Colorado’s new consumer data protection law, the Protections for Consumer Data Privacy Act, took effect September 1 and companies now have another set of requirements to comply with for their data privacy compliance.

The law outlines three key requirements for businesses and government entities that retain Coloradan “personal identifying information,” from small, solo enterprises to multi-national corporations. PII is defined to include Social Security numbers, driver’s license or ID numbers, personal passwords, health insurance ID numbers, biometric data such as fingerprints, and financial transaction devices such as financial account numbers. The three requirements include:

Written Policies. Businesses and agencies are required to maintain a written policy that explains how they will dispose of and destroy PII that they store and no longer need.

“Reasonable” Security Procedures. Entities must take “reasonable” security steps to protect PII. The law intentionally does not define what “reasonable” steps entail so that the standard remains flexible to different sized businesses and agencies with different types of data who may require more or less protection.

Data Breach Notification Rules. Entities must notify consumers in the event a data breach has been detected, or is likely to occur, within 30 days of the security breach. If more than 500 Coloradans are affected by the breach, the entity must inform the Attorney General’s office. Breaches may include such scenarios as a hacker electronically accessing data, the misplacement of a mobile data storage device or computer, or the distribution of unencrypted information through a payment system. The law includes beaches of “personal information,” which includes a Colorado resident’s first name (or initial) and last name in combination with any of the personal identifying information defined above.

There are a few other caveats within the law that should also be noted: (1) The law does not grant consumers the right to sue in the event of a data breach – enforcement power remains with the Attorney General; and (2) Entities that utilize a third-party data management firm are not exempt from the above responsibilities.


Some initial recommendations that entities should consider:

  • Conduct a data audit to determine if you collect, store, or use data covered by the statute;
  • Collect only the data you need;
  • Do not store data for longer than necessary;
  • Routinely perform additional security assessments;
  • Audit third-party vendors to ensure they are compliant with the law and implement a system for managing vendors; and
  • Training of staff.

This new law underscores the importance of having a well-planned privacy program that considers consumer data protection. It also reinforces the serious business, financial, and reputational impact a data breach can bring if business owners and agencies are not adequately prepared.

The Colorado Attorney General’s office has provided a website with FAQs for businesses to turn to for a quick reference on the law.