumers the right to sue in the event of a leak.
The law went into effect in September 2018. It had been overhauled after pro-business advocates argued that some of the heightened requirements were already obligatory under federal law, and that the proposed requirement to notify the attorney general in case of a data breach within seven days, which was the original proposed time frame, was not sufficient to determine if misuse of data had occurred. The law also brings attention to the differences between jurisdictions concerning data privacy regulation, and it highlights the need for national data privacy legislation.